Call for banks to reimburse phishing scam victims
A local cybersecurity firm is calling on Bermuda to require banks to reimburse clients who have fallen victim to phishing scams, following the example of new European Union regulations.
The EU’s Payment Services Regulation and Directive is expected to be finalised this year, aiming to strengthen fraud protection, improve consumer rights and increase transparency.
The new rules say that if a fraudster impersonates a bank employee, known as spoofing, the payment service provider is liable for the full amount.
Banks must offer immediate refunds for unauthorised transactions, even if they suspect user error, and must use mandatory name-matching to prevent fraud.
In the last three months alone, Fernando de Deus’s firm Ingine has worked with two families who have lost hundreds of thousands of dollars to phishing scams and received zero dollars in compensation from their banks.
“I’m sure there must be a lot more people out there like this family,” Mr de Deus said. “Going through something like this is a life-changing event. Victims often do not want to talk to others about it, because they feel ashamed.”
In one fraud case he dealt with, a business owner fell victim to an invoice scam and paid a fake $80,000 invoice via wire transfer.
“Within five minutes, our client thought, oh, this seems a little bit suspicious,” said Henryk Marszalek, Ingine’s chief information security officer. “They phoned up the vendor to say, I have just received an invoice from you for such and such amount. Is this legitimate?”
When the vendor said no, the victim immediately phoned his bank and reported the transaction as fraudulent.
The bank said the payment was instant and there was nothing they could do.
The bank justified its lack of action by saying the activity fit the client’s profile, even though the payment was to a new jurisdiction and beneficiary with no prior history.
Only months later did the bank mention there was an optional “workflow” feature that involved dual authorisation that could have reduced the risk.
“During our last communication it was commented that there were other options that the client could put on his account, so that if you put a payment through there was essentially a second pair of eyes to look at it,” Mr de Deus said.
“If that option is available, why don’t they mention that to everybody when they open their account? Even I did not know about that.”
Mr de Deus also told the story of a local family who became embroiled in a long-running social-engineering scam after someone called them claiming to be from the bank.
They were told that someone else in their bank was suspected of defrauding them.
They were warned that if they went directly to the bank about it, their lives would be in danger. To “fix” the problem, the scammers wanted to set up another account and transfer some of the family’s money to it, supposedly to catch the fraudster in the act.
The real bad actors kept calling and transferring more and more of the family’s money. To add legitimacy to the situation, people claiming to be from the Bermuda Police Service also called them, seemingly using the BPS’s telephone number.
Despite several large transactions over the next few months, their bank triggered no fraud alert until the family had lost so much money that their client status was downgraded.
In the end, they lost more than $300,000. The bank refused to refund them a penny.
Mr de Deus thought that Bermuda’s banks rely too much on sending generic awareness e-mails and not enough on real safety measures.
He insisted he is in no way against local banks, but thought that requiring banks to reimburse victims would be an incentive for them to put up more guardrails.
“From an EU perspective, if there is proof that shows I have been defrauded, there has to be some type of responsibility on the institution,” he said. “They are supposed to protect the customer.”
To prevent fraud, Mr de Deus recommends businesses use dual authorisation for business payments.
He also stresses that people should see secrecy requests as a red flag.
“If you receive an e-mail from, supposedly, the bank, saying, ‘don’t tell anyone,’ then that is a concern,” he said.
