We use the word phishing for the illegal practices by which hackers appropriate personal data and bank passwords in order to impersonate us and attack our assets. It is a phenomenon of growing incidence, and we must be aware of our rights as consumers.

By Col·lectiu Ronda, Barcelona

The word “phishing” covers a wide range of fraudulent and often sophisticated practices whose common denominator is an attempt to “fish” for our personal data (hence the English verb used to baptise it) in order to operate in our name through online banking services and dispose of our assets at will.

The techniques cybercriminals use to get hold of this valuable information are almost infinite, but they often share a common feature: the hackers contact us posing as our financial institution, for example, and ask us to visit a website and enter security information (secret keys, PIN numbers, passwords…) on the pretext of resolving some problem with our account, credit cards, etc. The problem is that the request does not come from the bank and the page we are sent to is not the bank’s, even though it may look absolutely identical, so what we are really doing is handing criminals the information they need to make online purchases, order transfers or take out loans in our name.

On other occasions, the hackers’ technique is not a direct, camouflaged request: through e-mail, for example, they introduce malicious software into our mobile phones and computers, from which they can track our activity and record data and passwords without our being aware of it.

These two methods are undoubtedly the most common forms of phishing today, but they are not the only ones. Below, we briefly describe other techniques cybercriminals use to capture our personal data illegally:

DNS-based phishing: One of the most sophisticated forms. Attackers take control of a company’s host system (i.e., the servers where its website is hosted) so that when we visit it, by typing in the address of the page we want to reach, we are redirected to a different page under their control. This page is identical in appearance to the one we wanted to visit, so we may never realise that we are on a different website and that the information we enter is passing into the hands of third parties.

Phishing in search engines: Sometimes the cybercriminals’ tactic is to create web pages that do not pretend to be other pages but are “legal”-looking websites where, for example, services are advertised that are not really offered, or non-existent products are put up for sale. In this case the problem is that the data we provide to buy these products or services are not handled through a bank’s payment gateway but through a system – this one fraudulent – built by the criminals themselves to capture the information. In some cases these fraudulent pages even advertise themselves through search engine advertising services such as Google Ads, reinforcing the false appearance of a website with no criminal intent.

Manipulation of legal websites: Another very sophisticated way of capturing personal data is when hackers manage to manipulate and replace only a part of a legitimate website in order to capture the data users enter there, taking advantage of a weakness or imperfection in the security of the page itself. For users this is an almost undetectable modality, because the website really is the one we wanted to visit and we have no way of knowing that, without any external signal, it is acting like a real zombie under the control of cybercriminals.

Fraudulent Wi-Fi networks: With this technique, hackers set up Wi-Fi networks that cover public spaces (coffee shops, for example) and give them the name of the establishment. When people connect, they think they are using a service offered by the place where they are, but in reality they are on a network where everything they access is easily traceable by the criminals.

Phishing through the customer services of companies: A modality halfway between a classic “analogue” scam, let’s put it this way, and a cyber one. Hackers obtain the contact details of people who have posted complaints or criticisms of certain companies on social networks. They contact them posing as representatives of the company itself and end up asking for the information they want on the pretext, for example, of refunding the money for a service that was not satisfactory.

SIM card duplication: One of the phishing modalities that is becoming more relevant, because of the large number of people affected, is the duplication of the SIM card of mobile phones. With the data they manage to capture about us, the hackers contact our telephone operator pretending to be us in order to link our SIM card to a new device. In this way, when they order a fraudulent online transaction – for example, a transfer from our bank account to the criminals’ – they can enter the code the bank sends us to validate the transaction.

These and other forms of phishing that we have just described briefly are increasingly recurrent and are taking over from the most common forms of online fraud mentioned above, which consist of sending us an e-mail that directs us to a fraudulent website, or installing malware to gain access to sensitive information we may transmit at any given time.

Whatever the strategy of the cybercriminals, the objective is the same: to appropriate our money and benefit from the enormous amount of information that circulates on the Internet on a daily basis.

Reinforced protection

Aware of the magnitude of the security problem posed by the activity of cybercriminals, the European Union approved a directive on Payment Services in the Internal Market, obliging Member States to introduce into their legal systems a series of mandatory measures for companies and financial institutions aimed at reinforcing controls and user protection. In the case of Spain, these EU-imposed measures were adopted and approved through the Payment Services Law which, among other measures, established a new regulation of payment services and emphasises the need to reinforce cybersecurity, creating an extensive framework of responsibility for institutions to guarantee a secure digital environment for their customers.

On the one hand, there is the commitment to strong authentication, with which we have become familiar over the last few years and which basically means that every payment order is subject to a double validation process. In other words, to conclude a transaction it is not enough to enter our password or PIN code; we must additionally use some other mechanism that can only depend on the user, either a specific validation application installed on the mobile phone or a factor inherent to the person themselves, such as a fingerprint or other biometric data.
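The double validation described above can be shown concretely. The following is an added illustration, not code from Col·lectiu Ronda or from any bank: a payment order is accepted only when a knowledge factor (a password, stored as a salted PBKDF2 hash) and a possession factor (a time-based one-time code of the kind generated by an authenticator app, RFC 6238) both verify, and each one-time code is accepted at most once. The account data and the PBKDF2 cost are constructed for the example.

```python
"""Strong customer authentication (SCA) check for a payment order.
Added illustration; the account, password and secret below are constructed."""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 200_000          # assumption: cost parameter chosen for the demo
TOTP_STEP = 30                   # seconds per code, as in RFC 6238
TOTP_DIGITS = 6


def enrol_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash). Only the hash is kept; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Knowledge factor: constant-time comparison of the recomputed hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    used_counters: set = field(default_factory=set)  # codes already spent


def match_totp(account: Account, code: str, at_time: float, window: int = 1):
    """Possession factor: return the matching counter (allowing +/-window steps of
    clock drift) or None. Constant-time comparison avoids leaking partial matches."""
    counter = int(at_time) // TOTP_STEP
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(account.totp_secret, c), code):
            return c
    return None


def authorise_payment(account: Account, password: str, code: str, at_time=None):
    """Accept the order only if BOTH factors verify and the code has not been replayed.
    Returns (accepted, reason)."""
    at_time = time.time() if at_time is None else at_time
    if not check_password(password, account.salt, account.pw_hash):
        return False, "knowledge factor failed"
    counter = match_totp(account, code, at_time)
    if counter is None:
        return False, "possession factor failed"
    if counter in account.used_counters:
        return False, "one-time code already used"
    account.used_counters.add(counter)
    return True, "strong authentication satisfied"


def demo_account(password: str = "correct horse battery") -> Account:
    """Constructed account using the RFC 6238 reference secret for reproducibility."""
    salt, pw_hash = enrol_password(password)
    return Account(salt, pw_hash, b"12345678901234567890")


if __name__ == "__main__":
    acct = demo_account()
    now = time.time()
    print(authorise_payment(acct, "correct horse battery", totp(acct.totp_secret, now), now))
    print(authorise_payment(acct, "correct horse battery", "000000", now))
```

The point the article makes is visible in the last function: a password captured on a fake website is not enough on its own, and a one-time code that has already been spent is refused even if the password is right.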

Responsibility of the entities

European regulations and their transposition into Spanish law do not only introduce significant measures to reinforce the security of users. They also accentuate the responsibility of the institutions themselves to supervise the transactions of their customers and users in order to detect fraudulent practices that may pose a risk or indicate, even if only indirectly, that the security of a transaction may have been compromised. Therefore, institutions (which are the providers of online payment services) must be in a position to detect whether the authentication elements used to validate a transaction have been stolen, or whether malicious software (known as ‘malware’) is involved in a potential transaction.

Likewise, institutions are obliged to analyse the transactions carried out through the channels available to their customers in order to identify those that could be fraudulent, to the point of blocking them and not allowing them through until they can reliably confirm that it is really the user who is authorising them and not someone who has impersonated him or her for criminal purposes.

In this regard, it is very important to remember that the Payment Services Act clearly establishes that the only valid transactions are those that have the consent of the person ordering and, therefore, when a user denies having given this consent, institutions are obliged to immediately return the amount of the transaction.

Duty of care

It is usual, however, that when one of these cases arises, in which the data have been obtained illegally by a third party for criminal purposes, the affected customer is at first confronted with the institution’s refusal to return the money. On what basis? Basically, the institution argues that the customer failed to exercise diligence in keeping and protecting his or her personal data.

Lack of diligence does indeed exonerate institutions from liability, as provided for in article 46 of the Payment Services Act. However, under current legislation this negligence must be serious and exclusively attributable to the person concerned. In this sense, Spanish courts do not usually find negligence on the part of users except in the most serious and obvious cases, and they have specified time and again, in numerous judgments, that banks are responsible for maintaining the security of the means used to operate telematically, purchase products or services and make transfers, as well as any other financial transaction. In any case, and this should be borne in mind, to be exempt from liability it is the bank itself that must reliably prove that its client acted negligently and that the damage suffered is exclusively attributable to the client.

What should we do if we have been victims of phishing?

First and foremost, if we detect transactions that we have not ordered, we must immediately contact our bank so that it can cancel the payment method used by the cybercriminals and generate new security credentials as quickly as possible.

Once this has been done, we must go to the police to report the incident. In doing so, we should provide as much documentation and information as possible about the means the hackers used to obtain our data and about how the fraud we have suffered was committed. This information is essential not only to help clarify the facts but also to demonstrate to the institution that there has been no negligence on our part.

After reporting the fraud, you should contact your bank’s customer service department to claim a refund of the amounts corresponding to the operations fraudulently carried out by the cybercriminals, informing them of the facts and of the filing of the complaint. As we explained before, it is the bank’s responsibility to refund these amounts. If it refuses, or simply states that the authentication processes established by the regulations in force were followed and that the facts are not attributable to it, you will probably have no alternative but to take the appropriate legal action to force the institution to assume its responsibilities. We remind you, once again, that this responsibility is contemplated by the legislation in force, and that the burden of proving any possible negligence falls on the institution, which, if it is unable to do so, as is usual, incurs legal and contractual liability for the damage we have suffered.