Banks and credit cards are preferred targets for fraudsters. According to a study published by Serasa Experian, of the 331,200 frauds carried out in Brazil in May of this year, 53.3% involved misuse of a person’s identity to open accounts and issue cards without the owner’s authorization. When this happens, are financial institutions responsible for returning the money to the victim?
University professor and lawyer Fabricio Posocco, of Posocco & Advogados Associados, points out that, according to the understanding of the Supreme Court of Justice (STJ), the answer is yes. “The thesis established in precedent 479 STJ is that financial institutions are objectively responsible for damage caused by fraud or the use of false documents”.
Fraudulent bank account opening and manipulation
A lawyer specializing in consumer law explains that fraudulent operations, such as obtaining loans and opening accounts using false identification, must be canceled by the bank. “What was improperly charged must be returned to the consumer, because he is not responsible for damage for which he is not responsible, according to Article 393 of the Civil Code.”
Pix fraud and kidnapping
From the launch of Pix in November 2020 through this past July, more than 933 million BRL transactions have been confirmed. Unfortunately, not all of them are legitimate. Courts across the country are hearing cases from victims of service failures, such as unauthorized transfers made from stolen cell phones, express kidnappings and coerced registration of Pix keys.
“Judges condemned banks to compensate clients. Most of the decisions indicate that financial institutions must invest in the security of their branches, services, and especially in the area of internet banking and digital applications. For the judges, it is up to the bank to verify the regularity of the transactions, as well as to evaluate the entire profile of the client in order to block those who are suspicious, under the penalty of the configuration of civil liability of financial institutions,” says Posocco.
Fraud in credit card transactions
A leak of sensitive data, like the one that happened last December at the Central Bank, can be exploited by fraudsters who run fake call center and fake courier (motoboy) scams, for example. In that incident, the usernames, CPF, bank, branch number and account number of around 160,000 people were exposed.
“The fraudster contacts the victim over the phone posing as a fake employee of the bank or company with which he is in a relationship. He says that the card has been purchased or cloned. Then he asks for confirmation of personal and bank details, which he already has. This tactic tricks consumers into believing they are talking to a bank. Later, the victim realizes that he suffered a financial loss,” says the lawyer.
Posocco emphasizes that companies are obliged to protect customers’ personal data and passwords from leaks, in accordance with the General Data Protection Act (LGPD). “In case of failure to comply with this procedure, as stated in Article 42 of the LGPD, the controller or operator who causes property, moral, individual or collective damage to another is obliged to repair it”.
What if the data breach was not initiated by the financial institution whose client was the victim? The expert explains that the bank is responsible for not identifying repeated transfers, in a short period of time and beyond the usual amount. “Every financial institution knows the profile of the client. Therefore, in the case of atypical transactions, the bank must make a preventive block to verify authenticity and collect confirmation from the client”.
In 2021, attacks via mobile devices reached 70.61% and now represent the majority of fraud affecting Brazilian e-commerce, according to anti-fraud firm Konduto.
The fraudster develops a fake website and social network profile to auction and sell products, clones WhatsApp, sends SMS with a misleading link, creates an unauthorized ticket and asks for updates to applications of social programs and benefits for citizens, such as Caixa Tem. All of this reaches the victim through a smartphone. The fraudster never delivers the goods paid for and can also steal personal and financial information.
“When an account on a social network is hacked by an embezzler, in order to sell non-existent products and ask for money from contacts, the platform can also be liable for moral damages to the victim,” warns Posocco.
What to do to get the money back
Lawyer Fabricio Posocco states that STJ Precedent 297 and Article 3, Paragraph 2 of the Consumer Protection Code establish that the bank is a service provider and is responsible for any risk inherent in its activity. In other words, any unexpected damage to the consumer must be compensated by the bank.
“The victim must contact the financial institution to report the fraud and dispute the amounts. You must also file a police report (BO) at a physical or virtual police station. On the website of the State Secretary for Social Protection, the victim can find a link to the electronic police station,” recommends the expert.
To further reduce the damage when a mobile phone is stolen, the victim must also ask the phone operator to block the device using its IMEI. Then, using another smartphone, the victim needs to change all passwords for e-mail, social networks and other applications that were on the device taken by the criminal.
“The current legislation and the theses established by the higher courts guarantee that, if the money is not returned by the financial institution, it is possible to turn to consumer protection agencies, such as Procon, or to the judiciary for damages,” concludes Fabricio Posocco, from the office of Posocco & Advogados Associados.