Phishing victim? When does the court rule that you were ‘grossly negligent’ (and lost your money)?

You are the victim of phishing. You were tricked by a fake email and a sophisticated phone call, and thousands of euros disappeared from your account. You expect the bank to rectify this, but it refuses. The crucial question is: were you ‘just’ inattentive, or were you ‘grossly negligent’? A ruling by the Antwerp Court of Appeal on 28 November 2024 shows that those who ignore clear alarm bells bear the full loss themselves.

The facts: a classic phishing scenario with a hefty bill

The case that came before the Antwerp Court of Appeal began with a professional-looking phishing email, supposedly from the bank Belfius. The director of a company clicked on a link to request a new card reader. Shortly thereafter, the director was called by a person posing as an employee of Card Stop.

This fraudster employed a sophisticated strategy of psychological manipulation:

  1. He convinced the director to log into the online banking environment.
  2. He announced that the screen would go “black for a while,” allegedly to reverse the fraudulent transactions.
  3. He asked the director to relay the codes that appeared on the card reader over the phone.

The director followed the instructions, after which the fraudster stole a total of 14,398 euros. The company went to court to recover this amount from the bank.

Appeal court decision

The court had to answer two crucial legal questions at the heart of every phishing case.

1. Was the payment transaction ‘authorized’?

According to the law (Book VII of the Code of Economic Law), the bank must prove that a transaction was properly authenticated and therefore ‘authorized’. If not, the transaction is ‘unauthorized’ and the bank must, in principle, refund the money.

The court ruled that the transactions were unauthorized. The reasoning is technical, but essential: the bank could not prove that the customer had completed the authentication procedure entirely by himself. After all, the director had not himself entered the final ‘response code’ in the banking environment, but had passed it on to the fraudster by telephone. As a result, it was the fraudster, and not the customer, who finally confirmed the transaction.

2. Was the victim ‘grossly negligent’?

This is the bank's ‘escape’. If a transaction is ‘unauthorized’, the bank must refund the amount unless it can prove that the customer was grossly negligent. If the bank succeeds, the victim bears all losses.

The court found that the victim in this case was indeed grossly negligent.

Legal analysis and interpretation

This ruling is a perfect example of the “gray area” of liability in phishing. It shows how judges analyze the victim's behavior in detail.

The striking split in assessment

The most instructive part of the judgment is the way the court divided the victim's conduct into two parts:

  • NOT grossly negligent: Merely clicking on the phishing link and not noticing the suspect email address (‘diens.belfiu@t-online.de’). The court found the email professional enough (with logo, correct formatting) and considered this to be, at best, an ‘oversight’. Mere carelessness is not yet gross negligence.
  • IS grossly negligent: The behavior after clicking on the link. The court found that the victim had ignored “multiple alarm bells.” A “normal, careful and foresighted” person, the court stated, should have been alerted by:
    1. An unusual telephone call from (allegedly) Card Stop asking to make payments;
    2. The announcement that the screen would go black;
    3. The fact that no prior checks were carried out on the bank accounts.

By acting on these instructions and passing on the codes, the victim committed “inexcusable negligence” and disregarded the duty to ensure the safety of personal security data.

Note: the victim was not a consumer

An important legal footnote: the victim here was a corporation (BV), not a consumer. For non-consumers, the liability provision of Article VII.44 of the Code of Economic Law can be contractually excluded. Although that did not appear to have happened in this case, this is a crucial concern for corporations.

What this specifically means

  • For victims (individuals and companies): This ruling is a harsh warning. While a judge may understand if you click on a persuasive link, the leniency stops there. Once you find yourself in an unusual situation (a phone call, a black screen, being asked to provide codes), the court expects you to stop, disconnect and contact your bank yourself through official channels. If you do not do so, there is a real chance that you will be considered grossly negligent and lose your money permanently.
  • For banks: The burden of proof is on the bank. They must show that the customer was grossly negligent. This ruling gives them a strong argument in cases where victims, despite clear warning signs, still cooperate with the fraudsters.

FAQ (frequently asked questions)

No, not automatically. This court of appeal ruled that clicking on a professional-looking fake email is not in itself gross negligence. The gross negligence began only when the victim followed the fraudster's further, highly unusual instructions over the phone.

What if my bank was unreachable during the fraud?

In this case, the victim also tried to argue that the bank was unreachable. The court rejected that argument. It stated that there was no legal requirement at the time for the bank to be permanently accessible. Moreover, the victim could also have simply disconnected from the fraudster.

Is phishing legislation final?

No, legislation is evolving. New rules are being considered both in Belgium and at the European level. A Belgian bill is on the table to limit the victim's liability even in cases of gross negligence. Europe is also considering whether the definitions of ‘consent’ and ‘gross negligence’ should be clarified. So the legal battle is not yet over.

Conclusion

This ruling by the Antwerp Court of Appeal highlights a painful reality: the line between inattention and gross negligence is wafer-thin, but has far-reaching financial consequences. A judge in Belgium will analyze your conduct as a whole. Clicking on a link can be forgiven, but ignoring obvious alarm bells, such as a call from “Card Stop” or a sudden black screen, will be seen as an unforgivable mistake that leaves you bearing the full loss.


Joris Deene

Attorney-partner at Everest Attorneys
