Skip to content

The Italian Supreme Court on the consequences of phishing on online bank access codes

The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

The Italian Supreme Court on the consequences of phishing on online bank access codes

In its March 13, 2023, No. 7214 decision, the Italian Supreme Court ruled conclusively on a banking dispute that involved a financial institution and some of its account holders regarding liability for abusive access to a bank account by unauthorized third parties resulting in the unlawful withdrawal of funds.


A couple of bank account holders unexpectedly find a charge of €6,000 on their bank account that they do not recognize as a banking transaction made by them electronically. Therefore, they requested the financial institution to arrange for the corresponding amount to be credited back to their account as they disavow the transaction charged to them.

Previous degrees of judgment

In first instance, the Court of Palermo agrees with the account holders on the fact that the institution failed to take “all security measures technically appropriate to prevent damages such as those that occurred to the plaintiffs.”
On appeal, the decision is overturned because the trial record shows that the institution instead adopted “a security system such as to prevent access to the account holder’s personal data by third parties“, as corroborated by the certification issued by a third party body regarding compliance with the international standard BS 7799 (later merged into ISO/IEC 27001), precisely regarding best practices in information security management.

The appellate judges come to the conclusion that, given the adequacy of the security measures adopted by the institution, the telematic operation carried out for the transfer of the sum of € 6,000 to another bank account in the name of a third party “can only have taken place with the use of the personal identification codes of I, which, in turn, leads to the belief that, most likely, the same has been the victim of one of the increasingly frequent computer scams, as a result of which the appellant has been induced to provide “online” his personal codes (user id, password, pin), then used by the fraudster (so-called hacker) for the accomplishment of the fraudulent transaction.”

In addition, in the information sheet provided to the account holders at the opening of the account “it is specified that “the customer is responsible for the safekeeping and proper use of the user ID, password, activation code, secret device code and access key to the service and that the lack of precautions by the holder in keeping the aforementioned codes secret may result in the risk of illicit access to the service and fraudulent operations by third parties” furthermore, the institution on its website and in an easily readable location had warned its users of the dangers of scams – particularly phishing – through which third parties carry out attempts to obtain personal access codes by artifice and deception.