Can I sue my bank if I am a victim of phishing?

In a recent judgment dated February 18, 2025, the French-speaking court of first instance in Brussels ruled on a case of phishing and resulting liability. The case involved a customer who fell victim to a sophisticated phishing attack in which fraudsters posed as Microsoft employees. According to the court, ING bank was not liable.

Facts of the case

In July 2023, the victim received an alert message, supposedly from Microsoft, asking him to contact a given phone number. On the phone, he was informed that he was the victim of fraudulent transactions on his account and that an "IT engineer" and an "operator" would take control of his computer.

The victim complied with instructions, including:

  • Allowing remote access to his computer through the AnyDesk application
  • Entering codes through his itsme app
  • Providing "a host of figures" that would supposedly block fraud

The next day, the realization dawned on him that he had become a victim of fraud. However, by that time, several transactions had already been carried out through his current account and credit card, with a total amount stolen of €12,458. The victim decided to initiate legal proceedings against ING to obtain repayment of the misappropriated amounts.

Key points of the judgment

Legal framework

The court based its analysis on the Code of Economic Law, specifically Book VII which deals with payment services. This distinguishes between "authorized" and "unauthorized" payment transactions. The bank is obliged to refund the misappropriated amounts if there is an unauthorized payment transaction AND the customer was not grossly negligent.

Read more about the liability regime regarding unauthorized payment transactions in Belgium here.

1. Authorized payment transaction

The court clarified that a payment operation is considered "authorized" when the payer has given his consent to the execution of the payment order, according to the agreed procedure between the parties.

According to the court, it must be an objective, explicit and/or "technical" consent and thus not a (subjective) consent as referred to in Articles 5.33 et seq. of the Civil Code.

The court emphasizes that the payer's actual intent regarding the identity of the payee is thus irrelevant. Compliance with the agreed payment procedure is sufficient for a payment to be considered "authorized."

The court concluded that the disputed banking operations had been authorized by the victim himself, as he had used his card and secret code and, in accordance with the card's terms of use, had validly authenticated the payment operations through itsme and given his consent to the disputed operations.

2. Gross negligence

In the alternative, the court pointed out that the victim was guilty of gross negligence within the meaning of Article VII.44, §1, paragraph 4 of the Code of Economic Law. In any event, if the customer has been grossly negligent, a bank is not obliged to proceed with repayment.

The court defined gross negligence as "an unreasonable behavior that a normally prudent and careful person, placed in the same circumstances, would never have exhibited."

In this case, there were several elements that should have alerted the plaintiff:

  • He had no evidence that his interlocutor was actually a Microsoft employee
  • Microsoft does not access banking data of ING customers
  • He allowed an unknown third party to access his computer through AnyDesk
  • He gave access codes orally over the phone

Conclusion and practical implications

This ruling confirms a line of case law holding that, in phishing scams, negligence should be assessed from an objective standpoint, that of a normally prudent and diligent payer in an identical situation, without taking into account how the account holder himself experienced the situation.

It highlights the importance of vigilance in online banking and following the security guidelines of financial institutions.

Joris Deene

Attorney-partner at Everest Attorneys
