National Bank of Serbia tells banks they must reimburse fake SMS fraud victims and reports RSD 5.22m returned

The National Bank of Serbia notified banks whose customers were deceived by a fraudulent scheme using a fake SMS message purporting to be from a mobile operator that, under the Law on Payment Services, they are obliged to compensate users for losses exceeding RSD 3,000, applying gross negligence as the decisive liability criterion. Following the notification, 11 banks reimbursed 124 beneficiaries, returning RSD 5,223,413.02 in total. In the cases assessed, users were treated as having acted with simple negligence when they entered a one-time password for internet payments on a fake website, largely because the link was received from a phone number previously used for genuine operator notifications; by contrast, the National Bank of Serbia indicated that losses typically fall entirely on users where conduct is deemed extremely negligent, such as sharing card details in response to messages from unknown numbers or with unknown individuals. It also noted that its approach is more favourable to fraud victims than the practice described for most European Union countries, where careless sharing of card data is often treated as extreme negligence. The central bank reiterated consumer guidance to scrutinise payment invitations received via SMS, calls or email, verify the sender and URL, compare any suspicious site with the provider’s official site opened via a browser, and confirm purported reward campaigns via customer service, noting that victims will not always be compensated.