Despite all the cyber crime on the internet, the Swiss banking system is one of the most important in the world. It enjoys a good reputation, which rests on the political and economic stability of Switzerland. It is no wonder that many bank clients entrust their money to Swiss banks.
In recent years, cyber crime has risen sharply. It was therefore only a matter of time before the courts had to deal with central issues relating to cyber crime on the internet.
Recently, the Swiss Federal Court had to judge two cases (see also part 2). The facts of these cases dealt with two different types of cyber crime. The cases show that the business relationship with a bank entails considerable risks.
The first case: social engineering scam
This ruling (4A_178/2019, 4A_192/2019 of 6 August 2020) had the following facts as its subject:
The bank’s client was a company (hereinafter “the client”). The client agreed with the bank that it would never place payment orders by e-mail. In the following years, the client placed payment orders with the bank exclusively via Internet banking, never by telephone or e-mail.
The client and the bank also agreed that the accountant of the client was not entitled to place a payment order alone. Instead, they agreed on a signature arrangement. This arrangement specified that only the joint signature of specific people (including the accountant together with another authorized person) would suffice for placing a payment order.
At a later point in time, cyber criminals contacted the client’s accountant. They convinced the accountant that her boss (the CEO of the client) and his lawyer would contact her. They told her that her boss wanted her to place several urgent payment orders on his behalf.
The customer service of the bank then explained to the accountant that it could accept the payment orders if they were placed by telephone by the accountant and then confirmed by e-mail by her and by her boss.
Thereafter, the cyber criminals sent this confirmation, purportedly from her boss, by e-mail to the accountant and to the bank. However, the e-mail was not from her boss, but came from the cyber criminals.
Subsequently, the accountant placed the payment orders accordingly. The bank then transferred about 4 million euros to the scammers.
The ruling of the court
The Federal Court ruled against the bank. The following circumstances were decisive for the Federal Court:
i. The client had agreed with the bank that the client would not place payment orders by e-mail. Therefore, a confirmation and payment order by e-mail were not sufficient.
ii. The customer service of the bank had only checked back by telephone with the accountant, not with a second person authorized to sign. This was a violation of the agreed signature arrangement (joint signature).
iii. The e-mails allegedly sent by the boss (the CEO of the client) were obviously suspicious, among other things because of spelling errors.
iv. Last but not least, in the past the client had placed payment orders exclusively via Internet banking, never by e-mail. The bank should have noticed this and therefore detected a possible cyber crime on the internet.
Conclusion with regard to cyber crime on the internet
In this case, the decisive factor was that the bank had agreed on a signature arrangement with the client. This arrangement allowed the accountant to place payment orders neither on her own nor by e-mail.
The important finding from this is that banks should never deviate from a contractual signature arrangement. If they do, then only after a particularly intensive examination. The bank must be sure that the payment orders actually correspond to the will of its client.