Delhi High Court orders SBI to compensate phishing scam victim

Delhi High Court orders SBI to compensate academician duped in phishing attack, highlighting bank’s negligence in response

The Hindu

The Delhi High Court has ordered the State Bank of India (SBI) to compensate a 55-year-old academician who was duped of ₹2.6 lakh in a sophisticated cyber fraud involving a ‘phishing attack’.

Justice Dharmesh Sharma, in the judgment delivered on November 18, highlighted deficiencies in SBI’s response, noting that despite prompt intimation from the account holder about the account breach, the SBI Customer Care Service “showed no urgency”.

The victim, Mr. Hare Ram Singh, stated that on April 18, 2021, he received an SMS containing a link. Shortly after, he got a call from an unknown caller who convinced him to click on the link contained in the SMS so as to keep the SMS service on his mobile number open and operational.

Mr. Singh said that as soon as he clicked on the SMS link, ₹2.6 lakh was withdrawn without authorisation, in two transactions of ₹1 lakh and ₹1.6 lakh, from his savings bank account maintained with the SBI.

Upon realising that he had been defrauded, Mr. Singh immediately dialled the ‘Customer Care Department’ of SBI to register a complaint and seek a hold on the transactions that had been initiated without his permission, but to no avail.

He filed a complaint before the Branch Manager, SBI, Greater Noida, and also filed a cyber complaint and a separate complaint with the police. As his grievance was not redressed by SBI, he also filed a complaint before the Banking Ombudsman.

On October 20, 2021, the Banking Ombudsman asked SBI to credit one-third of the disputed amount, i.e., ₹33,334, to Mr. Singh’s account and closed his complaint. Aggrieved by this decision, as the remaining sum of ₹2,27,000 has still not been restored to his account, Mr. Singh moved the court.

He relied on the guidelines issued by the RBI on July 6, 2017, titled “Customer Protection – Limiting Liability of Customers in Unauthorised Electronic Banking Transactions”, which create a framework for reversal of erroneous debits arising from fraudulent or other transactions.

The Reserve Bank of India (RBI) and SBI, on the other hand, contested the plea, noting that negligence on the part of Mr. Singh cannot be ruled out, as the transactions were 2FA (two-factor authenticated) transactions, i.e., they were carried out using the INB (internet banking) credentials and an OTP, suggesting that he must have shared the One Time Password (OTP) with the unknown caller.

The court, however, rejected this argument, saying that security protocols such as ‘2FA’ or OTP verification had been breached by a simple ‘malware’ deployed by the cyber fraudsters.

“Evidently, the online banking service of the petitioner (Mr. Singh) was linked with his mobile number, which was being used to authenticate his banking transactions, and the security apparatus of the respondent Bank failed to detect any unusual logging activity from a different Internet Protocol Address that was being used by the fraudsters,” the court said.

“It has to be presumed that it is on account of the failure on the part of the bank to put in place a system which prevents such withdrawals, that the petitioner suffered monetary losses,” the court added.

“In my view, the petitioner was a ‘victim’ of cyber fraud, and he cannot be said to be ‘negligent’ in any manner under the notions of the civil law or for that matter under the criminal law,” the court said.

Published - November 20, 2024 05:10 pm IST