In Belgium, banks will now be required to immediately compensate victims of phishing attacks for the damages they suffer. Lawyers are calling this a “groundbreaking” precedent.
-
Belgian banks must reimburse phishing victims immediately, unless they later prove gross negligence.
-
Antwerp ruling sets a groundbreaking precedent, shifting liability away from defrauded customers.
-
EU legal opinion reinforces faster refunds and pressures banks to respect consumer protections.
A summary proceedings judge in Antwerp has seemingly changed the way Belgian law addresses phishing fraud, VRT NWS reports.
The judge ruled in favor of an elderly couple who lost €50,000 to a hacker posing as a bank employee in Portugal. They were persuaded to transfer the money to the crook's account.
Banks in Belgium and elsewhere have traditionally refused to refund the money, arguing that customers were guilty of gross negligence for transferring their funds to a fraudulent recipient.
But the judge in Antwerp was the first to actually rule against the bank. According to lawyer Geert Lenssens, who spoke to VRT NWS, this could become an important precedent.
Has your password leaked?
“The principle is simple. The bank is obliged to reimburse a customer who is a victim of phishing, unless the bank proves that the customer has committed a gross error,” said Lenssens.
The concept of “gross error” is key here: that’s why banks have typically refused to pay up.
Now, though, it looks like the banks will have to first compensate the customer and only then take additional action – if, of course, they believe and can prove that the victim has committed a “gross error.”
According to Lenssens, the latter will rarely happen: “A gross error is different from a mistake: if, for example, you enter or hand over your code as a result of a scam, that is not a gross error.”
In recent years, amid surging phishing scams across the continent, European banks have pushed back against demands to compensate victims.
The lawyer is also hoping the banks will finally wake up and start respecting the law. Already in March, the European Union’s highest court issued a formal opinion stating that banks cannot refuse to immediately refund phishing victims. Belgium is a member of the EU.
According to the opinion issued by Athanasios Rantos, Advocate General of the Court of Justice of the European Union, banks must refund the transaction first, unless they can later prove that the customer acted fraudulently or with “gross negligence.”
In recent years, amid surging phishing scams across the continent, European banks have pushed back against demands to compensate victims.
For example, in 2024, Dutch neo bank Bunq initially refused to compensate victims of phishing and help-desk fraud. Victims were tricked by criminals posing as bank employees and persuaded to share login details to transfer funds.
At the time, Bunq’s CEO and founder, Ali Niknam, controversially said that this action was “like giving someone your car keys outside on the street. Then your car is gone,” a statement that the Dutch finance minister later said was “completely inappropriate.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked