The bank must reimburse the customer who is the victim of sophisticated scams
A new position from the Milan college of the Abf
When a computer fraud is sufficiently sophisticated, the customer may be partially compensated by the bank, even though he entered the data into the system himself at the fraudsters' request. This is what emerges from decision no. 10672 of 5 December 2025 of the Arbitro Bancario Finanziario (College of Milan), concerning a sophisticated computer fraud. It is an emblematic case of fraud carried out through 'vishing' and 'caller ID spoofing', a technique that allows criminals to falsify the calling telephone number so that it appears identical to the intermediary's official number, thus misleading the victim. The case involved the legal representative of a company who, alarmed by a fake text message about an alleged abnormal access, spent a good four hours on the phone with a self-styled bank operator who induced him to arrange six instant credit transfers.
Lawyer Letizia Vescovini points out that the Abf's decision rests on two levels of analysis. First, since the client had personally entered the codes, he had given his technical consent, albeit one vitiated by deception. With that point established, the analysis then shifted to the general principles of contractual liability and professional diligence, leading the Abf to find contributory fault on both sides. According to the lawyer, the Arbitrator identifies the bank's fault in the 'failure to adopt adequate security measures to detect and prevent anomalous transactions'. In practice, the banking system should have intercepted the obvious deviations from the client's normal profile, such as the absence of previous instant transfers, the previously unused recipients and the large amount moved in rapid succession, elements that the lawyer frames as part of the business risk that a 'prudent banker' must prevent. However, the ruling also recognises the client's negligence: cooperating for four hours and providing codes in an abnormal situation constitutes 'culpable credulity', which is why the bank was ordered to pay only one third of the damages.
Turning to the broader case law on the merits and on points of law, lawyer Vescovini observes: "The risk of computer fraud is fully part of the professional risk of the intermediary, who is obliged to guarantee very high security standards and to reimburse damages unless there is proof of the user's malice or serious negligence. If in the presence of coarse fraud (with grammatical errors or suspicious links) the customer's carelessness constitutes gross negligence sufficient to exonerate the bank, the scenario changes in the face of highly sophisticated scams. Hence, in the face of techniques such as spoofing or man-in-the-middle attacks, the victim's conduct, even if conducive to the event, does not integrate the extremes of gross negligence."


