An SMS from your bank, followed shortly by a call from someone claiming to be your security team, and just minutes later, several thousand euros are missing from your account. Online banking fraud is now one of the most common crimes on the internet. For victims, a crucial question immediately arises: Is the bank obligated to reimburse the amount, or are they left with the loss? The answer isn't based on the bank's gut feeling, but rather on the German Civil Code's (BGB) regulations governing payment services.
Phishing in online banking: These are the tricks currently being used by perpetrators
The 2026 Cybersecurity Monitor, published by the Federal Office for Information Security (BSI) and the police crime prevention units of the German states and the federal government, paints a clear picture. Eleven percent of internet users in Germany have fallen victim to cybercrime within the past twelve months. Among those affected, 13 percent reported online banking fraud or misuse of account data, 12 percent reported phishing, and 14 percent reported unauthorized access to online accounts. Almost nine out of ten victims suffered damages, with a third reporting direct financial losses.
The attack vectors have shifted. Poorly translated mass emails hardly play a role anymore. Instead, perpetrators rely on smishing via fake SMS messages in the message history of the real bank, quishing with manipulated QR codes, and vishing, i.e., a call from a supposed bank employee with a spoofed phone number. The Cybersecurity Monitor explicitly identifies online fraud and artificial intelligence as a focus topic because generative systems produce forgeries that are virtually flawless in terms of language and design. Phishing is therefore just one manifestation of this. Online fraud, which now reaches consumers through virtually every digital channel.
A crucial technical point for the legal assessment is that login credentials alone are no longer sufficient for perpetrators. Since the introduction of mandatory strong customer authentication, every transfer requires a second authorization, such as via pushTAN or chipTAN. Therefore, attacks no longer target the password, but rather the person using it. In so-called real-time phishing, the perpetrator is simultaneously present in the genuine banking environment and immediately forwards the TAN entered by the victim. A particularly damaging variant involves authorizing device registration: those who confirm this grant the perpetrator permanent, fully functional access to their own device. Typical procedures and damage patterns are described on our page [link to relevant page]. online banking fraud Explained in detail.
If you notice such an incident, every hour counts. Have the legal situation reviewed before making any statements to the bank that could later be used against you.
Unauthorized payment: When the bank must refund according to § 675u of the German Civil Code (BGB).
The legal starting point is simpler than many affected parties assume. According to Section 675j Paragraph 1 of the German Civil Code (BGB), a payment transaction is only valid if the payer has consented to it. Without this consent, it is an unauthorized payment transaction. The consequences are governed by Section 675u of the BGB: In this case, the bank is not entitled to reimbursement of its expenses. It must immediately refund the payer the payment amount and restore the account to the balance it would have had without the debit.
The legislator has set a clear deadline for this. Reimbursement must be made immediately, at the latest by the end of the business day following the day on which the bank became aware of the unauthorized payment or received a corresponding notification. The claim is therefore not contingent upon the bank having completed its internal investigations. In practice, however, this is regularly claimed. The same principles apply to other payment instruments, for example, if you Victims of credit card fraud have become.
The most difficult distinction concerns cases where the victim has entered a TAN themselves. The bank often concludes from this that the payment is authorized and the matter is closed. This conclusion is too simplistic. Consent under Section 675j of the German Civil Code (BGB) always refers to a specific payment transaction with a particular amount and recipient. Anyone who enters a TAN on a fraudulent website because they are led to believe a security check or a chargeback is taking place is not consenting to the transfer actually being executed to an unknown third party. Legally, the transaction therefore remains unauthorized. Whether the bank can nevertheless reclaim any funds is a separate question and is governed by Section 675v of the German Civil Code (BGB).
Furthermore, the notification obligation under Section 676b of the German Civil Code (BGB) is important. Affected individuals must report the unauthorized debit immediately upon discovery. Claims are excluded after a maximum of 13 months following the debit entry. Therefore, anyone who fails to check their bank statements risks losing all their rights.
Immediately check whether your case qualifies as an unauthorized payment transaction. This decision will determine who has the burden of proof in the further proceedings.
Gross negligence according to § 675v BGB: When your right to reimbursement lapses
The right to reimbursement under Section 675u of the German Civil Code (BGB) is not unconditional. Pursuant to Section 675v Paragraph 3 of the BGB, the bank can demand full compensation for damages if the payer caused the loss fraudulently or intentionally or with gross negligence violated their obligations under Section 675l Paragraph 1 of the BGB or the agreed terms and conditions for using the payment instrument. In practice, this counterclaim means that the customer receives no financial compensation. This is precisely where banks almost always resort in phishing cases, as our experience from numerous cases has shown. Fraud cases at Commerzbank and at other institutions.
Gross negligence means that the care required in traffic was violated to a particularly serious degree, and even the simplest, most obvious considerations were not taken into account. This is an assessment of the individual case and not a blanket category. A general statement by the bank that the victim simply provided a TAN is not sufficient.
The circumstances of the attack often argue against the charge of gross negligence. Was the bank's phone number technically spoofed? Was the fake page visually identical to the original? Did the perpetrator provide accurate personal data? Or did the attack run in real time, parallel to the genuine banking session? The design of the authorization message itself is also relevant. If the recipient and the amount are not clearly identifiable in the pushTAN text, the customer can hardly be blamed for not noticing the discrepancy.
Two further provisions are regularly overlooked. According to Section 675v Paragraph 4 of the German Civil Code (BGB), the payer is not liable if the bank has not required strong customer authentication as defined in Section 55 of the German Payment Services Supervision Act (ZAG) or if it has not provided a suitable means of reporting the loss. And according to Section 675v Paragraph 5 of the BGB, liability is waived for all damages incurred after the loss has been reported. A single unclear point in the bank's systems can therefore completely reverse the outcome.
If your bank has refused the refund on the grounds of gross negligence, you should have this justification reviewed by a lawyer instead of accepting it.
Burden of proof according to § 675w BGB and immediate measures after a phishing attack
In a dispute over a phishing transfer, the burden of proof often outweighs the substantive legal situation. Section 675w of the German Civil Code (BGB) clearly places the burden of proof on the bank. If the authorization of a payment transaction is disputed, the bank must prove that the transaction was authenticated, properly recorded, booked, and not affected by any malfunction.
The most practically important part of the standard is at the end. The mere recording of the use of a payment instrument, including authentication tools, is not sufficient in itself to prove that the payer authorized the payment transaction or intentionally or grossly negligently breached their obligations. Therefore, if a bank presents nothing more than a system log documenting a correctly entered TAN, it has not yet fulfilled its burden of proof. Such logs do not automatically create a prima facie case against the customer.
For those affected, this means: Securing your evidence from the very beginning. The following steps are paramount after a phishing incident:
- Block account: Immediately block access and cards via the blocking hotline, note the time and contact person.
- Demand a refund: Report the charge in writing and in a verifiable manner as unauthorized and demand a refund in accordance with § 675u of the German Civil Code (BGB).
- Secure evidence: Document screenshots of the fake website, SMS messages, emails, phone numbers, timestamps and the wording of the release message.
- File a criminal complaint: Reporting the incident to the police secures evidence and supports the account given to the bank.
- Check devices: Check registered devices, sharing settings and stored phone numbers in online banking and change access data.
- Observe deadlines: Keep an eye on the notification period of § 676b BGB and the exclusion period of 13 months.
If the money has already been transferred, tracing the payment paths is often necessary. When converting to cryptocurrencies, we use the same tools for this purpose that we also use in the area of... Crypto fraud Use tools such as blockchain analysis and the involvement of participating payment service providers. Avoid any hasty wording that might admit fault, and have your correspondence with the bank reviewed before sending it.
When is legal advice worthwhile in cases of phishing in online banking?
Legal support is always advisable if the bank refuses a refund, reviews the case for weeks, or makes a blanket statement alleging gross negligence. Responding to a letter from the bank claiming damages under Section 675v Paragraph 3 of the German Civil Code (BGB) should also not be done without legal assessment. The same applies to large sums of money, multiple transactions over several days, and cases involving international transactions.
The legal review addresses several points: Was there actually effective authorization for the specific payment transaction? Did the bank implement strong customer authentication in accordance with Section 55 of the German Payment Services Supervision Act (ZAG), and was its design suitable for clearly identifying the payment transaction? Does the bank substantiate the requirements of Section 675v Paragraph 3 of the German Civil Code (BGB), or does it rely solely on logs that are insufficient under Section 675w of the BGB? And were there any unusual transaction patterns that might have triggered a duty of warning on the part of the bank? You can obtain an initial assessment through our initial consultation.
Rogert & Ulbrich represents clients nationwide in banking law and at fraud cases of all kinds. The law firm around Dr. Marco Rogert and Tobias Ulbrich The firm has taken on over 40,000 cases and filed over 25,000 lawsuits, a significant portion of which are against banks and financial service providers. Cases are handled out of court with the bank and, if necessary, through litigation. Separate offices exist for the Rhineland and Ruhr region, for example, for... Düsseldorf, Cologne and Eat.
If your bank refuses the chargeback, Get in touch, as long as documents, records and time information are still fully available.
Conclusion: Phishing in online banking and the bank's liability
Phishing in online banking is no longer a fringe phenomenon, but according to the Cybersecurity Monitor 2026, it affects a significant portion of the population. The legal situation is better than the initial reaction of many banks would suggest. In the case of an unauthorized payment transaction, there is a right to reimbursement under Section 675u of the German Civil Code (BGB), immediately and without reservation of internal investigations. The bank can only be exempt from this obligation if it demonstrates and proves the conditions of Section 675v Paragraph 3 of the German Civil Code (BGB).
The accusation of gross negligence is not automatic, but rather a case-by-case assessment that depends on the quality of the forgery, the design of the release notification, and the specific sequence of events. Furthermore, according to Section 675w of the German Civil Code (BGB), the burden of proof lies with the bank, which cannot simply rely on a system log. Anyone who reports the matter promptly, secures evidence, adheres to the deadline stipulated in Section 676b of the BGB, and does not accept the bank's rejection as final, significantly improves their position.



