Spoofing Fraud (Fake Bank Advisor): No Gross Negligence by the Client According to the Douai Court of Appeal (6 March 2025)

The so-called “fake bank advisor” fraud, often associated with the technique of “spoofing” (hijacking the bank’s phone number), is a growing phenomenon that has given rise to abundant case law. A recent decision of the Douai Court of Appeal, rendered on 6 March 2025, provides important clarifications on the obligations of the payment service provider (PSP) and the concept of gross negligence of the client who falls victim to these scams.

The Facts

The case concerned Ms [H] [T], a client of the Caisse d’Epargne. She was contacted by telephone to validate a transaction of 2,095 euros that was presented to her as fraudulent, with the stated aim of protecting her from it. Having given in to this request and validated the transaction, she fell victim to the scam.

The Hazebrouck Magistrates’ Court, hearing Ms [T]’s reimbursement claim, had dismissed it, finding gross negligence on her part. Ms [T] appealed this judgment.

Before the Court of Appeal, the central questions were twofold: was the disputed transaction authorized? If not, had Ms [T] committed gross negligence justifying the bank’s refusal to reimburse?

Characterization of the Transaction: Unauthorized in Cases of Fraud

The Caisse d’Epargne argued that the transaction had been authorized by Ms [T] through the strong authentication device Secur’Pass, thereby validating the transaction.

The Court of Appeal begins by recalling, based on Articles L. 133-3 and L. 133-6 of the French Monetary and Financial Code, that a payment transaction initiated by the payer is deemed authorized only if the payer has consented to the amount of the transaction.

Crucially, it specifies that the payer's validation of a debit corresponding to a purchase they did not make, where that debit was carried out as part of a scheme designed to convince them of the need to proceed, constitutes an unauthorized payment transaction.

The Court adds that the mere fact that the payer used the strong authentication device provided by the PSP does not imply that they authorized the fraudulent transaction. This precisely raises the question of the payer’s possible gross negligence, within the framework of the unauthorized transaction regime.

In this case, the Caisse d’Epargne did not dispute that the payment occurred during a fraudulent telephone call from a third party, even though the number of its own “fraud” department was displayed on Ms [T]’s phone. The Court held that the fact that Ms [T] initially refused to validate the transaction, then very quickly alerted her branch to oppose the debit, sufficiently establishes that the disputed transaction was not authorized by the payer.

Proof of Authentication: A Burden on the Bank

In the context of an unauthorized transaction disputed by the client, Article L. 133-23 of the French Monetary and Financial Code provides that it is incumbent upon the PSP to prove, as a prerequisite, that the transaction was authenticated, duly recorded and accounted for, and that it was not affected by a technical or other deficiency.

The Court notes that the Caisse d’Epargne, while asserting that the transaction was validated by a strong authentication device, fails to provide proof thereof. The mere production of a general description of security measures is not sufficient. The bank did not produce the “digital evidence” of the recording of an authenticated transaction or of the absence of any deficiency in its own technical system. By failing to provide the digital log of the recording, the bank is found to have failed to discharge the preliminary burden of proof that rests upon it.

Gross Negligence: An In Concreto Assessment

Even in the case of an unauthorized transaction, the payer bears all losses if they acted fraudulently, or if they failed to meet their security obligations (protection of personalized data, prompt notification in case of loss/theft/misuse) intentionally or through gross negligence. The burden of proving gross negligence rests on the PSP.

The Court recalls that while the Court of Cassation exercises “light” review over the characterization of gross negligence, the trial judge must assess it in concreto (on a case-by-case basis).

In this case, the Court finds that no gross negligence within the meaning of the aforementioned provision can be attributed to an account holder who, contacted by telephone by a person impersonating a bank employee whose number was displayed, uses, at their request, the personalized security device to validate a payment.

The bailiff had moreover confirmed that Ms [T] had indeed been contacted by the number assigned to the PSP’s “fraud” department, and that she or her husband had subsequently called back that number to be put in contact with the genuine department.

The Court acknowledges the paradox of being asked to validate a fraudulent transaction in order to prevent it. However, the undisputed circumstance that Ms [T] legitimately believed she was in contact with the “fraud” department of her PSP leads to the finding that her negligence does not reach such a degree of gravity as to constitute an exception to the principle of reimbursement by the PSP for an unauthorized transaction. Moreover, Ms [T] immediately alerted the bank.

Bank Ordered to Reimburse

Consequently, the Court of Appeal reverses the first-instance judgment that had found gross negligence and dismissed Ms [T]’s claim.

Finding an unauthorized transaction and the absence of proof of the client’s gross negligence or of a properly recorded authentication by the bank, the Court orders the Caisse d’Epargne to reimburse Ms [T] the sum of 2,095 euros, plus interest at the legal rate from the date of the judgment.

No Moral Damages

Ms [T] also sought compensation for moral damages. The Court rejects this claim, finding that the mere deprivation of the diverted sum or the resort to savings does not constitute moral damages. The allegations of contempt by the bank or the fact that an employee mentioned insurance are not established as generating moral damages. The exchanges even showed, according to the Court, an attempt at assistance on the part of the bank.

Conclusion: A Decision Favorable to Spoofing Victims

This decision of the Douai Court of Appeal is significant in that it reaffirms the characterization of an unauthorized transaction for payments validated under the coercion of a fraudulent scheme, including when the client uses their strong authentication device. It also emphasizes the bank’s preliminary burden of proof regarding authentication and the absence of technical deficiency. Above all, it adopts a protective stance towards spoofing victims by holding that believing one is in contact with the bank’s legitimate department, whose number is displayed, precludes the finding of gross negligence, even if the client validated the transaction at the fraudster’s request.
