Elderly individual falls victim to SMS scam for €23,000 - Bank shows little remorse in response
Deutsche Bank and SMS Phishing Incident: A Closer Look
A German association, the Interest Group of Former DDR Refugees e.V. (IEDF e.V.), has fallen victim to an SMS phishing scam, losing €23,000 in a fraudulent transaction at Deutsche Bank.
The incident came to light in January 2024 when the treasurer of the IEDF e.V. was tricked into updating her PhotoTAN registration via a link in an SMS. The association's members, familiar with phishing in connection with emails but not with SMS, were caught off guard.
Following the incident, the IEDF e.V. filed a complaint with the police and informed Deutsche Bank about the fraud. However, the association's account was terminated by the bank after the fraud case. Deutsche Bank attributed the loss to gross negligence on the part of the association, citing the revelation of login details and forwarding of photoTAN activation letter information to the fraudsters.
The Consumer Advice Center explains that merely using a payment instrument and the associated authentication does not suffice to prove gross negligence. Banks typically handle fraudulent transactions resulting from SMS phishing by investigating the claims promptly and refunding unauthorized transactions unless the customer is found to be grossly negligent. If the customer can prove they were not at fault, for example through police reports or affidavits, banks generally accept liability.
However, if gross negligence is established—such as sharing OTPs or PINs, using unsecured devices without protection, or delaying fraud notification—the customer may be held liable for the loss. In practice, when a customer claims absence of fault due to no gross negligence but the transaction involved SMS phishing, banks will conduct an investigation considering the above factors before deciding liability and refunding unauthorized charges if appropriate.
The main indictment against the unknown sender of the phishing SMS was dropped due to lack of evidence, but subsidiary proceedings against account holders are ongoing. A man is being investigated for money laundering in connection with one of the transferred accounts. The Public Prosecutor's Office in Mannheim is still investigating regarding a named account holder.
The IEDF e.V. is an association committed to the pension rights of DDR refugees and finances itself through membership fees. The association lacks the funds for a lawsuit against Deutsche Bank, and has not received its money back.
It is essential for individuals and organisations to be vigilant against SMS phishing scams, and to report any suspicious activities to the authorities promptly. Banks must also maintain secure authentication systems and implement stronger, more secure authentication beyond vulnerable SMS codes to protect their customers from such incidents. Regulatory frameworks enforce banks to adopt more secure methods such as biometrics or hardware tokens, particularly in countries like the Philippines, to reduce the risks of SMS phishing.
In conclusion, handling SMS phishing cases requires a balance of verifying customer responsibility, bank security practices, and regulatory requirements to ensure fair resolution of fraud disputes arising from SMS phishing.
- The banking-and-insurance industry, represented by Deutsche Bank in this case, must prioritize the implementation of stronger, more secure authentication methods to protect customers from SMS phishing incidents.
- As shown in the SMS phishing incident involving Deutsche Bank and the IEDF e.V., general news about such scams serves as a reminder for organizations and individuals to remain vigilant and report suspicious activities to the authorities promptly.
- In the realm of finance, it is crucial for both customers and banks to understand the implications of gross negligence in cases of SMS phishing, as failings in this area can lead to losses and disputes over liability.
