Every now and then, there is news about data breaches and scams in which money has been stolen from banking customers.

“The good news is that there aren’t many crimes independent of the customer,” says Kati Piilo, Senior Legal Counsel at OP’s Retail Banking.

“Real data breaches in which a criminal breaks into a bank’s system hardly ever happen”.

If that were to happen, the bank would cover the customer’s losses.

Criminals usually try to gain access to customers’ money by phishing for user IDs and card details. According to Piilo, the number of attempts is high, and unfortunately, they are sometimes successful in their misuse.

After falling victim to a scam, we must consider whether the bank should be liable for covering the customer’s losses.

What is the level of negligence?

The victim of a scam must contact the bank and tell it what happened in as much detail as possible.

It will then consider the extent to which the misuse of funds was due to the customer’s negligence: was it simple negligence or gross negligence? This is usually difficult to assess, and the assessment is done on a case-by-case basis.

In simple negligence, the customer’s responsibility for the lost money is 50 euros, and the bank will cover the rest.

“Often, the only information we have about how the phishing was done is based on what the customer has told us. People don’t always remember the details, or they don’t dare to say what really happened”.

In simple negligence, the customer’s responsibility for the lost money is 50 euros, and the bank will cover the rest. If a customer has been grossly negligent, the bank will not provide them with compensation for the lost money.

It is difficult to give a general description of what is simple and what is gross negligence. Piilo shares an example.

Ignoring a bank’s warning is gross negligence

A typical scam starts with a customer receiving a message to their phone or email. By clicking on a link, they end up on a website asking for their banking user ID, card numbers or other such details. You should not share these details, but even if you do, it is still usually considered simple negligence.

This is not enough to transfer funds, as payments require separate confirmation. To do this, the customer receives payment details through a mobile app or SMS, for example. The confirmation request always includes the payee and the amount of the payment.

If you are not making a payment that requires confirmation, your alarm bells should be ringing, and you should not go through with the confirmation.

“You should not confirm the payment but instead, contact the bank. If you do not read a message sent by the bank and confirm the payment regardless, it is usually considered gross negligence”.

Healthy scepticism is advisable

Nowadays, most scams take place online, but there are still attempts to phish for banking details, card theft and spying on PIN codes in the offline world.

Gross negligence can include situations where the customer keeps their bank card and PIN code in the same place. Scammers are talented, and according to Piilo, there is no reason to be ashamed if you are fooled.

The rule of thumb is that you should have healthy scepticism in online environments: if you are feeling even a little suspicious, do not hand over your details but rather contact the bank and tell them about it.

“Urgency is often our enemy – people might confirm requests without reading the message. The scam might also urge you to be quick: 'your account will be cleared – prevent this by confirming'. The bank will not message you in that way if the situation is critical. They will contact you by other means such as by calling.“

Do you suspect that you have fallen victim to a scam, or that your information has fallen into the wrong hands?

Read the instructions on what to do if you think you might have been scammed, 
or if you think your information has fallen into the wrong hands.