Judgment against Apobank: Financial institution liable for phishing damage

The Berlin Regional Court orders Apobank to refund over 200,000 Euros and calls for better analysis of IP addresses for fraud prevention.


(Image: Tero Vesalainen/Shutterstock.com)


The Berlin II Regional Court has strengthened the rights of bank customers who fall victim to phishing-style deception and has placed technical obligations on financial institutions. This is evident from a ruling by Civil Chamber 38 dated April 22 (File No.: 38 O 293/25), available to heise online. In the proceedings against Deutsche Apotheker- und Ärztebank (Apobank), the court ruled that the bank is liable for more than 200,000 euros in damage from unauthorized transactions. The decision makes clear that an assumption of gross negligence on the customer's part is hardly tenable in increasingly sophisticated fraud scenarios.

The case sheds light on the professionalism of the attackers: the affected parties were lured into the trap by a combination of a deceptively real letter in the bank's name, a manipulated online banking interface, and a personal phone call. The fraudsters possessed detailed knowledge of the plaintiffs' other accounts, which solidified the impression of a legitimate bank employee.

According to her statement, the customer suspected nothing when, during her usual login via the favorites bar on her computer, she was prompted to set up 2-factor authentication. This step had been announced beforehand in an authentic-looking letter. The scenario seemed all the more credible because of the well-timed call from a supposed bank employee, which came from the bank's official number. Furthermore, the plaintiff only photographed codes from the screen; she never actively passed sensitive authorization data such as PINs or TANs to the caller.

The Berlin judges clarified that customers do not act with gross negligence in such a nearly perfectly staged deception.

The court's statements go beyond the decision itself. The chamber suggests approaches for necessary early detection systems: the bank could have recognized and prevented the fraud, as the customer's login and the simultaneous registration of a new device by the perpetrators occurred via entirely different IP addresses and providers. The financial house did not block this obvious discrepancy through automated security mechanisms and allowed the linking of the new device without sufficient ownership verification.

Ulrich Schulte am Hülse of the law firm Ilex Rechtsanwälte, who obtained the ruling, considers this assessment still technically amateurish, but he sees the judiciary on the right track. In proceedings against Apobank, complete log files, including IP addresses, are almost always available. From this data, combined with a survey of the customer, it can be precisely reconstructed in retrospect which actions are attributable to the perpetrators and at which point the bank should have intervened.

The lawyer emphasizes that phishing is no longer just a consumer issue. The decision shows that the largest individual damages are increasingly occurring in the area of small and medium-sized enterprises. Freelancers, self-employed individuals, and established corporations are affected. Modern multibanking, where business and private accounts are merged, increasingly blurs these categories. The ruling thus protects actors whose existence could be threatened by high damage sums.


This view is in line with the trend at other courts. The Higher Regional Court of Koblenz recently announced that even clicking on links in text messages and entering transaction numbers into a browser form cannot automatically be considered gross negligence if the fraud scheme builds a deceptively genuine chain of interactions.

The Berlin ruling thus sends a signal: banks must sharpen their security algorithms. Suspicious discrepancies in log files, such as simultaneous logins from technically implausible sources, should be proactively used for fraud prevention.
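The discrepancy the court and the closing paragraph describe (a customer session from one IP address and provider, and a new-device registration from an entirely different one within minutes) is straightforward to turn into a detection rule. The following is an added example that is not part of the article and not code from Apobank or any bank; it assumes a log line format of `timestamp customer event ip provider`, with the provider name attached by some log enrichment step, and runs over constructed sample lines using documentation IP ranges.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log (not from the case file): cust-1 logs in from a consumer
# ISP while a second session from a hosting provider enrols a new device minutes
# later; cust-2 enrols from the same source as the login. IPs are documentation ranges.
SAMPLE_LOG = [
    "2024-03-05T09:12:04 cust-1 login 192.0.2.10 ISP-A",
    "2024-03-05T09:13:20 cust-1 login 203.0.113.77 Hosting-B",
    "2024-03-05T09:14:37 cust-1 device_enroll 203.0.113.77 Hosting-B",
    "2024-03-05T10:01:00 cust-2 login 198.51.100.5 ISP-C",
    "2024-03-05T10:02:10 cust-2 device_enroll 198.51.100.5 ISP-C",
]

@dataclass
class Event:
    ts: datetime
    customer: str
    kind: str       # "login" or "device_enroll"
    ip: str
    provider: str   # ISP / AS name, assumed to be added by the bank's log enrichment

def parse_log(lines: List[str]) -> List[Event]:
    """Parse 'timestamp customer kind ip provider' lines, oldest first."""
    events = []
    for line in lines:
        ts, customer, kind, ip, provider = line.split()
        events.append(Event(datetime.fromisoformat(ts), customer, kind, ip, provider))
    return sorted(events, key=lambda e: e.ts)

def find_implausible_enrolments(events: List[Event],
                                window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Flag a device enrolment when any login session of the same customer inside
    the window came from a different IP or provider: hold it for ownership checks."""
    logins: Dict[str, List[Event]] = {}
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "login":
            logins.setdefault(ev.customer, []).append(ev)
        elif ev.kind == "device_enroll":
            # compare against every session still inside the window, not only the
            # latest one, so an attacker's own login cannot mask the customer's
            for login in (l for l in logins.get(ev.customer, []) if ev.ts - l.ts <= window):
                reasons = [r for r, hit in (("ip mismatch", ev.ip != login.ip),
                           ("provider mismatch", ev.provider != login.provider)) if hit]
                if reasons:
                    alerts.append({"customer": ev.customer, "enroll_ts": ev.ts, "login_ip": login.ip,
                                   "enroll_ip": ev.ip, "reasons": reasons})
    return alerts
```

On the sample lines, only cust-1's enrolment is flagged, because it was registered from a source that differs from the customer's own concurrent session; the matching enrolment of cust-2 passes silently.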

(vbr)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.