July 9, 2025, 1:16 pm
A ruling by the Dresden Higher Regional Court is currently drawing attention. Despite gross negligence by a bank customer in a phishing scam, the savings bank must reimburse part of the damages. The reason: According to the court, the bank’s security measures were insufficient to prevent the attack.
After a phishing attack on a savings bank customer, the Dresden Higher Regional Court ruled that the bank must cover 20 percent of the resulting damages. Although the customer acted with gross negligence by revealing his login details and carelessly approving TAN authorizations, the savings bank also shares some blame for not implementing strong customer authentication during login, according to the ruling from May 5, 2025 (Case No. 8 U 1482/24).
Phishing Attack with Dramatic Consequences
The case centers on a savings bank customer who used the S-pushTAN procedure. Through a phishing email, fraudsters obtained his login details. In several phone calls, they convinced him in February of this year to approve an increase in his transfer limit and two payments totaling 49,421.44 euros in real time via the TAN app.
The customer testified in court that the S-pushTAN app did not display details of the transactions, such as the amounts or the recipient. He only received generic approval requests for “orders.” The Higher Regional Court found this statement unconvincing but noted the unusual situation of approvals during an ongoing phone call.
Court Recognizes Sparkasse Shares Blame
The court clearly classified the plaintiff’s behavior as grossly negligent. He entered his login details on a fake website and approved sensitive payments without sufficiently verifying the information. The ruling states: “Due to the numerous cases made known by various media in recent years, the understanding that customers are being prompted by fraudulent messages and calls from supposed bank employees to disclose online banking login details must be considered common knowledge.”
However, the court also acknowledged the savings bank’s shared responsibility. The judges criticized the lack of strong customer authentication during online login. This allowed sensitive data, such as birth dates or card numbers, to be accessed—information the fraudsters used to prepare the fraudulent transfers.
The absence of legally required “strong customer authentication” during online banking login clearly contributed to the perpetrators gaining access to online banking through a spear-phishing email, a fake website, and by reading the PIN.
There, again without requiring strong customer authentication, sensitive payment data as defined in Section 1, Paragraph 26 of the Payment Services Supervision Act (ZAG) was accessible (credit limit, daily limit, IBANs of the plaintiff’s various account numbers, account balance and transactions in debit and credit, plaintiff’s birth date and mobile number, etc.).
Excerpt from the ruling 8 U 1482/24
Security Gaps in Savings Bank’s pushTAN Procedure
The Dresden Higher Regional Court clarified that the savings bank’s pushTAN procedure can generally meet the requirements for strong authentication if adequate protective measures are implemented. In this specific case, however, additional authentication during login, such as a second factor like biometrics or device binding, was missing. This violated the bank’s regulatory obligations.
The ruling is not surprising. As early as 2023, another court addressed the security of the pushTAN procedure. At that time, the Heilbronn Regional Court ruled that “the so-called pushTAN procedure […] poses an increased risk potential,” particularly when the TAN and banking app are installed on the same device.

Sparkasse Must Reimburse Almost 10,000 Euros
Due to the aforementioned shared responsibility of the savings bank, the customer who lost his money was able to achieve partial success. The Dresden Higher Regional Court awarded him a compensation claim of 20 percent, which the savings bank must pay, amounting to 9,884.29 euros. The bank must also cover the customer’s pre-litigation attorney fees of 1,119.79 euros. The ruling is final, and an appeal was not permitted.