Legal Standards and Case Law on CEO-Fraud
Phishing and CEO fraud have become prominent tools in the arsenal of organized cybercrime. Increasingly, companies are not just targets but gateways through which substantial sums are misappropriated, often under the guise of legitimate internal instructions. The legal fallout is predictable yet complex: Who bears the financial loss when a manipulated employee executes a fraudulent payment? Can the company hold its bank liable, or does the responsibility fall on internal governance?
This article explores the legal framework governing the liability of phishing and CEO fraud victims, particularly from a civil law perspective. The analysis is grounded in recent German case law, interpreted within the context of the European PSD2 regime and modern organizational security obligations.
I. Phishing as a Precursor to CEO Fraud
While traditional phishing typically aims to steal login credentials, CEO fraud relies on an elaborate blend of technical manipulation and social engineering. Attackers impersonate senior executives, often using convincingly forged email addresses or domains, to direct finance personnel to initiate confidential high-value payments. Such attacks usually succeed only after preparatory steps—phishing for email credentials or insider knowledge.
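The forged sender addresses and lookalike domains described above are the part of a CEO-fraud mail that a mail gateway can actually check. The following is an added example (not code from the original article) of the kind of inbound-mail triage a security team would run: it flags display-name impersonation of a known executive, a sender domain that imitates the company's own, a Reply-To pointing elsewhere, and payment-pressure language combined with bank details. The executive directory, the domains and both sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed executive directory and company domains (hypothetical values,
# not taken from the article). In practice this comes from the HR or
# identity system and the mail gateway's accepted-domain list.
EXECUTIVES = {"anna meier": "a.meier@example-corp.de"}
OUR_DOMAINS = {"example-corp.de"}

# Substitutions attackers use to build visually similar domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
PRESSURE_WORDS = ("urgent", "confidential", "wire", "transfer", "do not discuss")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{2,4}){3,8}\b")


def normalize_domain(domain: str) -> str:
    """Undo common homoglyph tricks so 'examp1e-corp.de' compares as 'example-corp.de'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def lookalike(domain: str) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates, or None if it is ours or unrelated."""
    if domain in OUR_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for ours in OUR_DOMAINS:
        if norm == ours or SequenceMatcher(None, norm, ours).ratio() >= 0.85:
            return ours
    return None


def analyze(raw_message: str) -> List[str]:
    """Return a list of finding codes for one RFC 822 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Display name of a known executive, but not their real mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 2. Sender domain imitates one of our own domains.
    if lookalike(from_domain):
        findings.append("lookalike-domain")

    # 3. Replies would go to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Urgency/secrecy wording together with an IBAN in the message.
    if msg.is_multipart():
        body = " ".join(p.get_payload(decode=True).decode(errors="replace")
                        for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in PRESSURE_WORDS) and IBAN_RE.search(body):
        findings.append("payment-instruction-with-pressure")

    return findings


# Constructed sample messages (the IBAN is the well-known German example IBAN).
SUSPICIOUS_MAIL = """From: "Anna Meier" <anna.meier@examp1e-corp.de>
Reply-To: a.meier.ceo@gmail.com
To: finance@example-corp.de
Subject: Urgent confidential transfer

Please wire EUR 48,500 today to the account below and do not discuss
this with anyone. IBAN DE89 3704 0044 0532 0130 00
"""

LEGITIMATE_MAIL = """From: "Anna Meier" <a.meier@example-corp.de>
To: finance@example-corp.de
Subject: Quarterly report

Please find the quarterly report attached. Regards, Anna
"""

if __name__ == "__main__":
    print("suspicious:", analyze(SUSPICIOUS_MAIL))
    print("legitimate:", analyze(LEGITIMATE_MAIL))
```

A hit on any of these findings should route the message to manual review rather than to the finance inbox. The checks complement, and do not replace, the organizational controls discussed later in the article: an out-of-band callback to a number already on file and a second approver for every payment or bank-detail change.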
At their core, these cases raise fundamental questions: Is the payment legally authorized? Can the company be held liable for acting on manipulated instructions? And what level of security diligence is legally required?
II. Legal Framework: The Central Role of Section 675u of the BGB
The legal answer is anchored in Section 675u of the German Civil Code (BGB). Under this provision, a bank has no claim to reimbursement for an unauthorised payment transaction and must refund the amount to the account holder without undue delay. Under Section 675j BGB, a payment transaction is authorised only if the payer has consented to it; for a company, consent given by a duly empowered representative counts as the company's consent.
Accordingly, where a payment is triggered by deception or identity fraud, the bank is usually required to reverse the transaction. The exception is the payer's own liability under Section 675v BGB, which arises where the customer acted with intent or gross negligence.
These cases, therefore, turn on two pivotal points:
- Was the payment genuinely authorized?
- Did the customer act with gross negligence?
III. Authorization and Apparent Authority: Narrow Interpretation by Courts
German courts have increasingly adopted a narrow view of what qualifies as valid authorization. A forged fax or email with a counterfeit signature does not suffice—even if it appears internally consistent. In a landmark case, the Regional Court of Karlsruhe (LG Karlsruhe, BKR 2019, 151) ruled that a payment order submitted by email, bearing a forged signature, could not be considered authorized. A similar decision by the LG Düsseldorf (BKR 2019, 154) confirmed that the bank bears the risk of acting on facially plausible but fraudulent instructions.
Even the doctrine of apparent authority, under which a company's conduct creates the appearance of consent, has been applied restrictively. The LG Heilbronn (judgment of 2 April 2024, Bm 6 O 378/23) rejected the idea that a customer's interaction with a fake web form could justify attributing the subsequent Apple Pay activation to that customer.
IV. Gross Negligence: A High Bar for the Bank to Clear
Ordinary negligence does not affect the refund claim under Section 675u BGB; only gross negligence (or intent) makes the customer liable for the loss under Section 675v BGB and thereby defeats recovery in practice. The courts have set the bar high, particularly where the deception was sophisticated, and it is the bank that must prove gross negligence (Section 675w BGB). Since the implementation of PSD2, Section 675v(4) BGB adds a further hurdle: the customer is not liable at all, even for gross negligence, where the bank did not require strong customer authentication for the transaction.
The LG Köln (BKR 2024, 339) found no gross negligence when a customer, tricked by a spoofed caller ID, approved a “card registration” via a banking app—unaware that this would activate Apple Pay on a fraudster’s device. The court emphasized the vague language used in the app and the psychological pressure of the moment.
Similarly, in other decisions, such as those by the LG Berlin and KG Berlin, courts acknowledged that even prudent users can fall victim to highly realistic phishing scenarios. Absent clear security warnings or protocol breaches, customers are not expected to detect every form of manipulation.
V. Internal Controls and the Role of the Company
CEO fraud cases raise the stakes for internal compliance. Courts will examine whether a payment was executed by an authorized signatory, whether a four-eyes principle was implemented, and whether communication channels were secured.
In one key decision, the LG Karlsruhe highlighted a company’s lack of robust internal controls. A mid-level finance employee executed a fraudulent transfer based on emails purportedly from the company’s managing director. The court ruled that the bank should have noticed anomalies—such as missing original signatures—and bore liability for processing the transaction.
Even where no gross negligence is found, procedural laxity on the company's side can count against it. Courts increasingly scrutinise internal workflows, particularly where companies rely on outdated verification methods.
VI. Contributory Negligence and Organizational Fault
While customers are protected in principle, they are not immune from scrutiny. Under Section 254 BGB, contributory negligence can reduce or eliminate claims—especially when companies fail to implement adequate cybersecurity protocols.
In a prominent ruling (OLG Karlsruhe, MMR 2023, 761), a company sent invoices via unencrypted email, which attackers intercepted and modified. The court rejected the debtor's argument that payment to the wrong account extinguished the debt, but recognised that the creditor's lax email security may give rise to liability under the principle of good faith (Section 242 BGB).
Courts consider several factors: Are passwords regularly updated? Is two-factor authentication enforced? Are employees trained to recognize fraud tactics? The absence of such precautions may shift liability.

The liability framework for phishing and CEO fraud in Germany rests on a nuanced balance. Victims are generally protected unless they failed to implement basic security precautions. However, the burden of proof and procedural diligence is shifting. Organizations must ensure that their internal controls, IT systems, and staff awareness are adequate—not only to prevent loss, but to sustain legal protection if the worst happens.
VII. Implications for Compliance and Risk Management
The legal trend is clear: German courts have shown a growing willingness to protect victims of cyber fraud, as long as their conduct does not rise to the level of gross negligence. At the same time, the expectations for corporate IT governance and process integrity are rising.
Companies must not treat cybersecurity as a technical issue alone—it is a leadership and compliance concern. Risk-aware behavior requires clear protocols for payment approvals, encrypted communication channels, and regular staff training. Internal controls must evolve in step with the changing threat landscape. Simply relying on the presumption that the bank will cover losses is no longer sufficient. In the event of litigation, courts will examine what was done to prevent foreseeable fraud—and what was neglected.