EU Adviser: Banks Must Refund Phishing Victims, Even If It's Your Fault
A top EU court official suggests banks must refund phishing victims promptly, even if the victim made an error, strengthening consumer protection against online fraud.
Phishing attacks are more sophisticated than ever, making it increasingly difficult for even vigilant users to spot a scam. Falling victim can be financially devastating, leaving individuals feeling helpless and out of pocket. However, a recent opinion from a high-level EU court adviser could significantly change the landscape for consumer protection, offering a vital safety net for those affected by these pervasive online threats.
The Quick Take
- Source: Advocate General Athanasios Rantos of the Court of Justice of the EU (CJEU) issued a formal opinion.
- Core Recommendation: Banks should immediately refund customers for unauthorized transactions resulting from phishing.
- Key Condition: This refund obligation applies even if the customer inadvertently facilitated the fraud (e.g., by clicking a malicious link or disclosing credentials).
- Legal Basis: The opinion interprets the EU's Payment Services Directive 2 (PSD2), which aims to enhance consumer rights in payment services.
- Bank's Burden: Banks can only refuse a refund if they can prove "gross negligence" on the part of the account holder, a high legal bar.
- Status: This is an advisory opinion, not a final ruling, but CJEU judges frequently follow their Advocates General's recommendations.
What's Happening
In a move that could significantly bolster consumer rights across the European Union, Athanasios Rantos, the Advocate General of the Court of Justice of the EU (CJEU), has issued a formal opinion recommending that banks swiftly refund account holders who have fallen victim to unauthorized transactions, particularly those stemming from phishing attacks. This recommendation is particularly noteworthy because it suggests banks are obligated to refund even when the customer's actions, such as clicking a malicious link or inadvertently providing credentials, directly led to the fraud.
The Advocate General's opinion centers on the interpretation of the EU's Payment Services Directive 2 (PSD2). This directive, implemented to make payments safer and more consumer-friendly across the EU, places a strong emphasis on protecting account holders from unauthorized transactions. Under PSD2, if an unauthorized payment occurs, the payment service provider (the bank) is generally required to refund the amount immediately and restore the account to its pre-transaction state. The crucial element of Rantos's opinion is his interpretation of the conditions under which banks can refuse such refunds.
Specifically, the opinion states that banks can only refuse a refund if they can prove "gross negligence" by the customer. This is a much higher legal standard than simple negligence or user error. Simple negligence might include inadvertently falling for a convincing phishing email, while gross negligence would imply a significant, reckless disregard for security measures, such as openly sharing PINs or consistently ignoring clear security warnings. The burden of proof for gross negligence lies firmly with the bank, making it more challenging for them to deny claims. While this opinion is not yet legally binding, Advocates General's recommendations are often, though not always, adopted by the CJEU in its final rulings, signaling a potential major shift in liability for online fraud in the EU.
Why It Matters
For everyday users, this opinion carries immense practical significance, particularly in the realm of cybersecurity. Phishing remains one of the most prevalent and effective cyber threats, constantly evolving to trick unsuspecting individuals. The financial repercussions for victims can be devastating, often leading to significant personal losses. By shifting the primary financial liability to banks, this recommendation provides a crucial safety net, empowering consumers who might otherwise face insurmountable losses from sophisticated social engineering tactics.
This potential shift in responsibility also puts greater pressure on financial institutions to invest more heavily in robust security measures, advanced fraud detection systems, and effective customer education initiatives. If banks are more consistently held accountable for losses, they have a stronger incentive to prevent fraud from occurring in the first place, rather than solely relying on customer vigilance. This could lead to better overall cybersecurity infrastructure within the banking sector, ultimately benefiting all users.
Beyond the financial aspect, this opinion addresses the psychological toll on phishing victims. The blame often falls on the individual for making a mistake, but this interpretation acknowledges the increasing sophistication of cybercriminals and the inherent difficulty for non-experts to always discern legitimate communications from fraudulent ones. By recognizing that even simple user error should not automatically absolve banks of responsibility, it offers a more balanced approach to shared risk in the digital age, fostering greater trust and security in online financial transactions for millions of EU citizens.
What You Can Do
- Report Fraud Promptly: If you suspect you've been a victim of phishing or an unauthorized transaction, contact your bank immediately. Time is often critical in fraud recovery.
- Enable Multi-Factor Authentication (MFA): Activate MFA on all your online banking and email accounts. This adds a crucial layer of security, making it significantly harder for criminals to access your accounts even if they have your password.
- Exercise Skepticism: Be wary of unsolicited emails, texts, or calls, especially those asking for personal information, login credentials, or to click on suspicious links. Always verify the sender through an official channel if unsure.
- Check Sender Details Carefully: Before clicking links or downloading attachments, scrutinize the sender's email address for slight variations or misspellings that indicate a spoofed address.
- Understand Your Bank's Fraud Process: Familiarize yourself with your bank's procedures for reporting fraud and what steps they require you to take.
- Know Your Rights (EU Residents): If you are in an EU member state, be aware of your rights under PSD2 concerning unauthorized transactions, particularly regarding the bank's burden to prove gross negligence to deny a refund.
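The "check sender details carefully" advice above can be automated for a mailbox or a fraud-desk triage queue. The following is an added example, not code from the original article or from any bank: it takes a From header, ignores the display name, and compares the real sender domain against a constructed allowlist of the bank's own domains (examplebank.eu and mail.examplebank.eu are assumptions), flagging homoglyph variants, the trusted name embedded as a subdomain of another domain, and near-misses within a couple of edits. All sample addresses are constructed and belong to no real bank.

```python
"""
Lookalike-sender check for the "check sender details" advice.
Added example: the trusted domains and sample From headers below are
constructed for illustration and do not refer to any real bank.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed allowlist: domains the bank actually sends from (assumption).
TRUSTED_DOMAINS = {"examplebank.eu", "mail.examplebank.eu"}

# Substitutions commonly used so a registered lookalike reads like the
# original. Multi-character keys are applied before single ones.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


@dataclass
class Verdict:
    address: str
    domain: str
    status: str   # "trusted", "lookalike" or "untrusted"
    reason: str


def sender_domain(header_value: str) -> str:
    """Take the domain from the real address; the display name is ignored."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {header_value!r}")
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def normalize(domain: str) -> str:
    """Map confusable characters to the letters they imitate."""
    out = domain
    for lookalike, plain in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        out = out.replace(lookalike, plain)
    return out


def registrable(domain: str) -> str:
    """Last two labels, a rough stand-in for the registrable part of a domain."""
    parts = domain.split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(header_value: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> Verdict:
    """Decide whether the sender domain is trusted, a lookalike, or simply unknown."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return Verdict(header_value, domain, "trusted", "exact match with allowlist")
    for t in sorted(trusted):
        if normalize(domain) == normalize(t):
            return Verdict(header_value, domain, "lookalike", f"homoglyph variant of {t}")
        if registrable(t) in domain:
            return Verdict(header_value, domain, "lookalike",
                           f"{registrable(t)} embedded in another domain")
        dist = levenshtein(normalize(registrable(domain)), normalize(registrable(t)))
        if dist <= max_edits:
            return Verdict(header_value, domain, "lookalike",
                           f"{dist} edit(s) from {registrable(t)}")
    return Verdict(header_value, domain, "untrusted", "not on the allowlist and not a near match")


# Constructed sample From headers; none of these domains belong to a real bank.
SAMPLES = [
    "alerts@examplebank.eu",
    "Example Bank <alerts@exarnplebank.eu>",
    "security@examp1ebank.eu",
    "Example Bank <alerts@examplebank.eu.verify-account.com>",
    "alerts@examplebanks.eu",
    "Example Bank <noreply@attacker.example>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = classify(sample)
        print(f"{v.status:10} {v.domain:45} {v.reason}")
```

Note that "untrusted" is not a clean bill of health: a message claiming to come from your bank but sent from an unrelated domain (the last sample, whose display name says "Example Bank") is exactly the case the advice above tells you to verify through an official channel. The allowlist decides what is legitimate; the lookalike heuristics only explain why a near-miss is suspicious.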
Common Questions
Q: Is this Advocate General's opinion a final legal ruling?
A: No, it is a formal advisory opinion issued by an Advocate General of the CJEU. While these opinions are highly influential and often followed by the Court's judges, they are not legally binding until the CJEU delivers its final judgment on the case.
Q: Does this opinion apply to banks and customers outside the EU?
A: Currently, this opinion, based on the EU's Payment Services Directive 2 (PSD2), specifically applies to financial institutions and account holders within the European Union's member states. Other regions may have different laws and regulations concerning liability for financial fraud.
Q: What exactly does "gross negligence" mean in this context?
A: Gross negligence is a legal term implying a severe lack of care or a deliberate disregard for safety that goes significantly beyond simple carelessness or an honest mistake. For a bank to prove gross negligence, it would need to demonstrate that the customer acted with a profound and reckless indifference to their account security, making it a challenging standard for banks to meet.
Sources
Based on content from BleepingComputer.
Key Takeaways
- EU court adviser recommends banks refund phishing victims.
- This applies even if the victim made an error.
- Banks must prove 'gross negligence' to deny refunds.
- Opinion is based on the Payment Services Directive (PSD2).
- Not a final ruling, but often influential in CJEU decisions.