
Phishing: Click Carelessly, Lose Your Cash

The Higher Regional Court (OLG) of Oldenburg has recently ruled that a bank is not liable for losses resulting from a phishing attack if the customer acted with gross negligence. Phishing is a form of cybercrime where attackers impersonate legitimate organizations (through emails, messages, or fake websites) to trick individuals into revealing sensitive information such as login credentials, financial data, or authentication codes. For businesses, phishing poses a significant threat, as a successful attack can lead to substantial financial losses, data breaches, and reputational damage. The central issue in this case was whether a bank customer is entitled to reimbursement of lost funds after falling victim to a phishing scam, particularly when the customer's own actions are deemed grossly negligent. 

A. Phishing Attack with Serious Consequences

In this case, a bank customer received an email that appeared to be from her bank, instructing her to update her PushTAN registration. She followed the link provided in the email, which led her to a fraudulent website. There, she entered personal information, including her date of birth, debit card number, username, and PIN. Subsequently, she received an SMS containing a registration link for the PushTAN procedure, which she forwarded to the perpetrators. As a result, nearly €41,000 was transferred in two real-time transactions to an account in Estonia.

B. Gross Negligence Excludes Reimbursement Claims

The Regional Court of Oldenburg had already dismissed the customer’s claim for reimbursement of the lost funds. Although the transactions were not authorized by the account holder, the court found that the customer had grossly violated her duty of care. The OLG Oldenburg has now confirmed this assessment. According to the court, the transfers could only have been executed because the customer disclosed sensitive information. Forwarding the registration link to third parties was also deemed grossly negligent.

The court further noted that the email contained several warning signs of fraud, such as an impersonal greeting and spelling mistakes. The customer should have questioned the authenticity of the message.

C. No Shared Responsibility on the Part of the Bank

The OLG Oldenburg found no contributory negligence on the part of the bank. In particular, at the time of the incident, it was not yet standard practice to include a warning notice in registration SMS messages, as is common today. Therefore, the bank was not required to bear any responsibility for the loss.

Conclusion: Take Online Banking Duties of Care Seriously

This ruling emphasizes that online banking customers are subject to relevant duties of care. Disclosing login credentials on fraudulent websites and forwarding authentication links can be considered grossly negligent and may result in the loss of any claim for reimbursement against the bank. Both businesses and individuals should regularly educate employees and family members about the risks of phishing and ensure compliance with security protocols.

To avoid falling victim to phishing attacks, consider the following tips:

  • Always verify the sender’s email address and be cautious of unsolicited messages requesting sensitive information.
  • Look for warning signs such as impersonal greetings, spelling or grammatical errors, and urgent requests.
  • Never click on links or download attachments from unknown or suspicious sources.
  • Use multi-factor authentication and strong, unique passwords for online banking.
  • Provide ongoing training and awareness programs for employees about the latest phishing tactics.
  • When in doubt, contact your bank directly using official communication channels to verify any requests.

By remaining vigilant and following these best practices, both individuals and businesses can significantly reduce the risk of falling victim to phishing scams.