A customer of Caisse d’Épargne in France has won a four-year legal battle to get reimbursed after losing €5,900 to a sophisticated bank spoofing scam. The Bordeaux Court of Appeal ruled in his favor in May 2026, ordering the bank to refund the stolen money plus legal costs — despite the bank’s argument that the customer himself was negligent.
How the Scam Unfolded
The timeline is a masterclass in how modern fraud works. On January 27, 2022, the customer — identified in court documents as M.E. — received a phishing email asking for his banking credentials. He entered them, but quickly realized something was off and contacted his bank that same evening to change his password.
The next morning, a real bank advisor (M. Q.) emailed him saying he could update his login details and recommended contacting the fraud department. M.E. did exactly that, changed his password again, and spoke with the advisor. So far, so good.
Then the afternoon turned. He started receiving messages about fraudulent transactions and, thinking he was continuing the morning’s security process, called the hotline number in those messages. It wasn’t his bank. It was the scammers, who’d spoofed the number. They told him they needed his full card details — 16-digit number, expiration date, security code — to “block” his cards. He gave them everything.
The fraudsters called back to say unauthorized transfers were in progress. When he couldn’t log into his online banking, the person on the phone assured him they were handling it. Believing he was following official procedure, he confirmed adding new payees through the bank’s own Securipass authentication system. The scammers walked away with €5,900.
The Bank Said It Was His Fault
Caisse d’Épargne refused to reimburse M.E., arguing he’d shown “gross negligence” by handing over his personal data. The bank claimed the transactions were technically “authorized” because the customer had validated them through the strong authentication system.
A Bordeaux judge disagreed in August 2023, ordering the bank to refund the €5,900 plus interest and €750 in legal fees. The bank appealed. Four years after the original scam, the Court of Appeal upheld the ruling — adding another €1,500 for appellate legal costs.
Why This Ruling Matters
The case hinges on a critical distinction: validating an action through authentication isn’t the same as consenting to it. The customer added new payees because a scammer told him to, under the false belief that he was working with his bank. The court found that no reasonable person should be expected to second-guess a process that appeared to come from legitimate bank channels.
Under France’s Monetary and Financial Code, banks must refund unauthorized payments immediately unless they can prove gross negligence. This ruling reinforces that the bar for “gross negligence” is high — and that banks can’t hide behind their own authentication systems when social engineering tricks customers into using them.
For anyone reading this: your bank will never ask for your full card number, security code, or to add new payees over the phone. Ever. If someone claiming to be your bank asks for any of that, hang up and call the number on the back of your card. The scammers are getting more convincing, but that rule hasn’t changed.
