Joris DeeneInvoice fraud is a persistent and growing problem for businesses, with fraudsters intercepting payment transactions and manipulating bank data. If you as a customer unknowingly pay into a scammer's forged account number, you basically bear the financial risk yourself. Both the unpaid supplier and the performing bank go free in the vast majority of cases, unless there are very specific grounds for exception.
The facts and legal context
In a recent case before the Leuven Enterprise Court, the judges, in a judgment dated December 18, 2025, dealt with a typical case of invoice fraud between two companies, BV S.S. (the contractor) and BV C. (the principal). Between the two parties, after disputing the initial billing, it had been agreed that the principal would pay an advance of 15,000 euros before the contractor would perform repair work.
Shortly before the scheduled payment, the client received fraudulent emails from third parties. These fraudsters sent emails from an address very similar to that of the contractor, saying that payment should be made to a new account number at AION Bank. The principal executed the 15,000 euro transaction almost immediately. Later, this account number was found to belong to an unknown third party, after which the funds disappeared without a trace.
The principal claimed that she had paid in discharge by this transfer and refused to pay the outstanding debt to the contractor. Secondarily, she held her own bank (KBC) liable for the damages suffered.
The decision and the law
The court rejected the client's argument and ruled in favor of the contractor and the bank. The decision rests on two main legal pillars:
First, based on article 1239 (old) Civil Code, the court ruled that a payment is valid only when made to the actual creditor or his agent. A payment to a fraudster does not constitute a payment to the creditor. The severe penalty for this is “qui paie mal, paie deux fois” (whoever does not pay to the right person does not pay in discharge and must pay again). Consequently, the risk of this fraudulent request is borne entirely by the debtor.
Second, the claim against the bank was dismissed under Article VII.55/2 of the Code of Economic Law (CEL). This provision states that a payment service provider (the bank) is not liable for the execution of a transaction as long as it is done in accordance with the ‘unique identifier’ entered by the customer, being the IBAN account number. The bank is not legally required to verify that the name of the payee is correct with the IBAN number provided.
Legal analysis and interpretation
This ruling illustrates a strict application of contract law combined with modern banking law. The court ruled that objective carelessness in the payment process lies exclusively with the debtor. The fact that the debtor could or could not have reasonably seen through the fraud is, in itself, the court finds irrelevant to the allocation of risk.
There is only one escape route for the duped debtor: the trust theory. Under this theory, a payment can exceptionally count as dischargeable if the creditor (for example, through a compromised IT system or extreme negligence) contributed to the creation of an appearance. In that case, the debtor must have gained a legitimate expectation that he was paying correctly. Here, however, the court dismissed this argument: the supplier had always provided the correct bank details on its invoices and could not be held responsible for third-party emails. The mere fact that the supplier did not immediately respond to an email chaining the wrong account number does not create a legitimate expectation.
Also read our blog : Who pays for the damage when invoice fraud occurs via a hacked mailbox?
Regarding the financial institution, the court confirms the supremacy of the European PSD2 Directive. This directive aims at a fully harmonized and contained liability regime for payment service providers. A party cannot invoke a bank's ‘general duty of care’ to override these strict European and national provisions.
What this specifically means
- For the debtor (client): As a rule, you bear the full loss in the event of invoice fraud. It is absolutely important to be vigilant whenever a bank account number is changed. Always verify it through another channel (e.g. by phone) before proceeding with payment. The lack of verification may result in you having to pay the outstanding invoice a second time.
- For the creditor (supplier): As long as you deliver correct invoices yourself and do not create an active appearance of changed bank information, you retain the right to demand payment. It is essential to properly secure your IT systems, as demonstrable ‘malware’ on your systems could potentially well lead to shared or full liability.
- For banks and financial institutions: You enjoy broad protection under the Economic Code as long as payments are processed strictly according to the IBAN numbers entered. You have no additional obligation to verify the identity of the payee.
Frequently asked questions (FAQ)
Am I released from my debt if I unknowingly pay a fraudulent invoice?
No, the general rule states that you bear the risk if a payment is made to the wrong person. The law rules that a payment must be made only to the legitimate creditor. Consequently, you will still have to pay the original, correct invoice.
Is my bank required to verify the name and account number (IBAN) on a wire transfer?
No, there is no additional verification obligation for the bank. Under current legislation (Article VII.55/2 CEL), a bank is not liable when it executes a payment transaction based solely on the IBAN number entered by the customer.
Can I prove that it was the supplier's fault?
This is possible, but the burden of proof is very strict. You must prove through the so-called trust doctrine that the creditor himself, by his actions or omissions, gave the appearance that the payment to the fraudster was legitimate. This may be the case, for example, if you can prove that the supplier's systems were hacked.
Conclusion
Invoice fraud carries significant financial risks, with the careless payer usually bearing the brunt. Recent case law once again shows that judges in Belgium strictly apply legal principles: by default, neither the supplier nor the bank bear responsibility for the actions of fraudsters. Strict internal control procedures for payments are therefore indispensable.
Dutch 
English