Judgment of the 3rd Panel of the STJ reignites debate on bank scams, fake customer service center, and limits of bank liability when criminals use calls, personal data, and transfers made by the victim themselves to complete financial frauds.
The 3rd Panel of the Superior Court of Justice upheld, on Tuesday (16), the decision that removed the responsibility of a bank for the loss suffered by a client victim of the fake customer service center scam.
Reported by Minister Humberto Martins, the case reached the STJ through REsp 2.209.868, after the account holder tried to hold the financial institution responsible for the losses resulting from the fraud.
The decision, however, does not create an automatic rule to prevent compensations against banks like Caixa, Banco do Brasil, Itaú, Bradesco, Santander, Nubank, or other financial institutions.
-
Using plastic from just 6 ocean-recovered bottles, a 25-year-old engineer creates a bionic prosthetic in 24 hours in a country where 95% of amputees have never had access to a new leg.
-
Scientists Discover Monkey Laughter Resembles Human Laughter from 15 Million Years Ago, Investigating Links to Language Origins
-
Brazilian Artisan Transforms Forest Waste into $400 Necklaces Sold at MASP and Exported to London
-
Retired Engineer Transforms Boeing 727 into a 99 m² Home in the Brazilian Forest
In the judgment, the decisive point was the absence of a link between the bank’s conduct and the loss claimed by the client, according to the analysis made by the previous instances.
According to the process, the account holder received a call from an 0800 number, made by a person who introduced themselves as an employee of the financial institution.
During the conversation, the client provided personal data and was told by the scammers that there was a supposed suspicious movement in her bank account.
Then, the criminals convinced the woman to withdraw money and transfer the amounts to another institution, under the false justification of protection against fraud.
The plaintiff argued that the bank should be liable for the loss because the scammers used personal information to give the appearance of legitimacy to the fake service.
STJ analyzed the link between the bank and the fake customer service scam
Before the case reached the STJ, the São Paulo Court of Justice had already rejected the claim for compensation for material and moral damages.
For the São Paulo court, there was no demonstration of failure in the provision of banking services, but exclusive fault of the plaintiff and third parties, which broke the causal link.
When examining the special appeal, Humberto Martins highlighted that changing this conclusion would require a new analysis of facts and evidence already evaluated by the ordinary instances.
This type of review is not allowed by the STJ in a special appeal, according to Summary 7, which prevents the re-discussion of the evidentiary set of the process.
Unanimously, the 3rd Panel followed the rapporteur and upheld the decision that dismissed the indemnity action filed by the account holder.
As a result, the client was unable to transfer civil liability to the bank for the scam perpetrated by individuals unrelated to the financial institution.
The plaintiff sought compensation for material and moral damages in the amount of R$ 41,000, alleging a failure in the protection of banking secrecy.
However, in the assessment of the court of origin, the operations were carried out by the consumer herself after being approached by the fraudsters, without sufficient proof of a defect in the banking service.
When the bank can be held liable for banking fraud
The understanding adopted in this judgment does not rule out the responsibility of financial institutions in all cases of fraud against clients.
In October 2025, the 3rd Panel itself decided that banks and payment institutions must compensate consumers when security failures enable social engineering scams.
In that case, the STJ stated that liability may occur when there is a failure in data protection or in identifying suspicious transactions.
It was also highlighted that banking systems must detect transactions outside the client’s usual profile, considering value, time, location, interval between operations, and the means used.
The difference between the judgments lies in the set of evidence presented in each case, especially in demonstrating the bank’s failure during the execution of operations.
When the institution validates atypical transactions, allows an unusual sequence of transactions, or fails to identify clear signs of fraud, the Judiciary may recognize a defect in the service provision.
In such situations, the consequence may be compensation to the consumer, provided that the damage is linked to banking activity and the failures pointed out in the process.
Conversely, when the fraud results solely from the actions of third parties and the conduct of the victim herself, without proof of banking failure, the tendency is to dismiss the duty to compensate.
This was the interpretation adopted by the TJ-SP and upheld by the STJ in REsp 2.209.868, given the specific circumstances of the case analyzed.
Súmula 479 and the responsibility of financial institutions
The STJ’s Summary 479 states that financial institutions are objectively liable for damages caused by internal fortuitous events related to fraud and crimes committed by third parties in banking operations.
This statement frequently appears in cases about scams, digital fraud, and improper transactions, especially when the consumer points out a defect in the service’s security.
In the case of the fake 0800 central now analyzed, however, the court of origin dismissed the application of this summary when examining the evidence of the case.
The assessment was that the transactions made by the plaintiff did not constitute an internal fortuitous event, as they were not considered inherent to the banking services provided by the institution.
This distinction is relevant because objective responsibility does not turn the bank into a universal guarantor of any damage caused by fraudsters.
Even in consumer relations, the duty to compensate depends on the existence of a defect in the service or a connection between the banking activity and the damage suffered.
The Consumer Defense Code, applied to financial institutions according to STJ jurisprudence, allows for the exclusion of liability when there is exclusive fault of the consumer or a third party.
Based on this logic, the dismissal of the request was upheld, as the previous instances did not identify sufficient bank failure to hold the institution accountable.
Fake central scam requires case-by-case analysis
The fake central scam usually involves calls, messages, or numbers that simulate official service channels, often with language similar to that used by banks.
In these approaches, criminals pose as attendants, mention supposed purchases or suspicious transactions, and induce the client to provide data, access apps, make transfers, or withdraw money.
Despite the similarity between the frauds, the judicial outcome may change depending on the evidence gathered and the way the operations were executed.
Out-of-pattern transactions, atypically contracted loans, authentication failures, absence of preventive blocking, or misuse of confidential data can alter the analysis of responsibility.
In the judgment reported by Humberto Martins, the 3rd Panel did not reopen the discussion on how the transfers occurred, as this would require reevaluating evidence.
The panel limited itself to applying the procedural restriction of Summary 7 and upheld the conclusion of the TJ-SP on the exclusive fault of the client and third parties.
The decision reinforces that victims of bank fraud need to demonstrate, in addition to the loss, the involvement of the banking service in the occurrence of the damage.
Without this link, the compensation claim may be rejected, even if the scam used the appearance of official service and an 0800 number to convince the victim.
