Phishing victims who ask their bank for a refund often get nowhere: the bank invokes ‘gross negligence’ because the customer passed on the codes themselves. A ruling by the Antwerp Court of Appeal of 3 September 2025 calls this practice into question. The court held that even where the customer passed on codes, the bank remains liable if its own security systems failed.
The facts: a sophisticated trap
In this case, an account holder fell victim to a sophisticated form of ‘bank help desk fraud’. The facts played out as follows:
- The initial e-mail: The customer received an e-mail that appeared to come from his bank (Argenta) about the replacement of his card reader. The e-mail was written in flawless Dutch and did not arouse suspicion.
- The phone call: After entering some basic information (without codes), the man received a call from a scammer posing as an employee of the fraud service. The scammer reported that a suspicious transaction of 20,000 euros had been observed and that quick action was needed.
- The manipulation: The fraudster knew specific details, such as the name of the victim's office manager, which inspired a great deal of confidence. Under the fraudster's guidance, the victim performed actions with his card reader, believing he was stopping the fraud.
- The theft: In reality, the fraudsters were meanwhile installing the banking app on their own device and transferred 23,150 euros to their account.
Argenta initially refused any refund, arguing that the transaction was ‘authorized’ and that the customer had been grossly negligent.
The decision: bank must repay in full
However, the Antwerp Court of Appeal ruled in favor of the victim:
- No authorized transaction: Although the codes were generated with the customer's card reader, the customer had never agreed to pay the fraudster. Indeed, he thought he was taking actions to secure his account. The fact that codes were used is not in itself evidence of consent.
- No gross negligence: The court ruled that the customer was not grossly negligent, given the fraudsters' sophisticated approach (including perfect Dutch, knowledge of bank details).
- Bank failure: A decisive element was that the fraudsters had installed the banking app on a new, unknown device. The bank had failed to warn the customer about this (by text message or e-mail), which the Court said pointed to a “serious failure of the bank's IT system and fraud detection system”.
The bank was ordered to repay the full amount, plus interest.
Legal analysis and interpretation
This ruling contains important nuances about the application of Book VII of the Code of Economic Law (CEL).
Burden of proof in ‘permitted’ transactions
According to Article VII.32 CEL, a payer must consent to a transaction. Banks often argue that use of the card reader and PIN (‘authentication’) is equivalent to consent. The Court rejects this automatic equivalence. Article VII.42 §2 CEL explicitly provides that the recorded use of a payment instrument does not necessarily prove that the payer authorized the transaction. Once the customer makes it plausible that he was misled, the burden of proof shifts to the bank.
The bar for gross negligence
Article VII.44 CEL provides that the customer bears the loss in cases of ‘gross negligence’. Here, however, the Court confirms the strict interpretation of this term: gross negligence presupposes ‘conduct that shows a considerable degree of imprudence’ and that is ‘not comprehensible to a reasonable person’. In this case, the Court held that a normally prudent person could be misled in the circumstances (stress, a persuasive ‘bank employee’, correct contextual information). It is up to the bank to prove gross negligence, and the mere fact of phishing does not suffice as evidence.
The bank's general duty of care
Legally, the most interesting part of the ruling is its treatment of the bank's duty of care. The Court found that the bank had failed in its contractual and legal security obligations. The fact that the app could be installed on an unknown device (from a foreign IP address) without any warning to the customer was held against the bank as a fault of its own. This opens the door to bank liability even in borderline cases of customer negligence.
What this specifically means
This ruling has direct implications for several parties:
- For victims: Has your bank denied a refund after phishing? Don't accept this lightly. Especially if you were not warned about installing a banking app on a new device, you are in a strong legal position. Even if you passed on codes, refunds are possible if the manipulation was sophisticated.
- For banks: The focus is shifting from “customer error” to “bank systems.” Banks need to tighten their fraud detection. If a system allows a new app to be linked without explicit notification to the account holder (e.g., via text message to the registered number), liability is imminent.
- For evidence: As a victim, it is crucial to gather as much evidence as possible (screenshots, phone logs). In this case, the court also held that the victim's deletion of the phishing e-mail was not fatal to the claim, as long as the account of events is credible.
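As an added illustration (not part of the article, the ruling, or any bank's actual system), the following Python sketches the control the Court found missing in the bank failure point above and in the advice to banks: every enrollment of a new app instance is announced to the registered number, and an unconfirmed device is held back from immediate or large transfers until the holder confirms it from a device that is already trusted. The policy values (24-hour cooling period, 1,000 EUR limit), the country codes, the device names and the timeline are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy parameters (assumptions for this example, not from the
# ruling): an unconfirmed device may not send transfers during the cooling
# period, and never above the limit.
NEW_DEVICE_COOLING_PERIOD = timedelta(hours=24)
NEW_DEVICE_TRANSFER_LIMIT_EUR = 1000


@dataclass
class Enrollment:
    device_id: str
    enrolled_at: datetime
    ip_country: str
    confirmed: bool = False  # confirmed by the holder from a trusted device


@dataclass
class Account:
    holder: str
    home_country: str
    phone: str  # registered number for out-of-band notifications
    devices: dict = field(default_factory=dict)  # device_id -> Enrollment


def enroll_device(account, device_id, ip_country, now, outbox):
    """Link a banking-app instance to the account.

    An unknown device is always recorded as unconfirmed and the holder is
    notified out-of-band; `outbox` stands in for an SMS/e-mail gateway.
    Returns the decision taken.
    """
    if device_id in account.devices:
        return "known-device"
    account.devices[device_id] = Enrollment(device_id, now, ip_country)
    reasons = ["new device linked"]
    if ip_country != account.home_country:
        reasons.append(f"enrolled from {ip_country}, home is {account.home_country}")
    outbox.append({"to": account.phone, "event": "new_device",
                   "device": device_id, "reasons": reasons})
    return "enrolled-unconfirmed"


def confirm_device(account, device_id, via_device_id):
    """Holder confirms a new device from a device that is already confirmed."""
    trusted = account.devices.get(via_device_id)
    target = account.devices.get(device_id)
    if trusted is None or not trusted.confirmed or target is None:
        return False
    target.confirmed = True
    return True


def screen_transfer(account, device_id, amount_eur, now):
    """Decide 'allow', 'hold' or 'reject' for a transfer started on a device."""
    enrollment = account.devices.get(device_id)
    if enrollment is None:
        return "reject", ["device not enrolled"]
    if enrollment.confirmed:
        return "allow", []
    reasons = []
    age = now - enrollment.enrolled_at
    if age < NEW_DEVICE_COOLING_PERIOD:
        reasons.append(f"unconfirmed device enrolled {age} ago")
    if amount_eur > NEW_DEVICE_TRANSFER_LIMIT_EUR:
        reasons.append(f"{amount_eur} EUR exceeds new-device limit")
    if enrollment.ip_country != account.home_country:
        reasons.append(f"unconfirmed device enrolled from {enrollment.ip_country}")
    return ("hold", reasons) if reasons else ("allow", [])


def replay_case():
    """Constructed timeline mirroring the article's facts: the holder's own
    phone is trusted; a second device is enrolled from abroad and, minutes
    later, tries to move 23,150 EUR. Returns (decision, reasons, outbox)."""
    account = Account("victim", "BE", "+32-registered-number")
    outbox = []
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed date, not the real one
    # Trusted device, assumed set up when the account was opened.
    account.devices["holder-phone"] = Enrollment("holder-phone", t0, "BE", confirmed=True)
    # Fraudster links the app from a foreign address ("NL" is a constructed value).
    enroll_device(account, "fraud-phone", "NL", t0 + timedelta(minutes=30), outbox)
    decision, reasons = screen_transfer(account, "fraud-phone", 23150,
                                        t0 + timedelta(minutes=45))
    return decision, reasons, outbox


if __name__ == "__main__":
    decision, reasons, outbox = replay_case()
    print(decision, reasons)
    print(outbox)
```

The point of the sketch is the two-sided check: the notification goes out regardless of what the transfer screening decides, so the holder learns about the unknown device even if the fraudster waits out the cooling period, and the screening never trusts a device merely because valid card-reader codes were used to enroll it.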
FAQ: Frequently Asked Questions
Is passing codes over the phone always ‘gross negligence’?
No, not by definition. The court looks at the specific circumstances. If the fraudsters acted very professionally and pressured you (for example, by claiming they were stopping fraud), the court often rules that there was no gross negligence.
Who is to prove that I was careless?
The burden of proof is on the bank. The bank must prove that you were grossly negligent. The mere fact that your codes were used is insufficient evidence under the law to prove negligence.
My bank and Ombudsfin have rejected my complaint. Is there anything more I can do?
Yes. In the case discussed, Ombudsfin had ruled against the client. An Ombudsfin opinion is not binding. The court, after a thorough analysis of the facts and logs, may come to a very different opinion.
Conclusion
The fight against phishing in Belgium is not only a technological battle, but also a legal one. This ruling by the Antwerp Court of Appeal is an important victory for consumers. It confirms that banks carry a heavy responsibility to make their systems watertight and to detect anomalies (such as new device registrations). Your ‘mistake’ of falling for the trap is often outweighed by the failure of the bank's own security.