Judicial Court of Bordeaux, General Litigation Division, 14 March 2025, No. RG 24/01018 – No. Portalis DBX6-W-B7I-ZBEN
Table of Contents ▼
- 1. Spoofing, a fraud that deceives even the most cautious
- A well-rehearsed scheme in just a few minutes
- The chronology of events, a key element of the case
- 2. The legal framework: who must prove what?
- The presumption of liability of the bank
- The concept of gross negligence: a high threshold
- 3. The court’s decision: no gross negligence found
- The bank fails to prove its client’s fault
- Strong authentication is not sufficient to exonerate the bank
- 4. Financial consequences: reimbursement and penalties
- The 15-point surcharge on the statutory rate
- The rejection of the non-pecuniary damage claim
- Conclusion
1. Spoofing, a fraud that deceives even the most cautious
A well-rehearsed scheme in just a few minutes
On 5 September 2023, around 4:00 PM, a customer of La Banque Postale receives an SMS alerting him that a transaction of 699.99 euros is pending on his account, for a purchase he did not make. The message invites him to contact a telephone number if he did not initiate this transaction. The reflex is natural: he calls back.
On the other end of the line, a reassuring voice introduces herself as an adviser from La Banque Postale. She explains that his bank card has been compromised and that he needs to cut it and hand it over to a courier who will come to collect it and issue him a new one. The customer complies, convinced he is doing the right thing to protect himself. Five minutes later, a man in a yellow vest, posing as a La Poste delivery person, arrives at his home and leaves with the card.
What the customer does not yet realise is that the fraudsters have already acted. At the very moment this staging is taking place, four withdrawals of 1,000 euros each are being made at La Banque Postale ATMs. When he checks his account shortly afterwards, the finding is incontrovertible: 4,000 euros have disappeared.
The victim receives a message imitating their bank, reporting a suspicious transaction and inviting them to call a number.
A fraudster, posing as a bank adviser, establishes trust and requests information or the surrender of the card.
An accomplice arrives at the home, often disguised (yellow vest, La Poste uniform), to collect the bank card.
With the card (and the PIN obtained beforehand through other means), the fraudsters quickly make several withdrawals at ATMs, having previously increased the withdrawal limits.
The chronology of events, a key element of the case
In this case, the precision of the timestamps proves decisive. The Certicode Plus operation history reveals a very tight sequence: at 4:30 PM, an activation code expires and an activation request is confirmed via mobile internet; at 4:31 PM, the Certicode Plus enrolment is completed from an iPhone 12.8; at 4:32 PM, the withdrawal limit is increased from the same device. In the minutes that follow, at 4:30 PM, 4:33 PM, 4:35 PM and 4:36 PM, the four withdrawals of 1,000 euros are recorded.
However, the phone conversation with the fake adviser that led to the surrender of the card did not begin until 4:54 PM, as evidenced by the call log produced by the customer. In other words, the withdrawals took place before the card was physically handed over to the fraudsters. This point is central: the customer did not enable the withdrawals by surrendering his card, since they had already been completed at the time of the handover.
2. The legal framework: who must prove what?
The presumption of liability of the bank
The Monetary and Financial Code (CMF) precisely organises the distribution of responsibilities between the bank and its customer in matters of unauthorised payment transactions. Article L. 133-18 of the CMF imposes on the bank a principle of near-immediate reimbursement: as soon as a customer reports a transaction they did not authorise, the institution must reimburse them no later than the end of the first business day following the report. The bank may only avoid this obligation if it has serious grounds to suspect fraud by the user, which it must then communicate in writing to the Banque de France.
Article L. 133-23 of the CMF goes even further by establishing the burden of proof: when a user disputes having authorised a transaction, it is for the payment service provider to prove that the transaction was properly authenticated, duly recorded, and was not affected by a technical failure. And the law is explicit on a crucial point: the mere use of the payment instrument is not sufficient to prove that the customer consented to the transaction, or that they were grossly negligent.
The concept of gross negligence: a high threshold
Article L. 133-19 IV of the CMF provides that the customer bears the full amount of losses resulting from unauthorised transactions if they acted fraudulently or if they failed, intentionally or through gross negligence, to comply with their obligations. The question then arises as to the definition of this “gross negligence”.
Case law, notably the Commercial Chamber of the Court of Cassation in a ruling of 20 November 2024 (No. 23-15-099) cited by the Bordeaux court itself, has clarified the contours of this concept: before being able to allege gross negligence on the part of the customer, the bank must first establish that the transaction was properly authenticated and that no technical failure was involved. It is only once this step has been completed that the question of the customer’s fault can be examined. Proof of authentication is therefore not an end in itself: it constitutes a necessary but not sufficient prerequisite.
In practice, gross negligence presupposes particularly reckless behaviour on the part of the user, such as the spontaneous and deliberate communication of their PIN to a third party, or keeping this code written on the card itself. Being deceived by a sophisticated identity theft scheme cannot, in principle, be equated with such fault.
3. The court’s decision: no gross negligence found
The bank fails to prove its client’s fault
La Banque Postale argued that the customer had committed gross negligence by calling back the number shown in the fraudulent SMS, by transmitting his banking information to the fraudsters, and by handing over his card to a courier. It also argued that all of this had occurred before the withdrawal transactions, which, according to the bank, established the causal link between the customer’s fault and the loss suffered.
The court does not follow this reasoning. Judge Tamara Maric-Sanchez notes that the modus operandi of spoofing is precisely designed to put the victim at ease and make them believe they are acting in their own interest. The customer, by calling back the number in the SMS, believed he was contacting his bank to report a fraud. By surrendering his card, he believed he was neutralising the risk. This is not irrational or seriously reckless behaviour: it is the reaction of a person who succumbs to a sophisticated manipulation.
Furthermore, the bank fails to demonstrate that the customer communicated his confidential codes or online login credentials. Yet it was precisely access to this data that enabled the fraudsters, almost simultaneously, to activate Certicode Plus, increase the withdrawal limit and carry out the withdrawals. The bank provides no explanation as to how this access was obtained without the conscious and culpable participation of the customer.
Strong authentication is not sufficient to exonerate the bank
La Banque Postale produced a so-called “authentication” document attesting that the withdrawals had benefited from the strong authentication system, meaning they had been validated by means of a confidential code. It drew the conclusion that its liability was necessarily excluded, since this code is strictly personal.
The court recalls here the rule established by Article L. 133-23 of the CMF and confirmed by the Court of Cassation: the recorded use of the payment instrument, even with strong authentication, is not sufficient to prove that the customer authorised the transaction, or that they were grossly negligent. The bank therefore cannot simply produce technical logs to exonerate itself. It must go further and positively demonstrate the user’s fault. In the present case, it fails to do so.
| The bank’s argument | The court’s response |
|---|---|
| The customer called back a fraudulent number | He believed he was contacting his bank — sophisticated manipulation, no gross negligence |
| The customer handed over his bank card | The withdrawals predate the surrender of the card (4:30-4:36 PM vs call at 4:54 PM) |
| Strong authentication proven | Insufficient on its own — the bank must prove negligence, not just authentication |
| Account agreement requiring code protection | No proof that the customer communicated his code or online credentials |
4. Financial consequences: reimbursement and penalties
The 15-point surcharge on the statutory rate
The primary order is the reimbursement of the 4,000 euros in fraudulent withdrawals. But the court goes further by applying the penalty provided for in Article L. 133-18 of the CMF for failure to reimburse within the time limits. This article establishes a system of progressive penalties: the sums owed bear interest at the statutory rate plus five points up to seven days late, plus ten points between seven and thirty days, and plus fifteen points beyond thirty days.
In the present case, the customer had formally requested reimbursement by letter of 12 October 2023. The bank had refused by letter of 30 October 2023, less than thirty days later. But since no reimbursement has been made since then, and the thirty-day deadline has been well exceeded by the date of the judgment, the court applies the maximum surcharge of fifteen points from 12 November 2023, thirty days after the request. This penalty is not insignificant: it represents a substantial additional cost for the bank and is specifically intended to discourage unjustified refusals to reimburse.
The rejection of the non-pecuniary damage claim
The customer was also claiming 1,500 euros in compensation for non-pecuniary damage which he attributed to the bank’s abusive and unjustified resistance to reimbursing him. The court rejects this claim, not through lack of empathy, but for a purely procedural reason: the customer provides no concrete evidence to establish the existence of this non-pecuniary damage, nor to justify its amount.
This point is important to remember for anyone considering a similar action: merely claiming a loss is not sufficient. It must be proven, for example by producing testimonials, medical evidence, correspondence demonstrating the psychological impact of the situation, etc. Without this, even bank resistance recognised as unjustified does not automatically give rise to separate damages.
In contrast, the bank is ordered to pay 800 euros under Article 700 of the Code of Civil Procedure, representing a contribution towards the legal fees incurred by the customer in asserting his rights, as well as all costs of the proceedings.
Conclusion
The decision rendered on 14 March 2025 by the Judicial Court of Bordeaux provides a clear and balanced answer to an increasingly common question: are victims of bank spoofing systematically condemned to absorb their losses on the ground that they “reacted poorly” when faced with fraudsters? The answer is no, and this case is a concrete illustration.
This judgment confirms that the sophistication of a fraud may itself exclude the gross negligence of the victim. When scammers deploy an elaborate staging — SMS imitating bank communications, fake adviser on the phone, disguised courier — falling for it does not reflect characterised recklessness, but simply human vulnerability in the face of organised manipulation. And it is for the bank, not the customer, to prove otherwise.
For victims of this type of fraud, the message is clear: dispute the transactions, report the fraud immediately and, if the bank refuses to reimburse, do not hesitate to bring the matter before the court. The law is on your side — provided you follow the proper steps and build a solid case from day one.
FAQ
My bank refused to reimburse me after a spoofing attack: what remedies do I have?
If your bank refuses to reimburse fraudulent transactions that you did not authorise, you have several avenues. First, send a written formal notice to your institution, expressly relying on Article L. 133-18 of the Monetary and Financial Code which requires near-immediate reimbursement. If the refusal persists, you may refer the matter to the banking ombudsman, then, if mediation fails, bring legal proceedings before the competent Judicial Court. A lawyer specialising in banking law can assist you in building the case file and drafting correspondence, which significantly increases your chances of success.
What deadlines must be observed to dispute fraudulent transactions with my bank?
Under Article L. 133-24 of the Monetary and Financial Code, you have 13 months from the date the transaction was debited to dispute it with your bank, failing which you will be time-barred. But in practice, it is strongly recommended to act as soon as possible: report the fraud to your bank as soon as you become aware of it, file a complaint with the police within the following days, and send a registered letter of dispute without delay. Each day of delay may weaken your case.
Can the bank really refuse to reimburse me if I handed my bank card to someone?
The bank may attempt to invoke your gross negligence to refuse reimbursement. But as this Bordeaux decision illustrates, surrendering the card under the influence of a sophisticated manipulation — a very convincing fake bank adviser — does not necessarily constitute gross negligence in the legal sense of the term. The court assesses the concrete circumstances: if you acted in the genuine belief that you were protecting yourself, if the fraudsters used an elaborate modus operandi, and above all if the bank fails to prove that you communicated your confidential codes, the judge may decline to find gross negligence and order reimbursement.
What is strong authentication and why can the bank not rely on it to refuse to reimburse me?
Strong authentication (or SCA, Strong Customer Authentication) is a two-factor verification system used to validate certain banking operations, particularly large withdrawals. The bank often invokes it to argue that the transaction was validated by a personal code, and therefore the customer is responsible. But Article L. 133-23 of the CMF, confirmed by the Court of Cassation, is clear: the mere proof that the payment instrument was used and authenticated is not sufficient to establish that the customer authorised the transaction or that they were grossly negligent. The bank must go further and positively prove the user’s fault. Strong authentication is a necessary prerequisite to examine, not conclusive proof of exoneration.
Can I claim late payment interest if my bank delays in reimbursing me?
Yes, and it is even automatic once the reimbursement is not made within the legal deadlines. Article L. 133-18 of the Monetary and Financial Code provides for a scale of progressive penalties: a surcharge of 5 points on the statutory rate up to 7 days late, 10 points between 7 and 30 days, and 15 points beyond 30 days. In the decision commented upon, it was this maximum surcharge of 15 points that was applied from the 30th day following the customer’s reimbursement request, i.e. from 12 November 2023. These penalties apply automatically and do not need to be specifically negotiated.
Must I prove my non-pecuniary damage to be compensated beyond the reimbursement?
Yes. The reimbursement of fraudulently debited sums is an automatic right provided by law if your bank fails to prove your gross negligence. However, any additional compensation — particularly for non-pecuniary damage related to stress, anxiety, or the bank’s abusive resistance — falls under the classic civil liability regime (Article 1240 of the Civil Code). You must therefore provide concrete evidence proving the existence and extent of this loss: testimonials, medical evidence, correspondence demonstrating the impact on your daily life. Without such proof, as the Bordeaux court recalled, the claim for damages will be rejected, even if the fraud is established and the refusal to reimburse recognised as unjustified.
