The year 2026 has brought a fundamental change for phishing victims across the European Union. The ruling of the CJEU (Court of Justice of the European Union) in case C-70/25 (Tukowiecka) introduces a rule that significantly strengthens the rights of victims of unauthorised transactions against banks. What does this mean in practice?
## What Is Phishing and Why It Is Growing
Phishing is a form of fraud in which the perpetrator impersonates a trustworthy institution - a bank, postal service, online shop or public authority - and lures the victim into entering login credentials or payment card details on a fake website.
Types of phishing in 2026:
- Email phishing - fake emails from “your bank” with a link to a fraudulent page
- Smishing (SMS phishing) - fraudulent text messages with a link, typically “Your parcel is waiting” or “Verify your transaction”
- Vishing (voice phishing) - calls from fake “bankers” requesting login credentials
- Voice cloning - a new form using AI to clone the voice of real bank employees
- Fake websites - perfect replicas of internet banking portals with a URL differing by a single character
According to data from the Czech Banking Association, the number of phishing attacks in the Czech Republic has doubled year-on-year. In the first quarter of 2026, over 3,000 cases were reported.
## Old Rules vs New - What the CJEU Changed

**Before decision C-70/25:**
Banks routinely refused to refund phishing victims, arguing that the client “failed to observe security measures” and “entered credentials on a fraudulent page themselves”. The burden of proof effectively lay with the client, who had to demonstrate that they had acted with due care.
**After decision C-70/25 (Tukowiecka):**
The CJEU established clear rules:
- D+1 Rule: The bank must refund the victim no later than the end of the first business day after the unauthorised transaction is reported
- Shift of the burden of proof: It is now the bank that must demonstrate that the client acted with gross negligence, not the client who must prove due care
- Gross negligence is not ordinary carelessness: Simply clicking on a phishing link or entering credentials on a fake page does not in itself constitute gross negligence
## How to Proceed - the D-Day Algorithm
If you discover that you have fallen victim to phishing, follow this algorithm:
**Day 0 (immediately upon discovery):**
- Call the bank - report the unauthorised transaction on the helpline (24/7)
- Request a block - block internet banking and your card
- Request confirmation - the bank must issue you a written confirmation of the report
- Change passwords - for all accounts where you used the same or a similar password
**Day 1 (first business day):**
- Check the refund - the bank is obliged to return the money by the end of this day
- If it has not refunded - file a written complaint citing C-70/25
**Within 3 days:**
- File a criminal complaint - with the Czech Police or the state prosecutor’s office
- Secure evidence - screenshots of the fake page, emails, text messages
- Consult a lawyer - especially if the bank has refused to refund
## What the Bank Does, What the Victim Does, What the Lawyer Does
| Who | Action | When |
|---|---|---|
| Victim | Reports the unauthorised transaction to the bank | Immediately |
| Bank | Investigates and refunds (D+1) | Within 1 business day |
| Victim | Files a criminal complaint | Within 3 days |
| Lawyer | Drafts the criminal complaint, communicates with the bank | Ongoing |
| Bank | May seek recovery if gross negligence is proven | Within 13 months |
## When the Bank Refuses to Refund
The bank may refuse a refund if it proves gross negligence on the part of the client. What this means:
**Constitutes gross negligence:**
- Knowingly disclosing login credentials to a third party
- Repeatedly ignoring the bank’s security warnings
- Using a device the client knows to be infected with malware
**Does not constitute gross negligence:**
- Clicking on a phishing link in a convincing email
- Entering credentials on a perfect replica of the bank’s website
- Responding to a fake text message that appeared to be from the bank
- Responding to a call from a person impersonating a banker
## If the Bank Refuses - the Court Route
If the bank refuses to refund the money, you have the following options:
- Financial Arbiter of the Czech Republic - out-of-court dispute resolution with banks; proceedings are free of charge
- Civil action - for unjust enrichment or breach of contract
- Criminal complaint against an unknown perpetrator - and subsequent joinder of a civil claim in criminal proceedings
We recommend consulting a lawyer who can assess your specific situation. Our office specialises in helping victims of online fraud and the initial consultation is always free of charge.
## Conclusion
The D+1 rule introduced by the CJEU ruling in case C-70/25 fundamentally changes the balance between the bank and the client in favour of phishing victims. If you have fallen victim to phishing, do not hesitate to act - time works in your favour if you act quickly.
Need help? Contact us - we specialise in representing victims of online fraud and liaising with banks.