The online banking seas have become perilous for businesses: there was a recent wave of online account hijackings between September and November 2013. This sharp increase is unsurprising when there is now an ever-growing number of sophisticated cyber pirates using 'malware' to dupe thousands of UK businesses into handing over their security password details. Once the fraudsters have hijacked the business's online bank accounts, they make urgent CHAPS transfers to various accounts (some in the UK but many as far afield as Ukraine and Cyprus). Often, by the time the business or their bank's fraud investigation team suspect the transactions are fraudulent, it is too late and the accounts have been emptied of hundreds of thousands of pounds.
The Phishing Scam
The cyber pirate usually sends an email purporting to be from the bank which, once opened, allows the malware to be downloaded to the victim’s computer. The next time the business user tries to log on to their bank account, the malware directs them to a fake version of the bank website, which asks for their log-in details but refuses to allow entry. Once the cyber pirate has the ‘challenge’ key, the hijacking can begin. The customer is left bewildered, thinking there is a problem with the website, while fraudulent urgent CHAPS transfers are made by the cyber pirate.
The Vishing Scam
In some cases, the cyber pirate has turned to ‘vishing’ to get the business’s bank details. This is where the fraudster phones the business pretending to be someone from the bank’s fraud investigation team and asks for financial details. If the cyber pirate has already obtained access to the business’s bank account by phishing but requires further access codes, they can often con the customer into giving those codes by reciting recent genuine business transactions (which they can see through the access they already have), so the customer is induced into believing they are in fact speaking to someone from the bank’s fraud team.
Once the customer’s bank has been alerted to the suspicious payments and has suspended the bank account, immediate recovery steps should be taken by the bank to freeze the payments in the cyber pirates’ beneficiary banks. In some cases, an alert from the customer’s bank to a beneficiary bank may result in the funds being frozen before they are spirited away by the cyber pirate, and these funds may then be returned to the customer via their own bank.
Legal Recovery Options
Unfortunately, there will be many businesses that are not lucky enough to have the bulk of their funds returned by beneficiary banks, and the customer’s attention will need to turn to the legal remedies for recovery if their bank declines to refund them following its internal investigation of the fraudulent transactions.
Payment Services Regulations 2009 (“The Regulations”)
To be entitled to a refund, the customer must notify the bank of the unauthorised transactions without undue delay and within 13 months of the debit date. Helpfully, the Regulations reverse the burden of proof so that it is for the bank to prove the payments were authorised by the customer. Even if the customer has authorised the transactions (thinking the cyber pirate was genuine), the bank must show that the customer acted fraudulently, with deliberate intent, or was grossly negligent. Accordingly, where the bank is unable to show the customer acted fraudulently, with deliberate intent or was grossly negligent, an immediate refund of the unauthorised payments should be made. However, a statutory breach of the Regulations can only be litigated by an individual, although the force of the Regulations is recognised by the Financial Ombudsman Service for small companies.
Financial Ombudsman Service (“FOS”)
Since the Regulations do not give companies a statutory right to compensation, a corporate customer must seek recovery of their losses from the Financial Ombudsman Service (FOS) if the Regulations have been breached by the bank. Unfortunately, companies with more than 10 employees or a turnover of more than 2 million Euros are not eligible for the FOS, which leaves these customers with the last resort of a court action against the bank.
The banks’ primary defence to any court action will be that the customer has breached its online banking terms and conditions because it authorised another person to use the account, failed to keep the security details safe, and failed to comply with security measures such as running anti-virus software. These terms and conditions may be attacked as unreasonable in terms of the Unfair Terms Act 1977, but they will clearly present a formidable obstacle. Accordingly, the customer must advance legal arguments that can overcome the bank’s contractual terms and conditions.
Breach of Mandate
If the bank is unable to show that the customer consented to the fraudulent payment transaction, then it had no authority to make the payment and the payment should be regarded as unauthorised. It would follow that the bank was not entitled to debit the customer’s account, and a damages claim for breach of the customer’s mandate may be raised.
Often, when the cyber pirates hijack the customers’ online banking accounts, they make large transactions, frequent transactions of similar smaller amounts, or payments to foreign accounts. Arguably, these suspicious payments should put the bank under a duty of inquiry, and a bank that processes them without inquiry is consequently in breach of its duty to act with reasonable care and skill.
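As an added illustration (not part of the original post), the following Python sketch applies the three patterns just described to a constructed set of CHAPS payments from one business account. The thresholds, field names and sample data are assumptions; a bank would calibrate such rules against the customer’s own payment history.

```python
from datetime import datetime, timedelta

# Constructed sample: one day of outgoing CHAPS payments from a business
# account, shaped like the patterns the post describes (not real data).
SAMPLE_PAYMENTS = [
    {"id": "P1", "ts": "2013-10-14T09:02", "amount": 4200.00, "country": "GB"},
    {"id": "P2", "ts": "2013-10-14T11:15", "amount": 9850.00, "country": "GB"},
    {"id": "P3", "ts": "2013-10-14T11:17", "amount": 9850.00, "country": "GB"},
    {"id": "P4", "ts": "2013-10-14T11:19", "amount": 9850.00, "country": "GB"},
    {"id": "P5", "ts": "2013-10-14T11:24", "amount": 185000.00, "country": "UA"},
    {"id": "P6", "ts": "2013-10-14T11:31", "amount": 72000.00, "country": "CY"},
]

# Hypothetical review thresholds; a bank would derive these per customer
# from the account's own payment history.
LARGE_AMOUNT = 50000.00                 # single payment size that warrants review
SIMILAR_COUNT = 3                       # this many near-identical amounts ...
SIMILAR_WINDOW = timedelta(minutes=30)  # ... inside this window
HOME_COUNTRY = "GB"                     # beneficiaries elsewhere are "foreign"

def flag_for_inquiry(payments):
    """Return {payment_id: [reasons]} for payments matching the three patterns."""
    flags = {}

    def add(pid, reason):
        reasons = flags.setdefault(pid, [])
        if reason not in reasons:
            reasons.append(reason)

    parsed = sorted(
        ({**p, "ts": datetime.fromisoformat(p["ts"])} for p in payments),
        key=lambda p: p["ts"],
    )
    by_amount = {}
    for p in parsed:
        if p["amount"] >= LARGE_AMOUNT:
            add(p["id"], "large_amount")
        if p["country"] != HOME_COUNTRY:
            add(p["id"], "foreign_beneficiary")
        # Bucket amounts to the nearest 100 so near-identical amounts land together.
        by_amount.setdefault(round(p["amount"], -2), []).append(p)
    # Frequent transactions of similar smaller amounts: SIMILAR_COUNT or more
    # payments in one bucket whose timestamps fall inside SIMILAR_WINDOW.
    for group in by_amount.values():
        for i, first in enumerate(group):
            window = [q for q in group[i:] if q["ts"] - first["ts"] <= SIMILAR_WINDOW]
            if len(window) >= SIMILAR_COUNT:
                for q in window:
                    add(q["id"], "repeated_similar_amount")
    return flags
```

Running `flag_for_inquiry(SAMPLE_PAYMENTS)` leaves the routine morning payment unflagged and marks the three repeated amounts and the two large foreign transfers, which is the kind of record a customer could point to when arguing the bank should have inquired.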
Financial Conduct Authority (FCA) Enforcement
While large companies will not be able to seek recovery of their losses from the FOS, they may submit a complaint to the FCA for breaches of the Payment Services Regulations 2009 (so long as they have not opted out of the Regulations). The FCA can take action against the bank for breaches of the Regulations by ordering a refund of the payments to the customer. It can also impose penalties and censures on the banks should it find the Regulations have been breached.
We have expertise in online banking fraud disputes and recently recovered an SME’s losses from their bank after they had fallen victim to a vishing scam and their bank had refused to pay out. We are also currently assisting clients with recovery of losses from their banks following more recent phishing/vishing scams.
If you have been affected by a phishing/vishing scam and your bank has refused to pay out, we may be able to provide you with the necessary legal assistance to seek recovery of your losses from your bank. Please feel free to call a solicitor within the Financial Services & Banking Disputes Team on 0131 226 8200.
Disclaimer: While every effort has been made to ensure the accuracy of this blog post, it is not intended to provide legal advice as individual situations will differ. No recipients of content in this blog post should act or refrain from acting on the basis of the blog post without seeking the appropriate legal advice on the particular facts and circumstances at issue from a qualified solicitor in their jurisdiction. The blog post is for general information only and is not legal advice. The law changes frequently and varies from jurisdiction to jurisdiction. No solicitor-client relationship is formed nor should any such relationship be implied. If you require legal advice, please consult with a solicitor qualified to practise in your jurisdiction. Should you be interested in seeking our assistance with a legal matter, please contact the Dispute Resolution team on 0131 226 8200.