In a decision rendered on 15 January 2026, the Paris Judicial Tribunal ordered BNP PARIBAS to reimburse a customer who fell victim to “spoofing”, while also requiring the telecom operator BOUYGUES TELECOM to indemnify the bank on account of a breach of its technical security obligations.
Paris Judicial Tribunal, Pcp jtj proxi fond, 15 January 2026, No. 24/04856
I. Background: An Identity Theft Scam
On 17 November 2023, Ms [V] [C] received a call from an individual claiming to be an adviser from her banking institution. The court noted that “the telephone call was made from a phone displaying the number of the banking institution”, a technique known as spoofing.
The fraudster convinced the customer to enter her client number and password on her phone. Subsequently, two fraudulent payments totalling 8,861.34 euros were identified. Faced with the bank’s refusal to reimburse her, the customer brought the matter before the court.
II. The Absence of Gross Negligence on the Customer’s Part
BNP PARIBAS invoked gross negligence to avoid its obligation to reimburse. The court dismissed this argument by highlighting the specific nature of this type of fraud.
The judge recalled that it is well established that, compared to email fraud, the modus operandi of the fake bank adviser “inspires trust and diminishes the vigilance of the person receiving the telephone call, which moreover references a hacking incident”.
In this case, the court noted that the customer “demonstrates […] that the telephone number displayed on her handset was the one printed on the back of her bank card” and that she had been “put at ease by the fraudster’s reference to a recent purchase she had made shortly before”. Her immediate reaction (changing her password and blocking the card) ultimately convinced the judge that no gross negligence could be attributed to her.
III. The Telecom Operator’s Liability: Application of the “Naegelen Law”
The major significance of this judgment lies in the order requiring BOUYGUES TELECOM to indemnify the bank. The court relied on Article L.44 IV of the Postal and Electronic Communications Code, introduced by the law of 24 July 2020.
A Clear Breach of the Security Obligation
The court recalled that operators are required to ensure the authenticity of telephone numbers and that, where the authentication mechanism does not confirm the authenticity of a call, “the operator must terminate the routing of the call or message”.
The judge underlined the operator’s failure in the following terms:
“It was therefore incumbent upon it either to confirm the authenticity of the call attributed to SA BNP PARIBAS, or to terminate the routing of the communication. This was not the case, all the more so given that the evidence submitted shows that the telephone exchange between the fraudster and Ms [V] [C] lasted 21 minutes”.
The court rejected the operator’s technical argument, stating that it “does not explain at the hearing in what respect it would have been prevented from complying with the law of 24 July 2020”. It concluded that the failure to block “a telephone number that is particularly sensitive given its association with a banking institution” constituted an established breach.
IV. The Court’s Ruling
The judge of the Paris Judicial Tribunal ruled as follows:
- Orders SA BNP PARIBAS to pay Ms [V] [C] the sum of 8,861.34 euros, plus interest at the statutory rate.
- Orders SA BOUYGUES TELECOM to indemnify SA BNP PARIBAS for its liability.
- Orders SA BOUYGUES TELECOM to bear the costs and to pay legal costs under Article 700 of the Code of Civil Procedure.
This decision establishes a cascading liability framework, protecting the end user and reminding operators of their pivotal role in the digital security chain.

