Stadtsparkasse Munich: Online banking fraudsters empty accounts – Munich

Karsten D. no longer knows what name the alleged employee of the Stadtsparkasse introduced himself to on the phone. It could be that the man posed as “Mr. Nowak”. That’s “the classic name that scammers like to use,” Antonia R. revealed last summer in a podcast by Stadtsparkasse Munich. She is responsible for fraud prevention there, a sensitive area, which is why she did not want her full name to be given. At that time, the woman spent a quarter of an hour telling and explaining fraudulent tactics in online banking.

It’s more likely younger people who listen to podcasts. Karsten D. is over 70, he probably didn’t realize it. He may have also overlooked the e-mails that the Stadtsparkasse puts in the electronic mailbox of all customers once a year to warn them of the latest tricks used by online fraudsters. In any case, Karsten D. was called on a Friday in early December, and the following Monday his accounts at the Stadtsparkasse were emptied.

The Munich police received 469 reports of online banking fraud in 2022, the financial damage totaled around 1.5 million euros. Almost a tenth was accounted for by a single case, that of Karsten D. – 143,102.18 euros were stolen from him. He now wants the money back from the Stadtsparkasse, but they think D. is to blame for the loss: he acted with gross negligence.

Much of the case is typical of online banking fraud: first a call from a supposed bank employee, then an SMS on the cell phone with a link. Anyone who clicks on it is usually asked for access data such as user name, PIN, bank card number and date of birth. That gives the fraudsters all the keys to the account, and they can then do all sorts of things. In the case of Karsten D., they recalled money that he had already transferred to the tax office and later debited it in their own favour; they also seem to have raised his daily transfer limit. In the podcast, Antonia R. warned against clicking on links that supposedly come from a bank; the Sparkasse board member Bernd Hochberger did the same in a later episode.

Karsten D. still clicked on it when he received an SMS. “Sometimes I wake up in a sweat and berate myself for doing this,” he says. But he felt “in the care of the bank”: the phone number of the Stadtsparkasse appeared on the display of his cell phone, the caller knew and used the name of his customer advisor, and he pointed to an update of the push-TAN procedure, which is needed for online banking, saying he would therefore send an SMS with a link right away. “The Sparkasse was also shown as the sender of the SMS,” says Karsten D. So he followed the link – which led not to the bank but straight to the scammers.

“Of course I’m partly to blame”

“It’s not difficult to manipulate the display of phone numbers,” says a cybercrime specialist from the Bavarian police who wants to remain anonymous. Not much expertise is needed for this so-called “spoofing”; the corresponding programs can be bought on the darknet, the black market of the Internet. The investigator also knows: “When fake bank employees call, they have usually already obtained certain data. Because the perpetrators already know so much, the trust of their victims is very high.”

As it was with Karsten D. “Of course I’m partly to blame,” he admits. At the request of the alleged bank employee to verify his identity, he gave his date of birth and bank card number. But “I didn’t give out any access data to my account, no user name, no password. The perpetrators must have obtained that some other way.” In any case, he does not think that he acted with gross negligence – it is rather the Stadtsparkasse he accuses of that. There, he argues, the unusual transactions from his accounts between Friday and Sunday evening should have been noticed: 150 individual transfers to one and the same recipient account, with almost identical payment references, all amounts just under 1000 euros.

Karsten D. may be retired, but he is still working – as a freelance software developer he programs mainframe computers. He therefore believes that the Stadtsparkasse’s software should have raised the alarm when the transfers from his accounts were made: “I could have written an algorithm that prevented this in a very short time.”

13 transfers within a minute

However, the software did not prevent a dozen or more transfers from being made from D.’s accounts within short periods of time. For example, on Friday, December 2, between 11:16 p.m. and 11:35 p.m., 15 transfers of between 980.00 and 999.92 euros. Or on Saturday, within 50 minutes, 29 transfers of between 996.74 and 997.97 euros. It all ended on Sunday evening, when 13 amounts of between 990.19 and 996.33 euros were transferred within a single minute at 8:31 p.m. In this way, 118,359.92 euros were withdrawn from D.’s business account through 120 transfers and 24,742.26 euros from his private account through 30 transactions. “It was part of my pension,” he says.

One of his friends sits on the supervisory board of a bank: “He told me that the whole thing was stopped after three transfers,” says Karsten D. The police cybercrime investigator also thinks: “Well-programmed banking software should recognize that 150 transactions into one account don’t make sense. You could do that with five transfers. That would definitely have to be checked.” He is surprised that the recipient bank in Baden-Württemberg also did not react to the unusual receipt of money. Because he knows: “The perpetrators are so quick that the money can no longer be retrieved.” In any case, Karsten D.’s money was already forwarded on Monday to an account in Hong Kong: “And there they are not interested in working with the German police.”

But why get money back that you don’t have to hand over? Paragraph 25 of the Banking Act states: “Credit institutions must (…) operate data processing systems in order (…) to recognize transactions in payment transactions that indicate money laundering, terrorist financing and other criminal acts.” According to the Federal Financial Supervisory Authority, a significant number of similar transactions within a limited period of time could be such an indication. Thresholds for a suspicion check are not prescribed: “These are rather set by the institutions.”
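The two patterns described above (many transfers just under a limit to a single recipient, and a burst of transfers within a minute) can be caught by simple sliding-window rules. The following is an example added here, not the Stadtsparkasse’s software or any bank’s actual logic; the thresholds, window sizes, account names and the sample transaction log are all constructed assumptions modelled on the figures in the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Transaction = (timestamp, debtor account, creditor account, amount in EUR).
# Constructed sample log: two ordinary payments, then 15 transfers one minute
# apart just under 1000 EUR to one recipient, and 13 more within 36 seconds.
SAMPLE_TXNS = [
    (datetime(2022, 12, 2, 9, 5), "ACCT-BUSINESS", "ACCT-SUPPLIER", 2450.00),
    (datetime(2022, 12, 2, 12, 30), "ACCT-PRIVATE", "ACCT-LANDLORD", 1200.00),
] + [
    (datetime(2022, 12, 2, 23, 16) + timedelta(minutes=i), "ACCT-BUSINESS", "ACCT-RECIPIENT-X", 980.0 + i)
    for i in range(15)
] + [
    (datetime(2022, 12, 4, 20, 31) + timedelta(seconds=3 * i), "ACCT-PRIVATE", "ACCT-RECIPIENT-X", 990.0 + 0.5 * i)
    for i in range(13)
]

def densest_window(times, window):
    """Return (count, start_idx, end_idx) of the busiest sliding window over sorted timestamps."""
    best, start = (0, 0, -1), 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, start, end)
    return best

def structuring_alerts(txns, limit=1000.0, near=0.95, window=timedelta(hours=1), threshold=5):
    """Flag recipients receiving >= threshold transfers with amounts in [near*limit, limit)
    inside one window: the 'many payments just under the control limit' pattern."""
    by_recipient = defaultdict(list)
    for ts, _, creditor, amount in sorted(txns):
        if near * limit <= amount < limit:
            by_recipient[creditor].append((ts, amount))
    alerts = []
    for creditor, rows in by_recipient.items():
        count, s, e = densest_window([ts for ts, _ in rows], window)
        if count >= threshold:
            alerts.append({"rule": "near-limit-structuring", "recipient": creditor, "count": count,
                           "total": round(sum(a for _, a in rows[s:e + 1]), 2),
                           "first": rows[s][0], "last": rows[e][0]})
    return alerts

def burst_alerts(txns, window=timedelta(minutes=1), threshold=5):
    """Flag debtor accounts sending >= threshold transfers within one short window,
    regardless of amount: the '13 transfers within a minute' pattern."""
    by_debtor = defaultdict(list)
    for ts, debtor, _, _ in sorted(txns):
        by_debtor[debtor].append(ts)
    alerts = []
    for debtor, times in by_debtor.items():
        count, s, e = densest_window(times, window)
        if count >= threshold:
            alerts.append({"rule": "burst", "debtor": debtor, "count": count, "first": times[s], "last": times[e]})
    return alerts
```

In a real system such rules would hold the transfer for review rather than only alert, and a threshold the perpetrators can discover (here, the 1000 euro limit) is exactly why the near-limit band matters more than the limit itself.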

The compensation offered is not enough for Karsten D

At the Stadtsparkasse, the control mechanism is apparently triggered at 1000 euros; for Karsten D., the fact that the perpetrators in his case obviously knew this limit indicates a possible data leak at the bank. Asked by the SZ, a spokeswoman for the Stadtsparkasse declined to provide any information on the details of the software or the number of damage cases, citing banking and company secrecy. With Karsten D., the Stadtsparkasse is looking for “a solution that suits both sides”.

The compensation offered so far on a goodwill basis is not enough for Karsten D., so he hired a lawyer, David Ritschel, who specializes in banking law. The legal situation is currently shaped by an advisory decision of the Munich Higher Regional Court of September 22, 2022, file number 19 U 2204/22, in which any disclosure of bank data is per se considered grossly negligent. “I don’t think you can make such a blanket statement,” says Ritschel. “It is conceivable that the bank is partly to blame due to a lack of system security.” His client is combative: “I’m ready to go to court.”
