Faux Conseiller Bancaire scam in France 2026: how the fake bank advisor steals 40 000 euros per call

Why fake bank advisor calls are the costliest scam in France

Banque de France publishes an annual fraud report through its Observatoire de la Sécurité des Moyens de Paiement. The 2023-2024 edition put the Faux Conseiller Bancaire (FCB) at the top of the loss-per-case table. Other fraud types have higher volume. None has higher financial damage per incident.

The average loss sits around 40 000 euros. The high end clears 100 000 euros for victims who hold larger current accounts or have access to instant transfers on a livret A or PEL. A single call drains a lifetime of savings.

Three things make the damage so severe. First, the attack targets people who already have money in the account. Pensioners and small business owners are the favourite victims. Second, the scammer pushes the victim to authorise SEPA instant transfers, which settle in seconds and cannot be reversed by the sending bank. Third, the victim believes they are the one stopping the fraud, so they hand over every code asked for without hesitation.

By the time the call ends, the money is already moving through mule accounts inside the SEPA zone. Within an hour it is usually outside France. Within a day, untraceable.

How the call actually goes (full script breakdown)

The pattern is consistent across every major French bank: Société Générale, BNP Paribas, Crédit Agricole, La Banque Postale, Caisse d'Épargne, LCL, CIC, Crédit Mutuel. Same script, different name swapped in.

Opening line. "Bonjour Madame Martin, je suis Monsieur Dupont, conseiller fraude à la Société Générale. Nous avons détecté une tentative de fraude sur votre compte ce matin." The scammer uses your real surname. They name your real bank. They give a confident French name for themselves.

The hook. "Quelqu'un essaie en ce moment de virer 4 800 euros vers un compte en Pologne. Nous devons annuler cette opération avant qu'elle ne soit définitive." Now there is a specific amount and a specific country. Specifics build belief.

The validation request. "Pour bloquer cette opération, vous allez recevoir un code par SMS ou dans votre application bancaire. Validez ce code, c'est la seule façon d'annuler la transaction." This is the moment the trap closes. The code is not for cancelling fraud. It is the SCA (Strong Customer Authentication) code for the transfer the scammer just initiated using your stolen credentials.

The urgency. "Si vous ne validez pas dans les 5 minutes, l'argent sera perdu et nous ne pourrons rien faire. La banque ne pourra pas vous rembourser." Five minutes. No remboursement. The clock runs and your brain stops thinking.

The escalation. If the first transfer goes through, the scammer keeps you on the line. "Une deuxième tentative vient d'arriver, plus grosse cette fois, 28 000 euros. Validez le nouveau code." They drain everything available, one validation at a time. Some calls last 90 minutes. Victims report feeling exhausted and confused by the end, which is exactly what the scammer wants.

Why caller ID spoofing makes this so convincing

Open a recent French smishing case file and you will find the same detail: the victim says the number that called was the real customer service number printed on the back of their carte bleue. Not a number that looked like it. The actual number.

This is caller ID spoofing. VoIP gateways let any caller display any phone number they want as the originating number. The technology was built for legitimate use, like a company displaying its main number when calling from any extension. Criminals use the same feature to display 3933 (Société Générale), 3477 (BNP Paribas), or any other bank short code.

Mobile operators in France have started rolling out STIR/SHAKEN authentication to flag spoofed calls, but coverage is partial. Most fixed-line and cross-border calls still arrive with no verification. ARCEP (the French telecoms regulator) reported in late 2024 that operators were preparing to block calls with mismatched origin, but the rollout will take through 2026 to complete.

Until then, you cannot trust caller ID for a bank call. Ever. The number on your screen tells you nothing about who is actually on the line.

How scammers already know so much about you

The other detail victims keep repeating: "He knew my last transaction. He knew my IBAN." How?

Personal data sold on Telegram and dark web forums after a data breach. Two of the biggest French exposures in recent years were the 2024 Free mobile leak (19 million customer records including IBAN) and the Pôle emploi breach (43 million records, sold in bundles). Add to that the regular drip of breaches at e-commerce sites, energy suppliers, and parking apps that store partial card details.

A buyer can stitch together a profile that includes your name, address, phone number, bank, IBAN, and sometimes a recent transaction amount. That profile is what allows the opening line to feel real. The scammer is not guessing. They are reading from a sheet.

If a breach has happened in the last two years, assume your data is in someone's hands. The defence is not hiding the data. It is recognising the script, no matter how much detail the caller already has.

Red flags during the call

Even with a spoofed number and accurate personal details, the call has tells. Listen for these:

• They ask you to validate or confirm a code. No real bank does this. A code in your app is meant to authorise YOUR action, not cancel someone else's.
• They mention a specific euro amount that "fraud is trying to take." The number is a hook to get you emotionally invested.
• They impose a deadline, usually 5 to 10 minutes. Real bank fraud teams do not work on countdown timers. They cancel transactions and call you afterwards.
• They ask you not to hang up under any circumstance. Often dressed as "stay on the line for security reasons" or "do not contact the agency, we are handling this directly."
• They tell you to ignore SMS or app notifications because they are part of the fraud. The notifications are actually the bank warning you about the real transfer the scammer initiated.
• They walk you through Anti-Phishing keywords or push notifications in your bank app and tell you to tap "Yes" or "Authorise."
• They ask for your card PIN, full card number, or 3D Secure code. No real bank employee will ever ask for your PIN over the phone.
• The conversation feels like a script. If you ask an unscripted question (like "what is the name of my branch manager?"), they stumble or change the subject.

What to do during the call (hang up protocol)

If something feels off, follow this exact sequence. Do not improvise.

1. Say "I will call you back" and hang up. Do not announce that you think they are a scammer. Just end the call cleanly. If you accuse them, some scammers escalate with intimidation.
2. Wait two full minutes. Sophisticated scammers keep the line open from their side even after you hang up. If you immediately try to dial out, you reach them again because the carrier is still holding the previous call up. Two minutes is enough for any modern mobile network to release the connection.
3. Use a different phone if you have one. Mobile if the original call came on a landline. Landline if it came on mobile. This removes any chance of the line still being held.
4. Call the number printed on the back of your bank card. Not a number the caller gave you. Not a number you Google in the moment, since malicious sites also rank for bank phone numbers. The number on the back of the card.
5. Ask the real fraud team if anyone called you in the last 30 minutes. They will tell you no. Confirm there is no real fraud on the account. Then ask them to log the incident.

One memorable phrase to keep in mind: a real bank cancels fraud silently. A scammer asks for permission to do it.

What to do if you already validated

If you realise mid-call or just after, you may have minutes to act before the money settles permanently. Move fast.

1. Call your bank's real fraud line immediately using the number on the back of your card. Tell them exactly what happened, which codes you validated, and at what time. Ask them to freeze the account and reverse any pending transfers.
2. Lodge a déposition de plainte at your local commissariat or gendarmerie. You need this for the bank's investigation file and for any chargeback claim. Take a copy of the police report number.
3. Declare the incident on Cybermalveillance.gouv.fr. This is the French national platform for cybercrime victims. It will route you to local victim support and notify the relevant authorities.
4. Request a chargeback under PSD2. The European Payment Services Directive 2 gives you up to 13 months from the transaction date to dispute an unauthorised payment. Banks must refund unauthorised transactions unless they can prove gross negligence on your part. Voluntary code validation can be argued as negligence by the bank, but the law is genuinely on your side if you can show you were under social engineering manipulation.
5. If the bank refuses to refund, escalate to the Médiateur de la Fédération Bancaire Française. The mediator service is free and binding on the bank.
6. If you are an elderly victim, ABEIS (Aide aux Victimes d'Escroquerie) provides specialised help including legal aid and psychological support. Many local Maisons France Services also host victim support sessions.

Chargeback success in France for FCB cases has improved since the Cour de cassation rulings in 2023 that pushed banks to refund more often when the victim was deceived by spoofing. It is no longer a lost cause. File the claim.

How to report it

Even if you did not lose money, reporting helps build the case file that pushes operators and banks to act faster on this scam. Here is the full reporting chain:

• Cybermalveillance.gouv.fr is the first stop. Fill the declaration online. Free, anonymous if you want.
• 33700 by SMS for spam and scam calls. Forward the offending number, then send "STOP" or "BLOCK" depending on prompts.
• 17 (police) only if you are in active danger or money is actively being lost in the next few minutes.
• Banque de France's complaint platform for fraud involving your bank refusing to handle the case fairly.
• AMF (Autorité des Marchés Financiers) for the crypto variant, where the fake advisor pushes you to "secure" your money by sending it to a crypto wallet they control. AMF also maintains the public blacklist of unauthorised investment platforms.
• Tracfin processes the suspicious-transaction reports that banks file. Useful context for understanding where mule accounts get caught, though you do not file directly with them as a private victim.
• ABEIS or France Victimes 116 006 for personal support, especially for elderly victims or anyone in emotional shock after the loss.

Telling friends and family is the underrated step. Most French households have heard of phishing emails. Fewer know how convincing the phone variant has become. Your story is a vaccine for someone in your network who would otherwise have answered the next call.

How SafeBrowz blocks this threat

SafeBrowz cannot stop a phone call. No browser extension can. What it does block is the second half of many Faux Conseiller Bancaire campaigns: the fake bank login pages used to harvest credentials before the call, and the lookalike "secure my account" pages the scammer sometimes directs the victim to mid-call.

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

• Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures including all major French banks (Société Générale, BNP Paribas, Crédit Agricole, La Banque Postale, Caisse d'Épargne, LCL, CIC, Crédit Mutuel, Boursorama, Hello Bank, Fortuneo) + Cyrillic and Punycode homograph variants + community lists, all running in the extension before the page renders. The societegenerale-securite.{tld}, bnpparibas-verification.{tld}, credit-agricole-fraude.{tld} pattern family gets caught instantly.
• Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam TLDs for known malicious domains. French phishing infrastructure rotates fast, but the API layer picks up most domains within hours of first being reported.
• Layer 3 - AI deep scan (Premium): 100+ language content analysis catches novel variants in seconds, including French-language fake bank pages that have no historical fingerprint.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. No per-user browsing history is stored.

Frequently asked questions

Will my real bank ask me to validate transactions by phone?

No. Every French bank publishes the same statement on its security page: bank staff will never ask you to validate a transaction by phone, never ask you to read out a code received by SMS or in your app, and never ask for your PIN or full card number. The fraud team's job is to cancel suspicious transactions silently and call you afterwards to inform. If anyone calls you and asks you to confirm a code in real time, it is a scammer, even if the displayed number is correct.

What does the caller ID show when a Faux Conseiller Bancaire calls?

Often the genuine customer service number of your bank, including 3933 (Société Générale), 3477 (BNP Paribas), or local agency landlines. This is caller ID spoofing through VoIP. The displayed number is set by the caller and is not verified by most telephone networks. ARCEP is rolling out STIR/SHAKEN call authentication to combat this, but coverage will not be complete until end of 2026. For now, the number on your screen during an incoming call is not proof of who is on the line.

Is the 40 000 euros average loss real?

Yes. The figure comes from the Observatoire de la Sécurité des Moyens de Paiement, published annually by Banque de France. The 2023-2024 edition placed Faux Conseiller Bancaire at the top of the loss-per-case ranking for retail fraud in France, with an average loss in the 35 000 to 45 000 euros range depending on bank type. High-end cases reach over 100 000 euros, typically against victims with large savings accounts or business current accounts.

Can I get my money back after a Faux Conseiller Bancaire scam?

Often yes, but it requires fast action and a fight. Under PSD2 (European Payment Services Directive 2), banks must refund unauthorised transactions unless they prove gross negligence by the customer. Court rulings in 2023 from the Cour de cassation pushed banks to refund more cases where the customer was deceived by caller ID spoofing. You have up to 13 months from the transaction to request a chargeback. File a police report, declare on Cybermalveillance.gouv.fr, and escalate to the Médiateur de la Fédération Bancaire Française if your bank refuses.

Why do scammers know my recent transactions?

Personal and partial financial data circulates after large breaches. The 2024 Free mobile leak exposed 19 million customer records including IBANs. The Pôle emploi breach exposed 43 million records sold in bundles. Smaller breaches at e-commerce sites, parking apps, and utility providers leak partial card details and addresses. Criminals stitch these sources into profiles. Knowing your name, bank, IBAN, and one transaction amount is enough to sound convincing on the opening line of the call.

How do I verify if a call from my bank is real?

Hang up. Wait two minutes for the line to fully release. Call back using the number printed on the back of your bank card, not a number the caller gave you and not a number you Google in the moment. Ask the real fraud team if anyone tried to contact you in the last 30 minutes. They will be able to confirm or deny instantly. This single habit defeats almost every Faux Conseiller Bancaire call, regardless of how convincing the caller sounded.

Last updated 29 May 2026.