Fake Bank Adviser: The Court of Appeal of Paris Confirms Bank Liability and Victim Reimbursement (CA Paris, 22 May 2025, RG No. 24/02286 and 24/02984)

The Court of Appeal of Paris rendered two decisions following the victim-favorable jurisprudential trend initiated by the Court of Cassation on 23 October 2024 (Cass. com., 23 October 2024, No. 23-16.267), confirming bank liability and victim reimbursement in fake adviser fraud cases.

Online and telephone banking fraud has become a scourge for individuals and financial institutions alike. Among these, the so-called “fake adviser” or “vishing” (voice phishing) scam is particularly insidious.

Recently, the Court of Appeal of Paris rendered two decisions (both dated 22 May 2025) that illuminate the position of French courts regarding these sophisticated frauds, balancing the liability of banks against the alleged “gross negligence” of victims. These two decisions follow the victim-favorable jurisprudential trend initiated by the Court of Cassation on 23 October 2024 (Cass. com., 23 October 2024, No. 23-16.267).

Let us analyze these two cases to understand the approach adopted by the judges.

Cour d’appel de Paris, 22 May 2025, RG No. 24/02286

Cour d’appel de Paris, 22 May 2025, RG No. 24/02984

Case 1: Banque Populaire (Court of Appeal of Paris, 22 May 2025, RG No. 24/02286)

The facts of the fraud: a highly convincing identity theft

On 5 March 2022, Mrs. [N] was contacted by phone by a person posing as her bank adviser. What made this fraud particularly difficult to detect was that the call appeared to come from the number of the Banque Populaire branch of [Localite 10] ([XXXXXXXX01]). This technique, called “spoofing,” was confirmed by Mrs. [N] and deemed “of a nature to put her at ease” by the Court.

Under this influence, Mrs. [N] was led to activate a link sent by SMS (labeled “BPOPULAIRE” with the link “https://connexionbp.com,” different from the official “https://banquepopulaire.fr”) directing her to a “mirror site”. She believed she was refusing fraudulent transfers, but in reality, this link enabled the capture of her credentials and the authentication of several fraudulent transactions: the addition of a third-party account, a card purchase of 840 euros for “Kenzo COM,” and two transfers totaling 3,800 euros to “[N] [H] France.” The Court even noted a “suspicious” fact: the couple’s account was contacted “both by the Free mobile network in France and by a Vodafone Spain network in Spain within one or two minutes of each other” on the day of the fraud.

Mrs. [N] never knowingly validated the payments and “did not divulge her personal and confidential data consciously”. As soon as she suspected fraud, she acted quickly, taking screenshots and contacting the bank the same day.

The court’s decision: no gross negligence

The first instance judge had already ordered Banque Populaire to reimburse 4,012.72 euros, finding that the bank had not proved the authorization of the transactions and that Mrs. [N] had not committed gross negligence. The Court of Appeal fully upheld this decision.

It reaffirmed that the mere fact of a client having their security data stolen does not necessarily constitute a fault, especially if the person responds to a phone number appearing to be that of their bank. The court held that the circumstances of the fraud, notably the spoofed phone number and the deceptive nature of the link and labels, did not allow for a finding of gross negligence on the part of Mrs. [N].

Case 2: Societe Generale (Court of Appeal of Paris, 22 May 2025, RG No. 24/02984)

The facts of the fraud: urgency and false security

Mr. [F], aged 92 and a long-standing client of Societe Generale, had already been the victim of an Ameli phishing attack. On 4 November 2022, a Friday in the late afternoon, he was contacted by phone by a person posing as an “employee of the Societe Generale security department”.

The fraudster alarmed Mr. [F] by announcing an “ongoing hack of his bank account” and the imperative to “react quickly”. To “preserve his accounts,” he was asked to make transfers to a “new bank account” that the fraudster claimed to have “opened in his name at the same bank”. Mr. [F] complied, believing he was the beneficiary of these transfers, using his banking application and his strong authentication device (Pass Securite). Two transfers of 4,000 euros each were made on 4 and 6 November 2022.

Mr. [F] “never transmitted his personal credentials, such as his identifiers or secret codes, to his telephone interlocutor or by email”. The fraud was based on manipulating him to initiate the transfers himself. He did not realize the fraud until the following Monday, 7 November 2022, and filed a complaint the same day.

The court’s decision: manipulation that diminishes vigilance

The first instance court had already held Societe Generale liable. The Court of Appeal confirmed the bank’s liability and the absence of gross negligence on the part of Mr. [F].

It emphasized that the call, which conveyed the false impression that the funds remained within the same institution and in the client’s name, had “legitimately created a sense of urgency” in Mr. [F] and “diminished the client’s vigilance”. The Court also noted that Mr. [F]’s age (92 years at the time of the events) was a vulnerability factor.

The Court insisted that Mr. [F] never communicated his confidential codes, and that his prompt action in reporting the fraud was appropriate. The bank, on the other hand, did not prove that the authorization procedure had been correctly carried out, and the possibility of a technical failure could not be ruled out.

Analysis of the decisions: the jurisprudential approach of the Court of Appeal of Paris

  1. The Burden of Proof on the Bank:
    • The Court consistently recalls that it is for the payment service provider (the bank) to prove that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical failure.
    • Above all, if the client denies having authorized the transaction, the bank must “provide evidence to prove the fraud or gross negligence committed by the user”. The mere fact that the payment instrument or personal data were used is not sufficient to prove this gross negligence.
  2. A Strict Definition of “Gross Negligence”:
    • “Gross negligence” is interpreted as a “failure of basic prudence expected of a normally attentive person”. However, the Court is very demanding of banks regarding the proof of such negligence.
    • What is not gross negligence:
      • Answering a call from a spoofed number: For Mrs. [N], the fact that the displayed number was that of her branch was a major factor excluding gross negligence. The Court considers this was “of a nature to put her at ease”.
      • Being manipulated by a scenario of urgency and “false security”: For Mr. [F], the sense of urgency and the belief that the funds remained under his control, even if transferred, “diminished the client’s vigilance” and do not constitute gross negligence.
      • Failing to detect subtle “anomalies”: Despite the banks’ arguments about “manifest anomalies” (poor language skills, different link names), the Court holds that the sophistication of the fraud renders these elements insufficient to characterize gross negligence on the client’s part, especially when the starting point is an element of trust (such as spoofing).
      • The absence of direct data transmission: The fact that the victims never communicated their identifiers or secret codes is a strong argument in their favor, emphasizing that it was the fraudsters who took control of the transactions through deception, and not the clients who divulged their information.
  3. Strong Authentication Does Not Exonerate the Bank:
    • Even if the transactions were carried out with strong authentication (Pass Securite, SMS validations), this is not sufficient to prove that the transaction was authorized by the payer or that they committed gross negligence. The bank must always provide additional evidence to prove the client’s fault.
  4. The Victim’s Post-Fraud Diligence:
    • The Court always examines the client’s responsiveness after discovering the fraud. In both cases, Mrs. [N] and Mr. [F] acted promptly to report the fraud to their bank and file a complaint. This diligence is a positive factor for the victim.

In sum, the Court of Appeal of Paris reaffirms that the primary liability rests on the bank in the event of an unauthorized transaction. It requires banking institutions to exercise a reinforced duty of protection of their clients against increasingly sophisticated fraud techniques. For a bank to be exonerated from its liability, it must demonstrate gross, obvious and inexcusable negligence on the part of the client, which is difficult to prove when the fraud relies on social engineering and credible identity theft, particularly through “spoofing.”

These decisions underscore the firm position of the Court of Appeal of Paris in favor of fraud victims, so long as their gross negligence is not clearly established by the bank, particularly when fraudsters exploit victims’ trust by impersonating the banking institution.

Moreover, if you have been the victim of a banking scam, particularly through a fake adviser or a suspicious call that misled you, know that these recent decisions of the Court of Appeal of Paris considerably strengthen your reimbursement rights. Case law confirms that banks are required to prove that the transaction was authorized or that gross negligence on your part is established, the mere use of your payment instrument being insufficient to prove your authorization or gross negligence.

Do not wait any longer to assert your rights. If you have suffered a loss as a result of this type of banking fraud, these recent decisions constitute major support. Contact LE BOT AVOCAT now to assess your situation and initiate the necessary steps to obtain reimbursement of the sums you have lost.
