
A case before the EU’s highest court has prompted its Advocate General to issue a formal opinion stating that banks cannot refuse to immediately refund victims of unauthorized payments resulting from phishing scams, even where the customer appears to be at fault.
According to the opinion issued by Athanasios Rantos, Advocate General of the Court of Justice of the European Union (CJEU), banks must refund the transaction first, unless they can later prove that the customer acted fraudulently or with “gross negligence.”
The opinion was issued in response to a request for a preliminary ruling submitted by the District Court in Koszalin, Poland, in a dispute between PKO Bank Polski and one of its customers.
A press release published on the court’s website describes how the customer fell victim to phishing fraud: a third party posed as a buyer on a sales platform and sent her a fraudulent link imitating her bank’s website.
The victim entered her details on the fake site, which allowed the fraudster to capture them and make an unauthorized payment.
The customer reported the fraudulent transaction to her bank the next day. However, the bank refused to refund the amount, arguing that the customer had been grossly negligent in disclosing her bank details.
Following that refusal, the customer took legal action.
In his opinion, Rantos considered that the EU Payment Services Directive requires a bank, “as a first step, to refund immediately the amount of the unauthorized transaction, unless it has good reason to suspect fraud, which it must communicate in writing to the competent national authority.”
However, the refund is not the end of the matter: the bank can still seek to recover the loss from the customer if it can establish that the customer failed “intentionally or through gross negligence” to fulfil their obligation to keep their personalized security credentials safe.
In that case, the Advocate General said, the burden of pursuing legal action falls on the bank, not the customer.
“If the customer refuses to reimburse the amount of the unauthorized transaction, it is up to the bank to take legal action against that person to obtain payment.”
The opinion is not a CJEU ruling and is not binding on the court, but the court frequently follows its Advocates General, so it indicates the direction the judgment may take.
“It’s like giving away your car keys”
Phishing scams have surged across Europe in recent years. According to EU security agency ENISA’s Threat Landscape 2025 report, phishing accounted for 60% of 5,000 observed intrusions between July 2024 and June 2025.
Banks have sometimes argued that when correct authentication codes are used, the transaction is effectively authorized by the customer.
In 2024, Dutch neobank Bunq initially refused to compensate victims of phishing and help desk fraud scams. Victims were tricked by criminals posing as bank employees into sharing their login details, which were then used to transfer funds.
At the time, Bunq’s CEO and founder, Ali Niknam, controversially likened sharing those details to “like giving someone your car keys outside on the street. Then your car is gone,” a statement the Dutch finance minister later called “completely inappropriate.”
The bank argued that customers had effectively allowed access to their accounts by sharing security information. However, Bunq later agreed to reimburse customers an average of 85% of their losses.