Phishing attacks on e-commerce sites

In the past year, there have been numerous attacks on the bank accounts of clients who offered goods on various e-commerce sites. The practices of fraudsters are becoming more and more sophisticated, making it more and more challenging to detect them. We help our clients to gain back their stolen funds.

How do fraudsters usually proceed?

The client places an advertisement for the goods on a well-known bazaar. A prospective buyer then calls and insists that the goods be transported via one of the private delivery services operating in the Czech Republic.

After the interested party promises to pay the cost of delivery, the client provides his email or phone number to the buyer. The client then receives a message, allegedly from the delivery service, stating that it is necessary to click on the link in the message and accept payment for the shipment. Nothing in the message indicates that it does not come from the delivery service in question, so the client clicks on the link without hesitation and is redirected to a page that is virtually identical to the login page of his online banking account. From then on, everything happens very quickly: the client fills in the login details, receives a few verification SMS messages, and finally a message saying that access to the client’s account has been blocked from all his devices.

The attacks occur mostly in the evening or early morning hours, when some banks do not offer a nonstop phone line and it is also not possible to visit a branch in person to resolve the matter as soon as possible and at least mitigate the effects of the phishing attack. The client thus finds that all his savings have been gradually drained from the account in several (even dozens of) payments. In the worst case, the fraudster has entered into a loan agreement with the bank on the client’s behalf via internet banking.

Will the client get his money back?

After the client manages to get in touch with the bank, he immediately starts the process of claiming the payment transactions. However, the banks are very likely to reject the claim on the grounds that the client, as the account holder, has provided his internet banking details to a stranger and confirmed a stranger’s authorization device. The bank considers this conduct to be culpable negligence, which absolves the bank of all liability.

However, there are situations in which the bank is still liable for the loss and is thus obliged to return the stolen funds to the client. One of these is where the bank does not allow misuse of internet banking to be reported at any time, for example, via a nonstop phone line.

What do we help the client with?

We assist clients in drafting an application for review of the decision rejecting the claim, in which we present arguments for establishing the bank’s liability for the stolen funds based on the findings of the financial arbitrator, court decisions and communications from the supervisory authorities of the CNB and the EBA.

If the bank still refuses to return the funds, we will refer the matter to the financial arbitrator. Proceedings with the financial arbitrator are free of charge and each party bears its own costs. The financial arbitrator is generally required to issue an enforceable decision on the matter within 90 days of obtaining all the evidence.

Have you been the victim of a phishing attack? Contact us at or call +420 222 767 393 to arrange an initial consultation.