The ruling delivered by the Court of Appeal of Paris on 18 December 2025 (No. 24/19561) marks a decisive step in the protection of bank customers against spoofing (telephone identity theft). Whereas banks often take refuge behind the technical validation of a transaction to refuse any reimbursement, the Court firmly recalls that authentication is not synonymous with consent.
CA Paris, 18 décembre 2025, n° 24/19561
I. The Mechanics of a “Perfectly Orchestrated” Fraud
On 15 December 2022, Ms [Y] fell victim to a now-classic but formidable manipulation scenario. A fraudster contacted her, displaying on her screen the official number of her bank’s opposition service (09 69 39 77 77).
To build trust with his victim, the individual used confidential information:
- He knew her account number and the last four digits of her bank card.
- He claimed to be acting urgently to block ongoing fraudulent transactions.
- He guided the client to change her PIN directly in her app and to validate credit limit increases and then a payment of €3,900.
II. The Heart of the Debate: The Concept of “Gross Negligence”
The bank refused reimbursement by invoking Article L. 133-16 of the Monetary and Financial Code (Code monétaire et financier), asserting that the client had been grossly negligent by validating the transaction herself through her “Pass Sécurité”.
1. Challenging the Presumption of Authorisation
The Court of Appeal clarified a major point of law: the use of personalised security data (strong authentication) is insufficient to prove that the transaction was authorised by the payer. The payer must have consented not only to the technical process, but also to the amount and the beneficiary of the transaction. In cases of spoofing, the client never consents to transferring funds to a fraudster.
2. The Deceptive Nature of the Scheme
Unlike the first-instance judge, the Court of Appeal held that the scheme was sufficiently deceptive that a prudent client could have been misled:
- The display of the official number is the determining factor that creates a climate of legitimate trust.
- The absence of preventive information: The bank reproached its client for not knowing that its opposition service never made outgoing calls. The Court rejected this argument, noting that no specific information was communicated to clients about this particular practice.
- The consistency of the victim’s account: The Court noted that Ms [Y] had maintained a coherent and precise account of her exchanges from the time of her police complaint, which lent credibility to her narrative in the face of the bank’s denials.
III. Sanctions: Reimbursement and Compensation for Moral Damages
The Court of Appeal of Paris reversed the first-instance judgment and imposed substantial penalties on Société Générale:
- Material loss: Reimbursement of the €3,900, together with interest at the statutory rate from the date of the summons.
- Moral damages: Award of €500 in damages. The Court here condemned the “hassle” caused by the bank’s refusal, particularly since the client’s own adviser had internally suggested reviewing the bank’s position, without success.
- Procedural costs: €1,500 under Article 700 of the CPC.
Key Takeaways for Victims
This ruling is in line with the case law of the Court of Cassation (notably the ruling of 23 October 2024 – Cass. com., 23 October 2024, No. 23-16.267). For banks, the mere technical proof of validation through “Pass Sécurité” is no longer sufficient to set aside their liability in cases of complex telephone manipulation.
