
Phishing is by now a well-known form of cybercrime in which attempts are made to “fish” for a person’s personal information and then use it fraudulently. Through phishing, a fraudster can obtain personal data and use it, for example, to carry out payment transactions remotely. This often results in significant financial loss for the victim. The question is: who bears this financial loss?
In the blog post below, we examine the legally relevant provisions in the context of phishing and explain to what extent the victim can recover the stolen funds.
First of all, phishing constitutes a criminal act, the criminalisation of which is embodied in the more general offence of computer fraud. Article 504quater, §1 of the Criminal Code penalises conduct whereby the perpetrator, for themselves or for another person, attempts to obtain or obtains an unlawful economic advantage by means of data manipulation and with fraudulent intent. This offence is punishable by imprisonment from six months to five years and/or a fine of 208 euros to 800,000 euros.
In practice, however, it is often difficult to identify the perpetrator, leaving the victim empty-handed.
A second possibility for the victim to obtain compensation concerns the liability of the payment service provider (the bank). The legislator provides for a specific liability scheme intended to protect payment service users who have become victims of fraud.
A first condition for this liability regime is the existence of an unauthorized payment transaction, namely a transaction to which the payer did not consent. The bank’s specific liability therefore does not apply when the victim personally gave the instruction to transfer the amount to a specific account.
Secondly, from the moment the victim becomes aware of the unlawful use of their payment instrument, they must notify the bank immediately.
In this regard, the legislator has provided for an absolute limitation period. The bank can no longer be held liable if the victim fails to notify the bank no later than 13 months after the value date of the debit. In addition, the notification requirement is also relevant to the apportionment of liability.
In principle, for unauthorized transactions carried out before notification, the victim’s liability is capped at a maximum of 50 euros. If unauthorized payment transactions still occur after the victim has notified the bank, the bank is liable for them. There are two exceptions to this apportionment of liability.
The first exception releases the victim from all loss, meaning they bear no liability whatsoever, not even for 50 euros. This is the case when the victim could not detect the unlawful use of the payment instrument before the payment took place, for example because they only discovered the fraudulent payment when checking their account afterwards.
Whether this exception applies is assessed by asking whether, taking all circumstances into account, an average person in those circumstances should have detected the phishing.
The second exception has the opposite result, namely that the victim must bear all losses themselves. This is the case in the event of fraudulent conduct by the payer themselves, intentional misconduct, or when, through gross negligence, the payer has failed to comply with one or more of the obligations referred to in Article VII.38 CEL. In essence, this concerns the obligation to handle payment data with due care or the obligation to notify the bank of the unlawful use.
What constitutes gross negligence is not defined by law. Case law does, however, hold that gross negligence requires more than mere carelessness. For example, the Antwerp Court of Appeal found gross negligence because (i) the email containing the hyperlink should have raised suspicion (no official email address, no logo or reference to the bank’s website, a grammatical error, …); (ii) the subsequent telephone contact – on a Saturday – was also dubious; and (iii) communicating the PIN code and authentication codes by phone constituted a breach of the obligations resting on the payer.
The burden of proof in this regard lies with the bank: it is for the bank to demonstrate that there was gross negligence on the part of the payer.
As a victim of phishing, you enjoy legal protection under both criminal and civil law. Phishing constitutes a criminal offence, which means that the fraudster – if they can be identified – may be prosecuted. In addition, the bank may also be held liable, so that you as the victim are compensated in whole or in part, unless you can be blamed for gross negligence.
***
Do you still have questions about this matter or would you like additional information about the legal consequences of phishing? The criminal law team at Reyns Advocaten has extensive expertise in this area and will be happy to provide you with further advice or assistance. Do not hesitate to contact us.