A recent judgment of the Athens Court of First Instance (ΜΠρΑθ 4682/2026) offers important protection to victims of online banking fraud.
In this case, a bank customer fell victim to a phishing scam and lost €19,660 within one hour, after being misled into entering SMS-OTP codes on a fake banking website.
The Court held the bank liable, finding that it had failed to detect suspicious transactions that were unusually high and successive, and had delayed blocking the fraudsters’ accounts despite being promptly notified by the victim.
Importantly, the Court rejected the bank’s attempt to rely on contractual clauses excluding liability in cases of disclosure of security credentials, holding such clauses invalid under Greek law implementing PSD2.
The bank was ordered to reimburse the customer €17,789.51, corresponding to the stolen amount minus the sum recovered.
This decision confirms that banks have a strict duty to maintain effective fraud detection and prevention systems and cannot automatically shift the entire burden of phishing fraud onto customers acting in good faith.
