A French court has delivered a landmark ruling that should make every bank in Europe nervous. After a Caisse d’Épargne customer lost €5,900 to a sophisticated spoofing scam, the bank refused to refund him, arguing he’d been grossly negligent. Four years later, the Bordeaux Court of Appeal disagreed — and ordered the bank to pay up.
The case highlights a growing tension in fraud prevention: banks increasingly weaponize “customer negligence” to avoid reimbursing scam victims, even when the fraud techniques involved are devastatingly convincing.
How the scam worked
The victim, identified only as M.E., was a Caisse d’Épargne customer in the Aquitaine region. On January 27, 2022, he received a phishing email that tricked him into sharing his login credentials. He suspected something was wrong and contacted his bank that same evening to change his password.
The next morning, things got worse. A real advisor — or someone claiming to be one — emailed saying he should reset his codes immediately. M.E. contacted the bank’s fraud department, changed his password again, and spoke with the advisor.
Then the scammers struck. Fraudulent transaction alerts came through, and M.E. called the hotline number in the messages — except it wasn’t the real hotline. The person on the line claimed to be a bank advisor and asked for his full card numbers, expiry dates, and CVVs to “block” the cards. Later, the scammer called back to say unauthorized transfers were in progress and guided M.E. through confirming new payees via the bank’s own Securipass authentication system.
€5,900 vanished in minutes.
The bank’s defense: “Your fault”
Caisse d’Épargne refused to reimburse a single cent. Their argument? M.E. had committed “gross negligence” by handing over his personal data. The bank even claimed the transactions were technically “authorized” because the customer had confirmed them through the strong authentication system.
That’s the ugly reality of modern banking fraud. Scammers have gotten so good at social engineering that they can manipulate victims into willingly passing every security check the bank requires. The authentication worked exactly as designed — it just authenticated the wrong person’s instructions.
What the courts said
The Bordeaux Judicial Court first sided with M.E. in August 2023, ordering the bank to refund the €5,900 plus legal interest and €750 in legal fees. Caisse d’Épargne appealed. In May 2026, the Court of Appeal upheld the ruling and increased the compensation, ordering an additional €1,500 for procedural costs.
The court’s reasoning was clear: even though the customer confirmed the addition of new payees, he never consented to the actual fraudulent transactions. The strong authentication was manipulated by fraud, not bypassed by it.
Why this matters beyond France
This ruling reinforces the EU’s regulatory framework, under which banks bear responsibility for unauthorized transactions, period. The French Monetary and Financial Code requires immediate reimbursement, and banks can only refuse if they prove gross negligence. The court decided that falling victim to sophisticated spoofing doesn’t meet that bar.
As spoishing (spoofing + phishing) attacks become more sophisticated, with criminals now able to mirror bank phone numbers and email addresses almost perfectly, banks can’t keep shifting blame onto customers for falling for increasingly convincing schemes. The gap between what security systems technically verify and what customers actually intend is where these scams thrive.
The ruling won’t stop the scammers. But it puts banks on notice: improving customer protection isn’t optional, and “the customer should have known better” is a defense that’s running out of runway.
