
Liability in case of phishing attacks

17.05.2016

A bank customer has a current account for business purposes. After he became the victim of a so-called phishing attack, he demanded that the bank correct his account. § 36 Abs 3 ZaDiG (Payment Services Act) gives the payment service user a right to compensation, provided that he informs the bank immediately after detecting the unauthorized payment transaction. The mandatory allocation of the risk of abuse to the bank is justified by the fact that the bank can control the risk better than the user, both technically and economically. It is within the discretion of the payment service provider to make the payment system secure, and the provider can absorb the few cases of abuse through its price calculation. However, if the customer is also to blame for the abuse, the payment service provider can demand reimbursement of the damage in accordance with § 44 Abs 2 and 3 ZaDiG. § 44 Abs 2 and 3 ZaDiG regulate the liability of customers in a mandatory and conclusive way. Upon receipt of the payment instrument, the customer must take all precautions which can reasonably be expected of him, as well as all precautions provided in the terms of use, to protect the personalized security features and the payment instrument against unauthorized access. In addition, the customer must report the loss, theft or unauthorized use of a payment instrument without any delay as soon as he becomes aware of it. [OGH 15.03.2016, 10 Ob 102/15w]