Identity fraud
Did you receive an email from a hotel in Spain asking you to enter your bank details or did you receive a phone call from your bank? Beware! This could be an attempt to steal your identity or spoof you in order to extract money from your bank account without your knowledge.
- What is identity theft?
- A fraudster is impersonating you
- A fraudster posing as your bank adviser
- Better protection against these frauds starting 2026
What is identity theft?
Identity theft occurs when someone uses another person’s data without their permission. This includes any data that is used to identify the person: name, identity documents, bank details etc. The fraudster then uses this data to carry out financial transactions for example.
Identity theft is not always linked to the loss or theft of an ID card or passport. It can also be a digital process by using personal data that you have entered online on a website.
A fraudster is stealing your identity
Description of the fraud
- You receive an email from someone based abroad who makes you a surprising and attractive offer. They want you to receive a sum of money on your account before transferring it to another person’s account. In return, you receive a payment.
- You receive a message on your phone telling you that your subscription is about to expire. The message asks you to reconfirm your personal information.
Methods used
These various methods have one thing in common: taking your personal data. This could be your ID, your bank details, your social security number etc. This type of fraud is called phishing. The fraudster manages to steal your personal details and then, once they have them, uses them for fraudulent purposes.
Depending on what you have given them, the fraudster will be able to make online purchases or even open a bank account in your name with an online bank. The fraudster can generate a deepfake video with your face and validate the opening of an online bank account. All they need is an ID and audio samples of your voice, which are often available on social media. This will then allow the fraudster to write cheques or take out credit in your name.
Tips to prevent your personal data from being stolen
- Do not give your sensitive personal data to anyone whose identity you are not sure of. Do not respond to unsolicited and unidentified calls and emails.
- When you create an online profile, always give only the bare minimum of personal information. Only provide the information that is compulsory for registering for the service. If you need to provide a copy of your ID, use a single-use identity document generator.
- Always be careful when you interact with someone on the internet or by telephone, as soon as they ask you for personal information. Don’t reply to messages that seem dubious!
- Check that your email address or telephone number is not publicly visible.
- Use different, complex passwords for each site where you have entered personal data. Never share your passwords with anyone else.
- Use two-factor authentication whenever possible on sites where you enter personal information. In addition to a password for logging onto the site, you will receive a one-time code sent to your phone.
- Avoid connecting to your bank account over public Wi-Fi.
As a result of fraudulent use of your identity, you may be registered with the Banque de France. To find out if this applies to you, check the entries in the Personal Credit Reimbursement Incident File.
What should I do if my identity has been stolen?
- File a complaint at a police station or gendarmerie. You can also file a complaint online or use the PHAROS platform to report internet fraud.
- Notify all the banks and insurance companies that you use.
- Check whether any other accounts have been opened in your name. All you have to do is make a request to the French National Committee on Data Protection. It is called the “CNIL” and will grant you access to the national bank account file.
- Check if you are registered with the Banque de France for a credit repayment incident.
A fraudster posing as your bank advisor
Description of the fraud
- You receive a call from an advisor at your bank alerting you to an attempt to hack into your account.
- You receive an email with the logo of your bank, an insurance company, a public authority, the carrier of your parcel, your streaming platform, your hotel or the travel platforms which you have used. The email asks you to enter your bank details and password, or to click on a link.
- You end up on a site that looks authentic and asks you to enter confidential information, for example to enter your credit card numbers or upload your ID document.
- You fall into the trap and fill in all the information requested. Shortly afterwards, a large sum of money is taken from your bank account.
Methods used
The scammer tries to create a feeling of trust by pretending to be someone you know or rely on. To do this, they use an email address similar to that of the person they are trying to impersonate. Or, when they call you, they display a number saved in your phone contacts.
Imitation can go even further, using artificial intelligence software. For example, the scammer may imitate the voice of someone close to you or a bank adviser. They then ask you to make a transfer, stressing the urgency of the situation. You eventually comply without realizing the deception. You are a victim of spoofing.
What is spoofing?
The most widespread variant is the fake bank adviser fraud. A fraudster pretends to be a member of staff at your bank. They either send you an email or call you using your bank’s number. They tell you that they have detected suspicious transactions. To make their message more credible, the fraudster may already have access to some of your bank details from hacking into them. The scammer may ask you for additional bank details or request that you carry out certain actions, such as sending a wire transfer.
Tips
- Don’t reply to an email that seems suspicious. A bank would never ask you to provide personal information by email.
- If you receive an email from your bank that seems dubious, remain vigilant. Look for spelling mistakes, grammatical errors or sentences that do not make sense. Do not click on any links or download any attachments.
- Never share your bank details over the phone! Don’t give in to threats or pressure.
- Hang up, and then check with the organisation whether the phone call is really coming from their services. Call customer service or log in directly to your online account.
- Check your bank statements regularly to spot any abnormal transactions and be able to react quickly.
How can you tell the difference between a trustworthy European trader and a European fraudster?
A professional offering financial products must be authorized to do business. If it is an establishment registered in another European country, check the register in the country of origin. For electronic money and payment institutions, you can consult the European Banking Authority register. It will help you find out which ones are authorised.
Even if the email has the subject ‘verification required’, ‘secure your account’, ‘confirm data’ or ‘update your user data’, this does not necessarily mean that it comes from a reliable source. It’s important to check whether you can trust the email address. Is it an official address? Does it coincide with the company name, or does it end with a generic email service? Check that the words are spelled correctly. One or two missing letters, as in suport@banque.fr, can reveal whether the email address is genuine, provided you pay close enough attention.
What should you do if you are victim of the fraud?
- Stop all contact with the person you are in contact with, even if they send you a reminder.
- Report the scam to signal-spam.fr.
- Change your passwords immediately.
- If you have given your bank details, stop payment on your cards and monitor your accounts.
- If you have been debited, file a complaint with the police and contact your bank advisor as soon as possible. For more information, see our article on paying in Europe.
- Ask your bank for a refund of the sums debited. If your bank refuses to reimburse you, it must prove that you were grossly negligent in connection with the fraud.
Better protection against such fraud starting in 2026
The European Union has taken steps to combat identity fraud. Thanks to the Payment Services Directive, which should come into force in 2026, consumers will be better protected against this type of fraud.
The text sets out a number of obligations for banks:
- Make consumers more aware of the risks of fraud.
- Strengthen strong authentication systems.
- For each bank transfer, check that the beneficiary IBAN number matches the name of the account.
Europe also wants to change responsibility in cases of fraud to protect victims. Until now, when you lose money as a result of spoofing, the bank only reimbursed you if it had not asked you for strong authentication at the time of payment.
From now on, there will be a right to reimbursement in the event of fraud involving bank identity theft. This means that the bank will be held responsible if you were manipulated by a fake bank advisor. You will be fully reimbursed for the amount taken from your bank account. All you will need to do is file a complaint with the police and notify the bank as soon as possible. The only exception is gross negligence on your part. For example, if you fall for the same type of fraud multiple times. In this case, the bank is not obliged to reimburse you.
In France, banks must now reimburse consumers who have been scammed
On October 23rd 2024, the Court of Cassation (French Supreme Court) ruled that banks are obliged to reimburse victims of a fake bank adviser fraud. If the fraudster impersonates the bank’s phone number, for example, and has had you authorise fraudulent transfers to their account, the bank cannot accuse you of gross negligence. The fraudster’s methods are precisely designed to reduce your attentiveness and make you trust them in order to obtain confidential information.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Innovation Council and Small and Medium-sized Enterprises Executive Agency (EISMEA). Neither the European Union nor the granting authority can be held responsible for them.