Phishing and bank fraud: is logging into a fake website ‘gross negligence’?

Have you been the victim of online bank fraud or phishing and your bank refuses to compensate you for the damage because you “entered your codes yourself”? A judgement by the Justice of the Peace in Antwerp of 15 April 2025 confirms that the bank cannot simply refuse. Even if the bank card and card reader were used to log in, the bank must prove that there was ‘gross negligence’ in order to avoid reimbursement.

The facts: a classic case of phishing?

In a case brought before the Justice of the Peace of the second district in Antwerp, the dispute concerned a customer who had been the victim of fraud. The woman in question attempted to log in to her bank's website via her computer. However, she was unable to do so. Shortly afterwards, she received a phone call from someone claiming to be an employee of the fraud department, who offered to take control of her computer. The woman became suspicious, ended the call, and had her card blocked via Card Stop.

But the damage had already been done: via the app on her phone, she saw that two payments of €1,000 had been made to PayPal in Singapore.

The bank (Crelan, formerly Axa Bank) refused to refund the €2,000. Its argument was twofold:

1. The payments were technically executed correctly using the card's chip and PIN code, which, according to the bank, indicated the customer's consent.
2. The bank accused the customer of gross negligence because she had presumably ended up on a fake website via a search engine and entered her details there.

The decision of the justice of the peace

The Justice of the Peace did not follow the bank's reasoning and ordered the financial institution to repay the full amount of the damages.

The judge ruled first of all that the mere fact that a payment has been correctly registered (with chip and PIN code) does not automatically prove that the customer has also given consent for that specific transaction. After all, the customer had immediately disputed that she wanted to make these payments and had taken immediate action (calling Card Stop, filing a complaint).

In addition, the court ruled that the bank had failed to meet its burden of proof with regard to gross negligence. The bank claimed that the customer must have ended up on a fake website, but was unable to prove this. Furthermore, the bank had failed to request the customer's browser data in a timely manner (within a month), resulting in the loss of potential evidence. Without proof that the website was “so clearly fake that logging in to it constitutes gross negligence,” the damage cannot be recovered from the customer.

Legal analysis and interpretation

This ruling touches on the core of payment transactions in the digital age: the balance between ease of use and security, regulated in Book VII of the Code of Economic Law (CEL).

Authentication is not authorization

A crucial distinction that must be made is that between authentication and authorization (permission). Article VII.42, § 2 CEL explicitly states that the use of a payment instrument (such as a bank card with a PIN code) is not in itself sufficient to prove that the payer has authorized the transaction. A transaction can be technically perfectly authenticated (via 3D Secure), while the customer's consent is lacking. If a fraudster intercepts the codes (e.g., via a fake website) and uses them immediately, this constitutes an unauthorized payment transaction.

The burden of proof for gross negligence

If it is established that the payment was not authorized, the bank must compensate for the damage, unless the customer acted fraudulently or showed gross negligence (Art. VII.44 CEL). The threshold for gross negligence is high. It is assessed in abstracto: would a normally cautious and reasonable person in the same circumstances also have fallen into the trap? The judgment of the Justice of the Peace in Antwerp emphasizes that the burden of proof for this lies entirely with the bank. The mere presumption that a customer was careless is not sufficient. The bank must demonstrate specifically that the customer behaved recklessly, for example by logging into a website that was clearly amateurish or fake.

Specifically, what does this mean for you?

For victims of fraud

• Immediately contested: If the bank refuses to refund you because you used your card reader, do not simply accept this. Technical use of the card does not equate to legal consent for fraud.
• Keep evidence: Take screenshots of your call history and browser history. In the case discussed, the bank lost the argument partly because they requested this information too late, but as a customer, you are in a stronger position if you keep this information yourself.
• Reporting requirement: Notify Card Stop and your bank immediately. A quick response is a strong indication that you did not authorize the transactions.

For banking institutions

• Duty to investigate: The standard response that “the PIN code was used” is not sufficient. An active search must be conducted for evidence of gross negligence or fraud.
• Speed is essential: If, as a bank, you want to prove that a customer visited a clearly fake website, you must immediately secure or request the technical log data (URLs, browser history).

Frequently asked questions (FAQ)

Is logging in via a link in an email or search engine always considered ‘gross negligence’?
No, not automatically. The bank must prove that the fake website was so amateurish or suspicious that a normally cautious person should have noticed this immediately. If the fake website is a perfect copy of the real bank website, there is usually no gross negligence.

The bank says that I gave ‘consent’ because I used my card reader. Is this correct?
Not legally necessary. The Code of Economic Law makes a distinction. You can enter your codes to log in (authentication), but that does not mean that you give permission for a transfer to an unknown account (authorization). If fraudsters intercept your codes, the transaction is ‘unauthorized’ and the bank is in principle liable.

Who has to prove that I was careless?
The burden of proof lies entirely with the bank. As long as the bank cannot prove that you were grossly negligent or committed fraud yourself, the bank must refund the unauthorized transactions.

Conclusion

The fight against phishing is complex, but case law is increasingly protecting consumers against the heavy burden of proof that banks often impose. The ruling by the Justice of the Peace in Antwerp confirms that a bank cannot simply wash its hands of responsibility by referring to the use of the card reader. Without hard evidence of gross negligence, the bank in Belgium remains liable for the loss.