The Court of First Instance number 7 of Las Palmas de Gran Canaria has upheld the claim of a resident of the capital of Gran Canaria who lost all her money after being the victim of cybercriminals who impersonated the bank where she had her account. The Court has ordered the bank to pay the affected party the sum that was stolen from her through phishing (4,902 euros), plus legal interest accrued. Likewise, the sentence condemns the bank to pay the costs.
The bank opposed the client's claim, alleging that she alone was responsible for falling into the trap. The judicial authority establishes that there is financial responsibility on the part of the bank, since, it states, "since the defendant is the one providing the payment service in such a technological environment and increasingly susceptible to attacks such as the one the plaintiff has been subjected to, it implies financial responsibility, given that it is the same one that must increase specific security measures, and not merely informative ones, to the level of the means of payment it offers."
According to the sentence, the cyber scam was forged in the summer of 2023, when the bank's client received via SMS, "the usual channel of communication" with the bank, a message informing her of "a security alert" on her card, referring her to a link or computer link in the same message for its correction.
The affected party clicked on the link from her mobile phone, and this action took her to "a website with all the identifying features of the bank's website." In it, the ruling continues, "the plaintiff entered her key and password to access, without succeeding."
In this way, the following day she received a call from "who said he was an employee of the defendant [the bank] with knowledge of the plaintiff's personal data, name, surnames, last operations... informing her that there had been a serious situation of computer security risk and that she should transfer all her funds to a new account, with an IBAN that was sent to her through the SMS thread of the financial institution."
The plaintiff carried out two transfers to the indicated account of 1,152 and 3,750 euros, "losing all availability over the aforementioned amounts, giving rise to the complaint to the National Police Corps."
Faced with the bank's opposition to returning the money that had been stolen from the affected party by the cybercriminals, the judge states that it cannot be expected that the plaintiff "displayed a suspicious or inquisitive attitude regarding the message sent," which she understood to be legitimate "since she even received calls from someone who claimed to be an employee of the defendant, who explained the reason for the SMS messages sent (...) within the line of conversation she was having" with her bank.
"There is no data to support the existence of a negligent action on the part of the plaintiff," the sentence says, "taking into account that a complex technological system was used, consisting of a series of SMS attacks on the plaintiff's trust in who she believed to be the financial institution, sending a link that takes her to a web page with identical content."
The sentence is subject to appeal before the Provincial Court of Las Palmas.
