Chuu Valverde França Advogados
← Insights

Civil & Consumer Law · July 2026

The fake call-center scam: when the bank is liable (and when it is not)

Brazil's Superior Court of Justice (STJ) has clarified when banks are liable in the fake call-center scam. Liability is not automatic: it depends on whether the bank failed to detect transactions outside the customer's profile. Understand the test and what it means for institutions and consumers.

You get a call from your bank's "customer service." The person on the line knows your name, confirms your details and speaks with the confidence of someone who works there. Minutes later, the money is gone. When the scam is this one, does the bank have to refund it? Brazil's Superior Court of Justice (STJ) has made the answer clearer, and it is: it depends.

The general rule: the bank is liable for internal fortuitous events

The starting point is well established. Under STJ Precedent (Súmula) 479, financial institutions are strictly liable for damages arising from an internal fortuitous event related to fraud and offenses committed by third parties within banking operations. In other words, the risk of third-party fraud in the banking environment is, as a rule, borne by the bank itself.

The turn in the fake call-center scam: no automatic liability

In the fake call-center scam, however, the STJ's Third Panel has held that there is no automatic liability. Here there is a distinct element: social engineering. It is often the consumer, misled into error, who provides data, confirms codes or carries out operations. For that reason, holding the institution liable comes to depend on proof of a defect in the service provided.

The decisive test: the customer's profile and the detection of atypical transactions

What sets one case apart from another is not the scam itself, but whether the bank could have perceived that the operation departed from that customer's normal behavior. Recent case law organizes the matter into two scenarios:

  • If the transactions were compatible with the customer's profile and history, and there was no failure by the bank, the exclusive fault of the victim (and of the third party) is recognized, and there is no duty to indemnify.
  • If there were transactions outside that customer's pattern, which the anti-fraud system should have identified and blocked, a defect in the service is established, and the duty to indemnify arises.

The system for detecting atypical operations, therefore, is no longer a mere differentiator: it has become the very center of the liability discussion.

The Consumer Code's exclusion and the victim's exclusive fault

This design fits the Consumer Defense Code (CDC) itself. The supplier is strictly liable for defects in the service (Article 14), but liability is excluded when the damage results from the exclusive fault of the consumer or of a third party (Article 14, § 3, II). In the fake call-center scam, where there is no defect in the banking service and the fraud stems from the scammer's action upon the victim, it is this exclusion that applies.

A reasoning that goes beyond the fake call center

The logic does not stop at this specific scam. The same reasoning tends to apply to most other bank scams built on social engineering: the analysis shifts from the label of the scam to whether or not there was a concrete failure by the bank to detect what departed from the customer's usual behavior.

Two practical readings

  • For financial institutions, the message is direct: investing in systems capable of identifying and blocking operations incompatible with the customer's profile is not merely good security practice; it is the core of the defense itself in any liability dispute.
  • For consumers, distrust is the first line of defense. Not every scam gives rise to a right to compensation, and protection begins before the loss. The old maxim holds: anything that seems too good to be true usually is a lie.

How the firm works

Assessing the civil liability of financial institutions and handling consumer disputes, both in preventive guidance and in court defense, are part of the firm's civil and consumer law practice. Each case, however, depends on its own circumstances — the facts, the documents and the way the operations were carried out and monitored.

Conclusion

The STJ gave neither side a blank check. It set aside the bank's automatic liability but preserved the duty to indemnify where there is a real failure to detect atypical operations. For institutions, the message is to invest in intelligent prevention; for consumers, to keep distrust as a first defense. In the end, the deciding question remains the same: could the bank have perceived that this departed from the normal?

Reference basis for review

  • STJ Precedent (Súmula) 479, on the strict liability of financial institutions for internal fortuitous events.
  • Consumer Defense Code (CDC), Article 14 and Article 14, § 3, II (defect in the service and exclusion for the exclusive fault of the consumer or of a third party).
  • Recent case law of the STJ's Third Panel on the fake call-center scam, which sets aside automatic liability and conditions it on proof of a defect in the service.
  • Brazilian Bar Association Rule (Provimento OAB No. 205/2021), to preserve the informational nature of the content.

Content of a merely informational nature. It does not constitute legal advice, an offer of services or a promise of results. Any concrete analysis depends on the facts, the documents and the context of each case.