Netherlands: Case analysis - the Rabobank phone phishing decision

23 September 2014

The ‘s-Hertogenbosch Court of Appeals issued a decision in February this year on a case involving the Dutch banking and financial services firm Rabobank Group, in which the plaintiff claimed that its local branch of Rabobank had failed to provide sufficient information to warn against phishing attempts made over the telephone. The Court confirmed an earlier local district court decision, finding that the Rabobank’s warnings had been sufficient. Adam Pasaribu of Bird & Bird analyses the case.

On 18 February 2014, the Court of Appeals in ‘s-Hertogenbosch, the Netherlands, confirmed a decision by the local district court stating that the Rabobank had sufficiently warned a customer about phishing attempts by phone. This article provides a brief analysis of this decision.

The facts

The plaintiff, an assembly company, was phoned by a person falsely claiming to be an employee of Rabobank (the phisher). During the call, authorisation credentials were apparently provided by the plaintiff to the phisher. These credentials were subsequently used by the phisher to transfer monies, on 8 June 2010, from the bank account of the assembly company to one or more other bank accounts. The decision of the Court of Appeals does not state the date of the phone call, but taking into account the way in which the online banking environment of Rabobank works, the call must have taken place just prior to the irregular transfer(s).

The plaintiff sought damages from Rabobank, claiming that the local Rabobank did not sufficiently warn the plaintiff about phishing attempts made by phone. In an earlier stage of the court proceedings, the Court of Appeals allowed the plaintiff to demonstrate that the Rabobank did not warn against phishing attempts over the phone, by allowing the plaintiff to provide evidence through witness statements. In the underlying decision, the Court of Appeals considered the witness statements. Witnesses of the plaintiff state that when going to the online banking website of Rabobank, the website displays the online banking website of the local Rabobank. According to these witnesses, the local website did not display warnings from Rabobank Nederland. Some of the witnesses state that on the local website no warnings with regard to phishing attempts by phone were displayed. Other witnesses state that the local website did contain such warnings, but they were only displayed after 8 June 2010 (and therefore not before the date the irregular transactions took place). The local Rabobank countered these witness statements with statements by employees of Rabobank Nederland and with several emails. According to these statements, the online banking environment is provided by Rabobank Nederland.

Whenever a client logs into the online banking environment, the website automatically displays contact details of the associated local Rabobank, as well as warnings from Rabobank Nederland. The emails provided by the local Rabobank referred to specific phishing warnings that were published in the online banking environment on 7 May 2010 and 20 May 2010. Clients of Rabobank were warned with respect to phishing attempts made (inter alia) by phone.

The Court of Appeals found the evidence provided by Rabobank to carry more weight than the statements provided by the plaintiff. Ultimately, the Court of Appeals found that the plaintiff was sufficiently warned by (the local) Rabobank about phishing attempts by phone, either on 7 May 2010 or from 20 May 2010 onwards; at the very least, the plaintiff was warned prior to 8 June 2010, the day of the irregular transfers.

Brief analysis

All banks have a duty to warn their clients in general about phishing attempts and other types of fraud in relation to the (online) banking services they provide, and generally speaking, banks in the Netherlands do so. In November 2007, the Dutch Banking Association (the Nederlandse Vereniging van Banken) launched a campaign called 'knock three times.' In short, the campaign stresses that each bank client should ask three questions when making use of online banking: (1) is my computer safe to use? (i.e. is my virus scanner up-to-date and is my firewall working?), (2) is the website I visit really the website I want to access? and (3) are the bank statements I receive accurate? (i.e. are all listed transactions valid?).

In radio messages and TV ads references to phishing attempts in general were included, but no specific reference was made to phishing attempts made by phone. In the underlying decision, there is no discussion with regard to whether or not banks should warn their clients about phishing attempts in general. The legal issue at hand focuses on the question of whether or not Rabobank warned its clients specifically about phishing attempts made by phone. In this respect, we have to take a look at a specific characteristic of the way Rabobank operates.

With respect to the banks collectively known as Rabobank, the nature of the way the Rabobank group operates sometimes leads to confusion amongst its clients. Clients usually perceive all Rabobanks as one entity, while legally this is not the case. Each client is a client of a local Rabobank (for instance: Rabobank Amsterdam or Rabobank The Hague and surroundings). These local Rabobanks together have a subsidiary called Rabobank Nederland. This subsidiary provides (inter alia) all clients of the local Rabobanks with an online banking environment, which can be accessed through Whenever a client logs in with his or her credentials, the online banking environment of Rabobank Nederland displays certain details with respect to the local bank where the client holds one or several banking accounts (for instance a checking account and a saving account); at the top of the page, the name of the local Rabobank is mentioned. For a client, it looks like (s)he is routed to a local bank website, but in reality this is not the case. All messages in the online banking environment come from Rabobank Nederland. Whenever a client logs into the online banking environment, (s)he will be notified of new messages. This is done through a persistent window: the client will need to perform an action (i.e. a click on the relevant window button) in order to continue.

For the bank this is a way to ensure that the client has the opportunity to read security messages. Whether or not the client actually reads such messages does not seem to be relevant. As long as the message contains a specific warning, the bank is safe, so to say. The decision of the Court of Appeals states that in or around May 2010, Rabobank Nederland was alerted that phishing attempts were being made by phone.

Rabobank Nederland decided to warn all of its clients about such attempts, by issuing a warning in the online banking environment. Such a warning was either issued on 7 May or on 20 May 2010, in any event before the date the irregular transactions were made and therefore, the plaintiff was sufficiently warned. The reasoning applied here seems to be that the plaintiff must have been in a position to read such a warning (i.e. the plaintiff logged into the online banking environment somewhere between 7 May 2010 or 20 May 2010 and 8 June 2010); had the plaintiff not logged in within the said time frame, they would not have been in a position to read the warning as the warning was only distributed through the online banking environment. Nowadays, the situation is different.

On 2 December 2013 the Dutch Banking Association launched a campaign called 'bank safe.'1 In order to bank safely, five rules are promoted: (1) keep your security credentials safe, (2) do not let someone else use your debit or credit card, (3) keep your computer, tablet or mobile phone secure, (4) check your bank statements regularly and (5) report incidents immediately to your bank. This recent campaign also warns about phishing attempts, malware, social engineering, identity fraud, money mules and skimming. From a legal point of view, this means that in general, as banks refer to these five campaign rules on their respective websites, banks will be deemed to have sufficiently informed their clients about how to bank safely, both online and offline. As a consequence, it will be harder for a client to argue that he/she has not been sufficiently warned by his or her bank about any criminal activity, when he/she becomes a victim of criminal activity.

This article was published in the August issue of E-Finance & Payments Law & Policy.