A new Federal Court ruling is the talk of the town: Hackers ransacked a customer’s account, and his bank didn’t accept any liability. Yet you can protect yourself against such losses.
Jean-Claude Henchoz (name changed) was shocked when he read the latest ruling: The Federal Court had decided that a Geneva private bank customer had to foot the bill himself for the damage a hacker had caused him. And this after the cantonal court, in the previous instance, had ordered the bank to repay Henchoz the majority of his loss, amounting to several hundred thousand Euros.
Criminals had gained access to this bank customer's e-mail account and used it to send several payment orders to his bank. The recipients of these payments were accounts abroad. The problem: As per the contract between bank and customer, payment orders could be placed by e-mail, telephone or fax. No written order was required. The hackers exploited exactly this.
While the Geneva cantonal court had found that the bank should have noticed these improper payments at an early stage and stopped them, the Federal Court saw no error on the bank's part: orders placed via a contractually agreed channel such as e-mail do not automatically have to be treated as potentially fraudulent and therefore do not have to be checked. The risks of identification and transmission errors are borne by the customer.
Please note the following recommendations to protect yourself against losses as a result of improper payment orders:
- Where possible, only ever make payment orders via your bank’s e-banking facility or mobile banking app, or in person at your branch. Have other channels such as e-mail, telephone and fax contractually blocked for payment purposes.
- If you really cannot do without payment orders via e-mail, use an e-mail provider that offers two-factor authentication, and enable this additional level of protection. Bear in mind that it protects the account against a stolen password, not against malware on the device you read your mail on.
- Use a different, complex password for each of your e-mail accounts and for e-banking. Keep them safe (e.g. in a password manager), and never disclose your passwords to anybody.
- Create a separate e-mail address for communicating with your bank. Don't use this address for any other purpose, and don't give it to anyone but your bank.
- Where possible, ask your bank to set up a transaction authorisation facility so that all payment orders from a certain amount onwards have to be explicitly approved by you via a different channel (e.g. a telephone call to a number agreed in advance) before they are executed. The confirmation channel must be one an attacker who controls your e-mail account cannot also control; a confirmation request sent to the same e-mail address adds nothing.
- Regularly check your bank statements, and also look at the latest entries of your account online. If you notice any discrepancies, notify your bank immediately.