Can a bank be liable in phishing cases involving fraudulent transactions?


Bank liability in phishing cases

Have you ever received emails with a subject such as “Congratulations, you have won Rs 1 lakh, just click the link to claim the money!!” or other emails with similar content? Most phishing emails are designed to appear attractive and lucrative. Phishing scams are a type of social engineering attack that manipulates users into sharing sensitive personal information such as passwords, ATM card details, internet banking credentials, and other financial information.

Background

Fraudsters keep devising new ways and pretexts to trick users into sharing their personal information. At times, they add an element of fear by stating that the user’s card or account will be blocked. You may receive an email with a subject such as “Your bank branch is updating its database, please fill in the form attached to this email to make sure we have the correct information.” On receiving such an email, many individuals would be prompted to submit their details so that they do not miss out on updates from their branch. Please note that banks never ask you to update your information in this way. This is a phishing email, and you must avoid it. For more information on phishing, feel free to check this article.

If you ask any cyber law specialist about a bank’s liability in a phishing case, they will most likely tell you that since the customer himself/herself authorised the transactions, the bank concerned is not liable. Generally, phishing scams succeed because of a lack of due diligence on the victim’s part. Under the impression that the email is genuine, the victims believe its contents and end up sharing their confidential information. In the last few years, even the RBI has issued multiple guidelines for deciding liability in cases of unauthorised transactions. These guidelines affix liability based on whether or not the customer has been negligent.

Contrary to the general understanding of liability in phishing cases, a different opinion was observed in Prothius Engineering Services Pvt. Ltd. v. IndusInd Bank Ltd. The learned IT Adjudicator for the State of Maharashtra ordered the bank to pay a compensation of ₹20.55 lakhs to the victim.

What is the complainant’s case?

The complainant (Prothius Engineering Services Pvt. Ltd.) alleged that they received an email from [email protected] on January 09, 2014. This email informed the complainant that the bank was updating its database and required the following information from the complainant: current account number, branch name, and registered mobile number and email address. It also contained a form that was supposed to be filled and sent back through email for updating the database.

On receipt of this email, the complainant also informed a bank official so that the authenticity of the email could be verified. It is alleged that the said official did not perform due diligence in this regard. The bank called on January 21, 2014, to inform the complainant that their account had insufficient funds to clear a cheque issued for ₹ 13,65,968. According to the complainant, this was not possible as their account held approximately ₹ 42 lakhs.

Between January 18 and 21, 2015, debits aggregating to ₹ 14,05,000 were made from their account. The bank was informed of this on the same date, with a formal notification to freeze the account and furnish its account statement. The complainant also reported to the bank that they were not able to access their internet banking. Even after sending a formal notification to freeze the account, the complainant noticed another transaction of ₹ 6,50,000. Subsequently, the complainant again directed the bank to disallow any further transactions.

Aggrieved by this, the complainant filed a suit before the Adjudicating Officer under Sections 43, 43A, 43(b), 43(g), 61, 55, 66C, and 46 of the Information Technology Act, 2000 on September 08, 2014. In its complaint, the complainant stated that the bank had shared the details of the beneficiary accounts and informed them that the matter was under investigation. However, despite several follow-ups, the bank failed to return the money lost through the fraudulent transfers. The complainant sought relief of ₹20,55,000 with 18% interest from the date of transfer, along with ₹60,000 for the loss of 100 man-hours, a compensation of ₹1,00,000 under Sections 43 and 43A, ₹50,000 for travelling costs incurred, and any other relief deemed fit.

What did the respondent say?

In its response, the bank denied all the submissions made by the complainant. It stated that the said email ID is not owned by the bank. The complainant should have noticed the incorrect spelling of “exclusive” in the email address before responding. Further, the complainant informed the bank only on January 10, 2014, by which time they had already replied to the said email a day earlier.

Respondent number 2, Vodafone India Limited, submitted that the complainant’s mobile number registered with the bank was active on the days of the alleged fraudulent transactions. Vodafone submitted that it only acted as an intermediary under the Information Technology Act, 2000, and hence is exempted from any liability. Further, it denied having issued the three impugned numbers involved in this case. The second respondent also submitted that the complainant is aware that it is not liable in the present case, as the complainant had not made it a party to the dispute filed before the Hon’ble State Consumer Disputes Redressal Commission, Maharashtra.

Observations of the IT Adjudicator

After the complainant informed the bank about the receipt of such an email, no material was presented to indicate that the bank took any measures to check the genuineness of the said email or replied to the complainant. While it is clear that the complainant fell prey to a phishing fraud, the impugned email address is in the name of the bank’s domain. This indicates that either the phishing email originated from the bank or there was a security lapse in the bank’s IT system, including its mail servers.

Although the bank pleaded that its internal investigation showed delivery of the OTP when the beneficiary was added, the complainant clearly appears to have been tricked by the use of the bank’s domain. The bank cannot simply be relieved of its responsibility by contending that the complainant missed the spelling error. It is the perpetrator of the fraud who can be held liable under Sections 43(a) and 43(b), not the bank. However, it is clearly established that the bank’s unsecured server and negligence assisted the fraudsters, and it stands liable under Section 43(g) read with Section 85 of the Information Technology Act, 2000. Further, the IT Adjudicator also concluded that the bank was in breach of the security policies it was obligated to follow under the applicable RBI circulars. There was nothing on record to substantiate the involvement of the second respondent, and it was discharged.

Remedy

The IT Adjudicator directed the bank to pay a compensation of ₹20,55,000 to the complainant within one month of the order. It is clear that the compensation amount only covers the amount fraudulently withdrawn and excludes the other relief sought by the petitioner. Advocate (Dr.) Prashant Mali, a leading cyber expert and well-known lawyer, represented the complainant in this case. In an interview with the Indian Express, he said that the fight to recover the lost money began in 2014. The case had been pending for six years, and the forum should have made the respondent pay the legal expenses accrued, interest, and other damages incurred by the complainant.

Significance of this case

This case may hold high precedential value in the times to come. It is imperative to understand that banks must strive to achieve the highest level of security possible. Not only are they bound by the Information Technology Act, 2000, and the guidelines issued thereunder, they also need to comply with the relevant RBI guidelines. In the present case, the lack of due diligence and the involvement of an email address on the bank’s domain were the deciding factors. It will be interesting to see how the jurisprudence of phishing evolves in India in the next few years.


An initial draft of this article was prepared by Srushti Iyer. With inputs from Raj Pagariya.
