Introduction
Phishing — the digital deception that tricks people into handing over their credentials to fake websites — is one of the most widespread threats in the cybersecurity landscape. It doesn’t only affect large companies or tech experts: it targets anyone who uses the internet to sell items, make purchases, or access their bank accounts. A recent case, which emerged in Poland and reached European institutions, shows just how sophisticated this scam can be, and how its legal consequences are still partly undefined.
What happened
A customer of the Polish bank PKO BP S.A. was most likely using an online selling or auction platform when they were contacted by what appeared to be an interested buyer. This unknown individual sent them a link that looked identical to their bank’s login page. The victim entered their credentials on that fake site, without realising the deception. The fraudster, now in possession of the login details, carried out an unauthorised transaction, withdrawing money from the account.
The bank refused to reimburse the customer, arguing that the victim’s behaviour was grossly negligent — meaning they had acted with such carelessness as to absolve the bank of any liability. The dispute reached the Court of Justice of the European Union. In March 2026, the Advocate General of the Court of Justice of the European Union, Athanasios Rantos, issued an opinion stating that banks are required to immediately refund unauthorised transactions. Only at a later stage, if they can demonstrate that the customer acted with gross negligence, may they seek to recover the refunded amounts. The identity of the fraudster remains unknown.
Why it matters
This case is not just about one person and one bank in Poland. It establishes a principle that could apply to all European consumers: immediate reimbursement is not a concession from the bank, but a right. It reverses the burden of proof, requiring the bank to demonstrate the customer’s negligence, not the other way around. For millions of users who every day receive suspicious messages or click on unexpected links, this distinction is fundamental.
What companies and users can do now
Anyone who sells online should carefully verify any link received from unknown buyers, even if it appears to come from a trusted source. Before entering banking credentials, it is good practice to type the bank’s address directly into the browser, rather than clicking on external links. Companies managing selling platforms should better inform their users about these risks, perhaps through visible warnings during transactions.
Final takeaways
- Phishing targets ordinary people in everyday situations, such as selling second-hand items online.
- According to an EU Advocate General opinion, banks should immediately refund customers who are victims of unauthorised transactions, unless gross negligence can be proven at a later stage.
- The first line of defence remains caution: never enter your banking credentials through links received from third parties.
Sources:
https://www.bleepingcomputer.com/news/legal/eu-court-adviser-says-banks-must-immediately-refund-phishing-victims/
https://curia.europa.eu/site/upload/docs/application/pdf/2026-03/cp260031en.pdf
https://ieu-monitoring.com/editorial/eu-advocate-general-opinion-banks-must-refund-unauthorised-payments-immediately/892645
Source: BleepingComputer