A high court decision ordered a financial institution to award substantial compensation after failures in bank protection during a money transfer. The ruling centers on how digital banking safeguards operated during a recent incident described as a case of unauthorized access to a client’s account.
In June, a resident of Yekaterinburg opened an Internet banking profile from a desktop computer to conduct transfers from his own account. After creating a payment instruction, the user was abruptly logged out from the application. Attempts to sign in from a different device failed, prompting him to contact the bank’s support team.
Investigation revealed that fraudsters had gained entry to the victim’s personal account, changed the primary phone number, altered the notification method, and executed two transfers totaling about 1.4 million rubles. The scheme was aided by a customer who had returned to the app and tried to complete a transfer by entering codes that were allegedly sent by the bank. In reality, the bank delivered only part of the SMS messages the victim opened, and the remaining messages were never received. The victim did not receive alerts about transfers that had already been completed.
According to a lawyer involved in the case, the intruders managed to seize full control of the account within minutes. The time between the transfers and the interaction with support was measured in just a few minutes. It is noted that the funds were sent to recipients who themselves held Raiffeisenbank accounts. This meant that the transfers occurred within the same banking system, allowing the bank to potentially reverse or freeze the transactions. The lawyer also pointed out that the attackers had altered the main phone number to an unknown contact without the customer’s consent.
The Central Bank’s position is that such bank actions amount to transactions made without customers’ consent. In standard practice, financial institutions implement security measures that prevent immediate access from a new device after a user adds a personal account. Despite the clear violation of the client’s interests, the Oktyabrsky District Court initially ruled in favor of the customer. A higher regional court later reviewed the case and affirmed the victim status of the Yekaterinburg resident.
As a consequence, Raiffeisenbank is obligated to reimburse the customer for 1.4 million rubles that were stolen by the fraudsters. The bank is also required to pay a fine, compensation for moral damages, and interest as specified by the court. — The decision underscores the need for stronger safeguards and rapid response protocols in online banking when a login or device change occurs.
In related reports, fraud schemes involving SIM card updates and targeted social engineering have continued to surface in the region, reminding consumers of the ongoing risk to personal financial data.