
SPOOFING, A NEW METHOD OF ABUNDANT BANK FRAUD

On 09 August 2023

1.3 million: that is the number of metropolitan households that reported being victims of bank fraud in 2020.

For a number of years, credit card and bank account scams and fraud of all kinds have kept increasing, in both the quantity and the quality of the schemes cybercriminals put in place.

The goal of these criminals is simple: to get victims, by any means, to voluntarily hand over secret codes and other confidential information, allowing the criminals to steal funds, sometimes before the very eyes of victims who only notice the deception later.

To obtain this precious confidential information, any means will do, and we now face genuine fraud procedures, akin to recipes carefully followed by the perpetrators.

One of the most recent methods causing havoc these days is the so-called “spoofing” method. Taken from the verb "to spoof", which means "to parody someone", it consists of cybercriminals usurping the identity of banking establishments in order to steal customers' banking data.
 

CONCRETELY, HOW DOES THIS HAPPEN?

Across the cases and complaints, a clear pattern appears. From beginning to end, the operation is a role-playing game in which the cybercriminal plays a caring bank advisor attentive to a client who has been the victim of fraud.

1) The victim receives a call that appears to come from the fraud department or their bank advisor, since the number displayed is the bank's usual, known number.

2) The “fake advisor” begins by creating a feeling of great stress in the victim, announcing that fraud has been carried out or is being carried out on their bank account. In this way, the victim becomes flustered and all too often loses their security reflexes.

3) Once the customer's anxiety has set in, the cybercriminal gives them a certain amount of personal information (username, telephone number, latest credit card numbers or even date of birth and postal address) so that they have the impression that it is indeed a bank employee speaking, and thus feel confident, supported and reassured.

4) The next step consists of reassuring the customer by offering immediate solutions (blocking fraudulent transfers, blocking the bank card, securing the account), which require validation from the victims.

5) To do this, SMS messages and sometimes secure notifications are sent simultaneously to the victim, once again apparently coming from the banking establishment whose identity is being stolen. By validating the “security” operations announced at the request of the interlocutor or by communicating instant codes, the victim actually allows the cybercriminal to steal the funds with complete apparent legality.

And that is where the problem lies for the victims. Communicating these validation codes will very often, too often, prevent them from being reimbursed following the fraud.

AND JUSTICE IN ALL THIS???

What does the law say about bank fraud?

Article 1937 of the Civil Code provides that “The depositary must only return the thing deposited to the person who entrusted it to him, or to the person in whose name the deposit was made, or to the person who was indicated to receive it.”

The Monetary and Financial Code, in particular in its articles L. 133-17 to L. 133-18, L. 133-19, L. 133-23 and L. 133-24, in their wording resulting from the transposition by ordinance 2017-1252 of August 9, 2017 of EU directive 2015/2366 of November 25, 2015 relating to payment services, provides for the rules applicable to the (fraudulent) use of means of payment.

It appears in particular from these legal provisions that, in principle, only fraudulent transactions carried out on the account of a client which have not been authorized by the latter and which have not been the consequence of serious negligence on their part can be reimbursed by the banking institution holding the bank account.

The burden of proof of the regularity of the authorization of the transaction rests with the banking establishment.

What do judges say about a request for reimbursement when the bank is reluctant?

It is unfortunately common for banks to refuse reimbursement of sums stolen from their customers, accusing them, in the majority of cases, of serious negligence in that they voluntarily communicated their secret codes or other identifiers.

This systematization of refusal of reimbursement by banks was also the subject of a complaint filed by UFC-Que Choisir against 12 banks, which gave rise to the implementation of new measures in the law for the protection of purchasing power of August 16, 2022, with in particular penalties applied in the event of late reimbursement of a consumer who is the victim of fraud.

In line with this victory for consumers, case law has also evolved.

By a judgment of March 28, 2023, the Versailles Court of Appeal overturned the decision rendered by the trial judges and granted the request of an individual who was the victim of fraud using a spoofing technique and whose accounts had been hacked to the tune of the colossal sum of 54,500 euros. Not surprisingly, the banking establishment refused to reimburse the customer, citing serious imprudence and negligence on the part of the customer, who had validated the transactions by secure authentication in their personal space.

To reject the client's negligence and serious imprudence, the Versailles Court of Appeal held here that it was the client's legitimate belief that the call came from the bank, corroborated by the display of the advisor's number, previously recorded on the client's phone, and the mention of the name, that led the client to be sufficiently confident to validate the disputed operations on the secure application.

The judges here seem to take into consideration the particularly advanced nature of the spoofing technique, which quite simply paralyzes the distrust of customers who are ultimately no longer physically able to distinguish truth from falsehood in such a situation.

It would be desirable for all courts to share this willingness to let justice evolve in matters of bank fraud. Indeed, in the face of ever more sophisticated techniques, the applicable rules and other banking practices cannot remain frozen in time.

What is at stake is the legal certainty that must be guaranteed to litigants.

HOW TO ACT IF YOU ARE A VICTIM OF BANK FRAUD?

Obviously, the first thing to do is to be ever more careful when using your payment methods and in the face of the many daily phishing attempts.

If, however, your bank account has been the subject of fraud and the bank refuses to reimburse you, do not hesitate to contact us.

With its expertise, the LEXSTONE AVOCATS firm, located in Puget-sur-Argens and Rocbaron, will assist you throughout the procedure so that it costs you as little money and time as possible.

If you wish to have your case studied closely and obtain compensation for your losses, calling on your lawyer remains the best option.