DEPOSITOR PROTECTION FROM ONLINE FRAUD

The Independent Authority “Consumer Ombudsman” makes the following recommendations to banks and consumers in the event of online fraud:

Banks are called upon to comply with the following: to continuously update and upgrade the systems and security software that they use to carry out electronic banking transactions.

Consumers are called upon to comply with the following:

  1. To keep their strictly personal secret e-banking access codes (Username, Password) with particular care and not to disclose them to third parties. To use complex security codes and to change them at regular intervals.
  2. To keep with corresponding care all the details of their debit or credit card: number, cardholder name, expiry date and especially the three-digit CVV2 verification code, and to disclose them only in the context of demonstrably secure transactions.
  3. Not to enter e-banking codes, card details, or identification information on websites to which they may be redirected via a link contained in any incoming email of doubtful origin.
  4. When they receive telephone calls from prospective buyers of products advertised online, or from supposed bank or other agency representatives asking them to disclose personal secret access codes, not to respond and to terminate the communication.
  5. When they receive messages of unknown or doubtful origin on their computer or mobile phone, via email, an application (app), social media, or from an unknown telephone number (SMS), they should ignore and delete them.
  6. To carefully check the addresses of the emails they receive and in particular that the displayed sender name corresponds to the sender’s actual email address. A common practice for stealing data is for an incoming email to falsely bear the name of a real contact of the recipient, while the sender’s email address obviously bears no relation to that contact.
  7. E-banking transactions should be carried out from computers that have an active and updated malware protection program. It is recommended that the use of computers in public or shared environments for banking transactions be avoided.
  8. To access bank websites and e-banking platforms, consumers should type the website address directly and ensure that encryption is in place (indicatively: that there is an https prefix, a closed padlock icon to the left of the site’s address or in the lower right corner of the window — by clicking the cursor on the padlock, the active status of encryption can be checked).
  9. It is emphasised that the banks with which they cooperate will never, by any means (email, phone or SMS), ask consumers for their personal codes.
  10. It is also emphasised that consumers, as soon as they suspect a leak of their personal and secret codes, must immediately contact their bank for instructions and proceed with steps to dispute any transactions not authorised by them.

FREQUENTLY ASKED QUESTIONS ON DEPOSITOR PROTECTION FROM ONLINE FRAUD

1. I have fallen victim to online fraud — how can I get my money back?

Recovery of the funds is pursued on two parallel levels. On the one hand, a criminal complaint against unknown perpetrators is filed with the Prosecutor’s Office of the Court of First Instance and is then forwarded to the Cybercrime Prosecution Directorate for identification of the perpetrators and tracing of the funds. On the other hand, and more substantively, a damages action is brought against the bank on the basis of the PSD2 Directive (Law 4537/2018), where the bank failed to apply strong customer authentication or to detect suspicious transactions. The bank bears the burden of proving that the transaction was carried out validly and without any fault on its part.

2. Is the bank at fault when it failed to protect me from the fraud?

The bank has an enhanced duty of care and technical protection of deposits. Pursuant to the PSD2 Directive and Law 4537/2018, it is required to apply Strong Customer Authentication and systems for detecting suspicious transactions. When it fails to comply with these obligations or its systems do not detect manifestly unusual movements (large amounts, change of IP, transfers to unknown foreign accounts), it is liable to refund the amounts. The depositor is liable only in the event of intent or gross negligence, which must be proven by the bank and not presumed.

3. Where do I file a criminal complaint and what procedure is followed?

The criminal complaint against unknown perpetrators is filed with the Prosecutor’s Office of the Court of First Instance of the place of residence or the place where the fraud was committed. From there, it is forwarded to the Cybercrime Prosecution Directorate of the Hellenic Police, which has the technical means for tracing internet addresses and bank transfers. In parallel, a written dispute of the unauthorised transactions is submitted to the bank within 13 months and a notification is filed with the Hellenic Banking Ombudsman. Pursuing all three avenues significantly increases the prospects of recovering the funds.

4. What documents and evidence do I need?

All screenshots from suspicious emails, SMS messages or websites are gathered, as well as the electronic messages in their original form with the headers. From the bank, detailed account movements, e-banking login logs, information on the destination accounts of the funds and the identification methods applied are requested. Useful items include a copy of the notification to the bank, its replies and any communication with the perpetrators. All material is assessed by a lawyer specialised in cybercrime, so that the bank’s liability can be documented in the record thoroughly and on a technical basis.

5. How long will it take to recover my money?

The timeframe depends on the bank’s stance. Where the bank acknowledges its liability out of court, the refund takes place within a few months. Where the bank refuses, the damages action before the Single-Member Court of First Instance is, as a rule, heard within one to two years, with the possibility of bringing interim measures for immediate provisional protection. In parallel, the criminal proceedings take longer, but identification of the perpetrators and freezing of the amounts by the Cybercrime Prosecution Directorate can be effected within the first critical hours, provided the bank is notified immediately and a freezing request is submitted.

6. What is the role of the lawyer in an online fraud case?

The lawyer takes over communication with the bank from the very first moment, in order to request the freezing of the amounts in the destination accounts before they are dispersed. The lawyer drafts a documented criminal complaint, the written dispute to the bank and the application to the Hellenic Banking Ombudsman. The lawyer analyses the bank’s failures regarding strong customer authentication and fraud detection systems, establishing its liability on the basis of Law 4537/2018 and Articles 914 and 281 of the Civil Code (AK). The Law Firm ZIAMPARAS D. & ASSOCIATES has specialised experience in cybercrime and handles such cases in cooperation with technical experts.