Phishing via Facebook Marketplace and Payconiq: should the bank refund your stolen money?

Have you been a victim of phishing through platforms such as Facebook Marketplace, where your bank account was looted? In most cases, the bank is obliged to refund this amount to you in full, including interest. A judgment of the Dutch-speaking Enterprise Court in Brussels on October 16, 2025, confirms that clicking on a fake Payconiq link or missing warning text messages during the night should not automatically be classified as “gross negligence”.

The facts: a ‘classic’ scam via Marketplace

The case brought before the court concerns a scenario that is unfortunately becoming more common. A consumer wanted to buy used video games through Facebook Marketplace. The alleged seller suggested arranging payment through a Payconiq link.

The facts played out as follows:

• The buyer received a link that led to an environment that closely resembled the familiar payment environment.
• To confirm payment of a small amount (€204.40), the buyer used his card reader and entered codes.
• Without the buyer realizing it, the fraudsters used these codes not for a payment, but to install the app Itsme on their own device.
• With this, the criminals gained access to the victim's bank accounts and made wire transfers for more than €13,000 that same night.

When the victim woke up the next morning, he saw several text message alerts that had been sent during the night. He immediately called the bank and Cardstop. However, the bank refused a refund, arguing that the customer had been ‘grossly negligent“.

The decision: bank fully liable

The Dutch-speaking Enterprise Court Brussels ruled in favor of the duped customers. The bank was ordered to repay the full amount (€13,211), plus statutory interest from the day of the theft.

The court rejected the bank's arguments, stating that there was no gross negligence on the part of the victims. The ruling emphasized that consumers cannot be held responsible for sophisticated fraud that they could not reasonably detect.

Legal analysis and interpretation

For victims and legal professionals, this judgment contains important interpretations of the regime regarding unauthorized payment transactions from the Code of Economic Law (CEL).

1. The burden of proof of gross negligence (Art. VII.44 CEL)

The premise of the legislation (PSD2 directive) is consumer protection. The bank must refund the amount immediately (Art. VII.43 CEL), unless it can prove that the customer acted fraudulently or was grossly negligent. The court confirms that the bar for “gross negligence” is very high. It involves an imprudence so severe that a normally careful person would never commit it.

• Deception: The fact that the URL was slightly off or that Payconiq does not normally operate through a card reader does not suffice as evidence of gross negligence. The fraud was professionally set up and looked legitimate.
• Night alerts: Ignoring text message alerts is normally risky. However, the court ruled that a consumer cannot be expected to wake up at night to messages. On the contrary, the fact that the customer responded promptly in the morning demonstrates diligence.

2. No force majeure due to third-party systems (Itsme).

The bank tried to invoke force majeure (Art. VII.55/9 CEL) by pointing to security breaches at Itsme or the other banking institution. The court decisively rejected this. When a bank allows its services to be accessed through an external app such as Itsme, the bank is responsible for its security. Any flaws in that system are attributable to the bank and do not constitute “extraneous cause”.

3. Compensation and interest

It is noteworthy that the court allows the compensatory interest to run from the date of the facts (Oct. 4, 2023) and not only from the notice of default. This compensates the victim for the period when he could not dispose of his money.

What does this mean for you?

This ruling significantly strengthens the position of the bank customer.

• For victims: Do not be deterred if the bank initially rejects your refund request with the term “gross negligence.” If you acted in good faith and became a victim of deception, you are in a strong legal position.
• Responsiveness is crucial: Although you may sleep at night, take immediate action as soon as you notice the fraud. Block your cards through Cardstop and notify your bank.
• Keep evidence: Screenshots of the Marketplace calls, the fake links and your text message history are essential to show that the scam appeared credible.

Frequently Asked Questions (FAQ)

Is clicking a link in a post always ‘gross negligence’?
No. The court ruled specifically. If the link and website look professional and legitimate, the consumer cannot be blamed for falling into the trap. Gross negligence requires gross carelessness, not mere mistake.

Do I need to be available to my bank at night?
No. A normally careful citizen is not expected to monitor his text messages or banking app during the night. Missing alerts during your sleep is no reason for the bank to deny repayment.

What if the fraudsters log in through Itsme?
The bank remains responsible. If the bank allows Itsme to be used as a means of authentication, the bank cannot shift responsibility for fraud to Itsme or the user unless the user himself was grossly negligent with his codes.

Conclusion

Consumer protection in digital payments is robust. Banks have a legal duty to provide secure systems and cannot simply pass losses due to fraud onto the customer, especially in the case of sophisticated phishing. As long as you, the victim, react quickly after discovery and do not voluntarily give codes to third parties (but were misled in a payment environment), the bank must compensate you.