Online insurance cover not valid for phishing via SMS
According to the Bielefeld Regional Court, not every damage caused by digital deception is directly covered by household insurance with internet protection.
In a fraud case involving a bank customer who was lured to a fake website via SMS, the Bielefeld Regional Court has highlighted the narrow limits of insurance coverage for digital fraud schemes. The core issue is that household insurance with “internet protection,” which explicitly covers phishing via fake emails, does not cover damages resulting from SMS phishing. This is evident from a notice issued by the Bielefeld judges on September 25 (File No.: 22 S 81/25), which was reported by IT lawyer Jens Ferner and Beck Aktuell.
The Volksbank customer had received a deceptively genuine-looking SMS that prompted her to renew the registration for her online banking app, the VR-SecureGO Plus application, and redirected her to a fake login page. There, the victim entered her login details and, through her authorization app, unknowingly authorized the fraudsters' creation of a digital current account card, which they then used for purchases totaling almost 5000 euros.
After the bank refused a refund on the grounds of gross negligence, the lawsuit against the insurance company failed before the District Court of Halle/Westphalia, and not only there. According to the court's decision, the appeal before the Regional Court is also hopeless, as it “obviously has no prospect of success.”
An SMS is not an email
According to the Bielefeld judges, the general terms and conditions (AVB) of the policy that govern the coverage clearly differentiate between SMS and email. Accordingly, a mobile short message is “by no means equivalent” to an email. The Regional Court emphasizes that, unlike emails, SMS messages are limited in their text length and, above all, that the sender address of an email allows conclusions to be drawn about the sender. The phone number of an SMS does not offer this possibility.
The customer's argument that “email” should be understood as a general term for electronic messages was rejected by the higher court. Rather, “electronic message” functions as a general term for emails, SMS, and messenger messages. Thus, the clear wording of the terms excluded phishing attacks that began via SMS from insurance coverage.
Furthermore, the plaintiff failed in her attempt to classify the incident under the insured term of pharming. According to the 22nd Civil Chamber of the Regional Court, pharming, a manipulation of the DNS requests of web browsers, requires that the customer, believing a fake bank website to be genuine, execute an immediate payment transaction. However, the plaintiff had only authorized the creation of a digital current account card. The subsequent damages were therefore only indirectly incurred.
The fine print is crucial
Technically, according to the decision, there was also no pharming, as pharming involves redirecting correct access to a website, for example by manipulating the hosts file or the DNS server. Here, however, the customer was misled by a falsified link into disclosing her data, which is technically to be classified as phishing.
The decision of the Regional Court shows how narrowly insurance conditions are interpreted and that insurers limit their liability through precise definitions of fraud schemes. Lawyer Ferner sees this as an important note for consumers: The case again makes it clear “how important it is to read the insurance conditions carefully.” Many customers assume, given general descriptions such as “Internet protection,” that their policy comprehensively protects them against fraud in digital payment transactions. However, even small differences in the type of attack can determine whether damage is reimbursed or not.
Ferner points out a major dilemma: insured individuals take out such a contract in order to receive benefits in the event of a claim. The other side makes its living by not paying. The consequence is that policyholders must critically examine their policies for all relevant attack vectors and not just look at the price. Otherwise, there may be no coverage in the event of a claim. In general, the Federal Court of Justice already narrowly defined the possibilities for compensation for phishing victims in 2012.
(emw)