Are you dealing with money that disappeared from your account due to phishing or bank fraud? In many cases, the bank refuses repayment by citing ‘gross negligence’. A judgment of the Dutch-speaking Enterprise Court in Brussels of May 15, 2025, however, confirms that the bank cannot simply invoke this: without hard evidence of your recklessness, the bank must compensate the loss.
The facts: an invisible installation of the banking app
In this case, two account holders discover on the morning of March 1, 2024 that their joint current account was looted overnight. Several transfers totaling €10,373.98 took place, including to accounts of web shops and foreign beneficiaries.
The victims reacted immediately: they blocked their cards, notified the bank and reported it to the police.
The bank refused any reimbursement. In fact, their internal investigation revealed the following scenario:
- Installation on Feb. 9: Three weeks before the fraud, on Feb. 9, the banking application had been installed on an iPhone belonging to the fraudster.
- Strong Authentication: According to the bank, this installation was only possible through ‘strong client authentication’ (SCA). This requires physical possession of the bank card, card reader and secret PIN.
- The texting issue: The bank claimed that a text message containing an activation code (OTP) was sent to the customer during installation. According to the bank, the fact that the app was successfully activated proved that the customer must have passed this code to the scammer.
The bank concluded from this that the customers had passed on their personal codes and bank card information to third parties, amounting to gross negligence. The victims formally disputed this: they had not shared codes and had never received an activation text message.
The decision: bank fails in burden of proof
The court ruled in favor of the victims and ordered the bank to repay the stolen amounts, plus interest and court fees.
The judge ruled that the bank did not meet the burden of proof. The fact that the app was installed on a fraudster's device does not in itself prove that the customer authorized it or shared codes. The bank was able to prove with log files that there was a ‘request’ for activation, but not that the crucial text message containing the OTP (One Time Password) code had actually been handed to the fraudster by the customer.
Moreover, the court ruled that the bank was negligent by not requiring new ‘strong customer authentication’ during the fraudulent transfers themselves (which occurred weeks after the installation).
Legal analysis and interpretation
This judgment is an important application of the Code of Economic Law (CEL), specifically the rules around unauthorized payment transactions. Below, we identify the core legal principles that prevail in this case - and possibly in your case.
1. The starting point: the bank is liable
According to Article VII.44 of the CEL, the rule is that the payment service provider (the bank) bears the loss for unauthorized transactions. The customer is basically protected unless there is fraud by the customer himself or ‘gross negligence’.
2. The bar for ‘gross negligence’ is high
Banks often deflect responsibility by arguing that the customer was grossly negligent (e.g., “you clicked on a link” or “you shared codes”). However, case law confirms that mere carelessness is not enough.
There must be a far-reaching form of negligence that a normally careful person would never commit in the same circumstances. Previous cases often involved an accumulation of errors (responding to strange numbers, ignoring warnings, passing codes). This case lacked that pattern.
3. The burden of proof is on the bank
This is the crucial point for victims. It is up to the bank to prove with a reasonable degree of certainty that you were grossly negligent (Art. VII.44, §4 CEL). In this case, the bank showed technical logs (“request to enrollment”), but that does not prove that the customer actually received and transmitted the code. Doubt benefits the customer.
4. Strong client authentication (SCA)
Banks are obliged to secure transactions with strong authentication. If the bank fails to do so - for example, by not requiring new authentication for large transfers weeks after an app installation - the customer's liability lapses completely (Art. VII.44, §2 CEL).
Specifically, what does this mean for you?
If you have been a victim of fraud, this verdict provides guidance.
- For the account holder: Do not simply accept a refusal from the bank. The bank's standard letter stating that “the transaction was technically executed correctly with your codes” is often legally insufficient to disclaim liability. You do not have to prove your innocence; the bank must prove your gross misconduct.
- Prevention: Of course, be vigilant. Never share codes from your card reader or itsme via phone or e-mail. But know that if you do fall victim to an advanced trick, you are in a strong legal position as long as you did not act recklessly.
- Action: Block your cards immediately via Card Stop (078 170 170) and file a police report. This prompt response will be seen by the court as evidence of good faith.
Frequently asked questions (FAQ)
What is considered gross negligence in bank fraud?
Gross negligence is more than a simple mistake. It involves behavior where you ignore the most basic security rules, such as giving your PIN or response code to a stranger over the phone, despite warnings from the bank.
Do I have to prove that I did not make the payment?
No, the burden of proof is reversed. If you deny that you gave consent, the bank must prove that you did give consent or that you were grossly negligent. Simply proving that your card or app was used is often insufficient evidence.
Will I always get my money back after phishing?
Not always, but often. Up to an amount of €50, there may be a deductible, unless the bank did not apply strong authentication or you could not have noticed the loss. In cases of gross negligence, you get nothing back, but as this post shows, that is difficult for the bank to prove.
The bank says the transaction was done with “strong authentication” (SCA). Does that make me hopeless?
No. The bank often confuses the installation of the app with the payment transaction. Even if the installation happened with SCA, the bank must prove that you knowingly took that action or were grossly negligent. Moreover, if the payment itself happened weeks later without a new SCA, you are often fully protected.
What if I accidentally clicked on a phishing link?
Clicking on a link is usually not grossly negligent in itself. It only becomes problematic if you then enter personal codes (such as your PIN or card reader response code) on the fake website. Even then, the bank has to prove that a “normally observant person” should have recognized the counterfeit.
Does this ruling apply to all banks?
This is a judgment of the Brussels Enterprise Court. Although it is not a binding precedent such as a judgment of the Court of Cassation, it is a reasoned judgment confirming the strict application of the Code of Economic Law. This judgment can therefore be used in similar cases to increase pressure on banks.
Conclusion
Banks in Belgium have a heavy burden of proof when they refuse to reimburse victims of fraud. A technical record of a transaction is not conclusive proof of your liability. This ruling underscores that doubts about the facts speak in favor of the consumer.



