The Growing Threat of Bank Phishing Scams
Online banking customers face constant risk from phishing attacks. Criminals trick users into entering their login credentials on a fake page, then use those credentials to empty the account. Many people wonder how the unauthorized transfers get through: normally a fraudster who holds only the login credentials still needs the customer's separate authorization, such as a transaction authentication number (TAN), before a new payment is approved. Scammers nevertheless keep finding ways to bypass that second step.
The PKO BP Bank Case in Poland
A recent lawsuit in Poland highlights this legal and financial conflict. A customer sued the Polish bank PKO BP S.A. at the District Court in Koszalin. The customer listed an item for sale on an online auction platform. A scammer contacted the seller and sent a fraudulent link. This link directed the customer to a fake website that looked exactly like the bank’s login page.
The customer entered her online banking credentials. The fraudster captured these details and initiated an unauthorized money transfer to a different account. The victim reported the theft to the bank and the local police the very next day. Authorities could not identify the fraudsters.
The Bank’s Refusal and the ECJ Referral
The bank refused to reimburse the stolen funds. The institution argued that the customer acted with gross negligence by giving away her login details. Consequently, the customer filed a lawsuit against the bank. The Polish district court then asked the European Court of Justice (ECJ) for guidance. The court needed to know if European Union payment laws require banks to refund unauthorized transactions immediately, even when the bank suspects gross negligence.
The Advocate General’s Recommendation
On March 5, 2026, Advocate General Athanasios Rantos delivered his formal opinion on the case. He stated that EU law strictly requires payment service providers to refund unauthorized transactions immediately. Banks must issue this refund even if the customer carelessly disclosed their access data.
Rantos noted only one strict exception to this rule. A bank can delay the refund only if it has solid evidence of actual fraud committed by the customer. In that scenario, the bank must report its suspicions in writing to the relevant national authority. The law provides no other exceptions. Banks cannot use gross negligence as an excuse to withhold the initial reimbursement.
The Recovery Process for Banks
This immediate refund does not end the dispute. The bank can investigate the incident after reimbursing the customer. If the bank proves that the customer breached their security obligations intentionally or through gross negligence, the bank can reclaim the money. The bank must pursue legal action against the customer if the customer refuses to return the funds. This process ensures high consumer protection while still holding careless users accountable in court.
Implications for Online Banking Security
This legal opinion sets a clear direction for consumer rights. Customers will receive immediate financial relief after a phishing attack. The financial burden shifts temporarily to the banking institutions.
However, customers must still protect their authorization methods. The recommendation protects users whose login credentials are phished; it does not cover users who themselves authorize the fraudulent transfer. Banks, for their part, must provide secure authorization systems. German courts have already ruled that SMS-TANs are not sufficiently secure, because an attacker who takes over the victim's phone number via SIM swapping receives the codes in the victim's place.
If the ECJ adopts this recommendation, liability risk will rise for banks that rely on a single mobile device, and a single app, for both logging in and authorizing payments. If malware on that phone approves a payment without any input from the user, the bank will struggle to prove gross negligence on the customer's side. The precedent will push banks toward stronger, more reliable authorization systems for online transactions.