A French man who fell victim to a “fake bank advisor” spoofing scam has won a significant legal victory against his bank, Caisse d’Épargne, which had refused to refund his stolen money — arguing that he was the negligent one.
The Bordeaux Court of Appeal disagreed and ordered the bank to reimburse him, setting an important precedent in France’s ongoing battle against authorized push payment (APP) fraud.
How the Scam Worked
The victim received calls from fraudsters posing as bank advisors — a scheme known as “spoofing” where attackers make their phone number appear legitimate, often mimicking the actual bank’s customer service line. Convinced he was speaking to a real representative, the victim authorized transfers that emptied his account.
Caisse d’Épargne’s defense was straightforward: the customer made the transfers himself, so the bank argued he bore responsibility for not verifying the identity of the person he was speaking to. It’s a line of reasoning banks have relied on for years to deny fraud reimbursements.
What the Court Said
The appeal court’s ruling leans on France’s Monetary and Financial Code, which states that unauthorized payment operations must be refunded by the payment service provider “immediately.” The key finding: although the customer technically initiated the transfers, he was deceived about the fundamental nature of the transactions, meaning he never truly “authorized” them in the legal sense.
This distinction matters enormously. It shifts the burden away from customers being expected to outsmart sophisticated social engineering attacks, and back onto banks whose infrastructure and branding are being exploited by criminals.
The Bigger Picture on Spoofing Fraud
Spoofing scams targeting bank customers have surged across Europe. In France alone, billions of euros are stolen through social engineering schemes each year. The fake advisor scam — sometimes called “vishing” (voice phishing) — remains one of the hardest to combat because it exploits the inherent trust customers place in their bank’s identity.
Telecom providers have started building STIR/SHAKEN-style caller ID authentication frameworks, but adoption is uneven and criminals adapt fast. Some have moved to SMS-based spoofing or even AI-generated voice clones to make their impersonations more convincing.
What This Means for Consumers
The ruling doesn’t make banks automatically liable for every spoofing case. But it does establish that banks can’t simply point to the customer pressing “confirm” as evidence of informed consent when that customer was actively deceived by spoofed communications that exploited the bank’s own identity.
If you’re reading this and wondering how to protect yourself: never trust inbound calls claiming to be from your bank, even if the caller ID looks right. Hang up, and call the number on the back of your card. It’s tedious, but it’s the only reliable defense against spoofing.
What’s Next
This ruling could prompt similar cases across the EU, where the revised Payment Services Directive (PSD2) already places strong customer authentication requirements on banks. Expect regulators to push harder on caller ID authentication standards, and watch for banks to invest more in real-time transaction monitoring that can flag unusual transfer patterns before the money’s gone.
