Phishing attack during online banking: Bank shares blame despite gross negligence on the part of the customer
Once again, a customer of a savings bank fell victim to a phishing attack in connection with his online banking. This time, transfers totaling almost €50,000 were made to fraudsters. The Dresden Higher Regional Court surprised everyone with its ruling, deciding that the responsible savings bank was partly to blame because the online banking login did not require strong customer authentication, and ordering the savings bank to pay part of the damages, amounting to around €10,000. However, the court rejected full liability (Higher Regional Court of Dresden, ruling of June 5, 2025 – 8 U 1482/24). Attorney Sascha C. Fürstenow explains the reasons for this decision in this article.
Facts of the case
The customer in question received a fake email purportedly from “Sparkasse Customer Service” informing him that his online banking was being updated and that adjustments had to be made for this purpose. The email redirected the customer to a website that was deceptively similar to the real Sparkasse website. On this fake site, the customer entered his login details to log into online banking. He was then informed that an employee from the technical department would contact him by phone.
Through deceptively genuine calls from “employees” of the savings bank, the daily limit was increased from €1,000 to over €24,000 and funds were transferred to a third party’s checking account. The customer assumed that the multiple approvals on the pushTAN app were necessary to carry out the technical reinstallation of his online banking. During the last call, the customer was asked to confirm two further orders in his app. Not only was the daily limit increased, but another transfer of over €24,000 was made to a third party and the login name for access to online banking was changed so that it was no longer possible to log in with his known data. It was not until weeks later that he noticed he could no longer log into his online banking. When he called customer service and was informed of the account movements, he stated that he had not authorized these transactions and demanded his money back. The customer was unsuccessful before the Chemnitz Regional Court, but the Dresden Higher Regional Court ruled in favor of the customer in part.
Dresden Higher Regional Court: Customer did not authorize the payments
The court is of the opinion that the customer is entitled to reimbursement of the transferred amounts pursuant to Section 675u (2) of the German Civil Code (BGB), as there was no effective consent pursuant to Section 675j BGB. Although the savings bank was able to prove the authentication of the payment transactions by means of technical documentation (Section 675w (1) BGB), this is not sufficient because there is no proof of authorization of the payments, and the resulting prima facie evidence was undermined by the phishing attack. The payment transactions were caused and manipulated by the abusive intervention of third parties, so that no conscious authorization took place.
No strong customer authentication in online banking
The court further stated that the savings bank did not require strong customer authentication for access to online banking. According to Section 1 (24) of the German Payment Services Supervision Act (ZAG), the payer is not liable if their payment service provider does not require strong customer authentication. At least two independent elements must be requested for authentication, but at the savings bank, logging into online banking only required entering a user name and PIN. Furthermore, the court criticizes the fact that the Sparkasse’s online banking system makes it so easy to increase the daily limit from EUR 1,000 per day to over EUR 20,000, arguing that this security gap in online banking contributed to the damage alongside the social manipulation, and that the Sparkasse was therefore partly to blame under Section 254 of the German Civil Code (BGB).
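The two controls the court discussed, as an added example that is not code from the article or from any bank: a check that username + PIN alone never satisfies strong customer authentication (two elements from different categories), and a session rule that holds a large transfer to an unknown payee when the daily limit was just raised sharply. The element names, the 5x threshold and the "hold" action are assumptions chosen for illustration.

```python
# Added example, not code from the article or any bank. It models the two
# controls the Dresden court discussed: strong customer authentication (SCA)
# needing two elements from different categories, and extra friction when a
# daily limit is raised sharply and then spent on an unknown payee.
from dataclasses import dataclass, field
from typing import Optional

# Element categories as used for SCA (knowledge / possession / inherence).
# The element names are assumptions for this example.
CATEGORY = {
    "username": "knowledge", "pin": "knowledge", "password": "knowledge",
    "pushtan_app": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def is_strong_authentication(elements):
    """True only if the elements span at least two different categories.
    Username + PIN are both 'knowledge', so they never count as SCA."""
    return len({CATEGORY[e] for e in elements if e in CATEGORY}) >= 2

@dataclass
class Session:
    daily_limit: float                               # limit at login, e.g. 1000.0
    known_payees: set = field(default_factory=set)   # IBANs paid before
    limit_before_raise: Optional[float] = None       # set once a sharp raise happens

# Threshold is an assumption for the example, not a value from the ruling.
RAISE_FACTOR_HOLD = 5.0   # raising the limit by 5x or more triggers a hold

def assess_action(session, action, amount=0.0, payee=None):
    """Return 'sca' (approve in the app) or 'hold' (execute only after a
    cooling period or out-of-band confirmation), updating session state."""
    if action == "raise_limit":
        old = session.daily_limit
        session.daily_limit = amount
        if amount / old >= RAISE_FACTOR_HOLD:
            session.limit_before_raise = old
            return "hold"
        return "sca"
    if action == "transfer":
        new_payee = payee not in session.known_payees
        raised = session.limit_before_raise is not None
        # The pattern from the case: limit raised 1,000 -> 24,000, then a
        # real-time transfer above the old limit to an unknown account.
        if new_payee and raised and amount > session.limit_before_raise:
            return "hold"
        return "sca"
    return "sca"   # username change and other sensitive changes need SCA
```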
In addition, the savings bank had misleadingly given the impression that the pushTAN app was a TÜV-certified procedure. However, TÜV Rheinland did not have accreditation within the meaning of the GDPR in the area of data protection and data security, meaning that the certificates used were not issued lawfully.
Customer grossly negligent in breaching duty of care
Despite the many security gaps in the Sparkasse’s online banking system, the court found that the customer had been grossly negligent in breaching his contractual and statutory duties of care. By responding to the phishing email and fake calls, the customer had committed “cardinal errors.”
Although the phishing attack resulted in the attackers gaining access to the customer’s online banking by disclosing his login details, they did not gain access to his pushTAN app. The customer actively contributed to the incidents by repeatedly authorizing transactions. The customer carried out the transactions that require strong customer authentication (daily limit change, change of user name, and real-time transfer) during the phone call with the alleged employee. This makes it clear that the customer did not pay much attention to the text messages and blindly complied with the request. In particular, the customer had been using the Sparkasse’s online banking service for years and was familiar with the procedures. By failing to carry out a final check of the data, the customer was therefore guilty of gross negligence in breaching his duty of care. The assumption that he was unable to identify the names of the payment recipients during authentication does not constitute a strong argument, as the court ruled that the recipient’s IBAN was sufficient and the recipient’s name did not need to be displayed.
The court acknowledges that the customer was the victim of a phishing attack and social engineering. However, the Sparkasse constantly provides customers with up-to-date security tips and advice, as well as warnings immediately after logging into online banking. Furthermore, the Sparkasse does not send emails that lead to online banking via a link or button, nor does it send emails requesting data entry. The customer also violated the security instructions by not updating his pushTAN app for a long time. The customer should also have recognized that the email could not have come from the savings bank because it contained grammatical errors and was written in colloquial language. The requests to confirm the orders on the phone with the alleged savings bank employee should also have raised doubts. In addition, the average online banking user should have been aware of the issue of “phishing” due to its presence in the media.
Due to the grossly negligent breach of duty of care, the customer is entitled to “only one-fifth” of the claim for damages, i.e. around EUR 10,000.
Significance of the ruling for bank customers
The decision of the Dresden Higher Regional Court is of considerable importance for both bank customers and banks. There is disagreement about what technical conditions are necessary and to what extent strong customer authentication must be carried out. Nevertheless, customers also bear a great deal of responsibility for their data security. Users of online banking have been aware for years that so-called phishing emails can be in circulation and that the identity of the caller can easily be faked during telephone calls. The average customer of online banking systems should therefore be aware that the pushTAN app, which is explicitly used to approve transactions, should not be used for other purposes. In recent years, there have also been many press reports in the media warning consumers not to give out information to unknown callers on the phone and not to initiate financial transactions.
How to protect yourself from phishing attacks and reduce risks
Attorney Fürstenow advises bank customers to take at least the following security precautions:
- Check the sender carefully and pay attention to
  - unusual sender addresses
  - spelling mistakes
  - logos that are not identical to those used by the bank
  - colloquial wording and/or urgent, threatening language (“Your account will be blocked”).
- Do not click on any suspicious links; instead, enter the bank’s website address manually.
- Never disclose your PIN or TAN, whether by email or over the phone to supposed “employees.”
- Activate two-factor authentication.
- Use security software.
- Update apps at regular intervals.
Attorney Sascha C. Fürstenow will be happy to advise you on this and work with you to ensure that the contract contains all the necessary provisions and that your interests are represented.
