Italian Bank Ordered to Compensate Damages from Phishing

A recently published judgment of the Milan Civil Court (No. 14533/2014 of 5 December 2014) ordered an Italian banking institution to compensate two account holders for the damages caused by a phishing scam.

The lawsuit was filed by two brothers holding a joint account at the bank who, in 2009, realised that several transactions, which they had never made, had been charged to their account through the home banking service.

The plaintiffs accused the defendant of having failed to take appropriate measures in order to prevent the fraud; the defendant objected, having adopted state-of-the-art security measures, and blamed the incident on the plaintiffs, whom it said had unwisely revealed their access data to third parties or else had used computers not running adequate anti-malware programs.

The judge in charge of the case appointed an expert witness to reconstruct what had happened and appraise the security measures adopted by the defendant. The expert witness ruled out any “Man-in-the-Middle” or “Man-in-the-Browser” attacks—i.e., respectively, any interference in the Internet communications between the plaintiffs and the bank’s website or any malware injected into their browser—and concluded that the plaintiffs had fallen victim to a classic phishing scam, carried out by sending an email that purported to be from the bank and urging customers to communicate their access codes.

According to the expert witness, this particular fraudulent technique was already well-known well before 2009, and in that same year the adoption of systems preventing it, for example those based on one-time passwords, were a standard among banking institutions.

Based on these assessments, the judge found that the defendant was in breach of its duty of care with regard to its contractual commitment towards account holders to provide security, having acted without the degree of diligence to be expected from a professional operator.

According to the judge, the defendant, as the qualified party, could not have ignored the scheme described and, as a consequence, should have adopted security systems capable of preventing it. The fact that the plaintiffs were not aware of these fraudulent techniques and had not realised that the email apparently originating from the bank was intended to steal confidential data could not be attributed to a lack of diligence on their part.

In this last regard, the judge noted that the email identified as the vehicle of the fraud was well designed, not presenting any signs of forging obvious to the average person lacking qualified expertise in IT matters: it had been sent to one of the plaintiffs at the email account provided by the defendant itself, from an email address “not immediately recognisable as fraudulent”, and it bore the same logo used by the defendant to distinguish its online banking service.

Having established the defendant’s accountability, the judge ordered the latter to compensate the plaintiffs for both economic damages (equal to the total amount subtracted from their account as a result of the fraud, plus interest), and moral damages—consisting of the “inevitable suffering and distress following the fraud suffered in noting the loss of the entire reserve credited to the account“—quantified on an equitable basis.