At the end of last January, a man from Córdoba received a text message on his mobile phone from his bank branch, Caja Rural del Sur, explaining that his bank account could be hacked. and asking him to put your access data to your Caja Rural account to change these credentials.
It turned out that this text message was sent by cybercriminals and not by your bank. A phishing-style scam (or more specifically smishing, which is similar but via SMS). It must be remembered that in Spain, phishing scams are becoming more and more common and that the authorities have broken up several gangs capable of stealing a lot of money.
Therefore, when entering his information, this man, named Rafael (and who has not made his surnames public) by accessing the SMS link and giving your bank credentials there, you actually gave away your data to these strangers. And, later, this gang stole money from his account, being able to easily access his online banking.
Specifically, the cybercriminals made two bank transfers: one of 1,890.80 euros and another of 9,970.80 euros, from Rafael’s personal account to another account, whose owner he did not know. The sum of the two transfers amounted to 11,861.60 euros.
THEFT OF DATA AND UNSOLICITED PACKAGES WHAT IS BRUSHING
What did the affected person do?
When Rafael saw that money had left his account for someone unknown, the first thing he did was alert the National Police (something that is recommended). As soon as he became aware of the fraud, The victim went to the National Police to file a complaint..
After this, he went to his Caja Rural del Sur branch to ask for the money to be reimbursed, showing the documents he had about the situation. The branch manager personally promised to handle the claim, but Rafael received no response from the bank for a couple of months.
After this, the organization that works to defend consumer rights in Spain. FACUA’s legal department in Córdoba contacted the Caja Rural del Sur Customer Service to demand that it return the 11,861.60 euros to its client.
To do this, they resorted to article 36 of Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures, which states that “Payment operations will be considered authorized when the ordering party has given consent.or for its execution”, a circumstance that had not occurred in this case.
They also mentioned article 45, which establishes that when an unauthorized payment order is executed, the bank must return the amount of the operation to the client: “the payer’s payment service provider will reinstate the account of payment in which the debit was made to the state in which it would have been if the unauthorized operation had not been carried out”.
FACUA Córdoba warned Caja Rural del Sur that if the claim was not addressed, there would be a lawsuit. The Caja Rural returned the money a few days ago and with the concept “January 2022 fraud subscription”, corroborating that it is indeed a fraud, although the banking company was not aware of it.
Bank obligations, according to FACUA
FACUA says that “banks, as facilitators of electronic means of payment, are obliged to implement double authentication or reinforced authentication, as established by Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures”.
These factors are divided into three types: knowledge, in which something is asked that only the customer knows, such as a password or PIN; possession, where you are required to use an object, such as a mobile phoneand inherence, the least common, in which something inherent to the client is used, such as his fingerprint or his face.