When a Scam Payment Still Has a Valid Signature

Dutch payment fraud is moving the burden toward limits, second checks, and a clear incident timeline.

At a small company, a bad payment rarely looks bad at first glance. It looks like a supplier change, a bank warning, a familiar voice, or a payment link that arrives at the wrong time. The founder is busy. The bookkeeper is closing the week. The token sits on the desk.

The signal has to become readable

DNB put that problem in sharper focus in June 2026. It called external payment fraud a significant social issue. It also noted that bank helpdesk fraud usually involves authorized payments, because the victim starts the payment under false pretences.

That single word matters. Authorized does not mean wise. It means the banking route was used in the normal way, by someone with the right access. For a small firm, that is where the legal and cash pressure starts.

Authorized on paper

Dutch payment law begins with consent. Article 7:522 of Book 7 of the Civil Code treats a payment as authorized when consent is given in the agreed form and procedure. Article 7:528 covers refunds for unauthorized transactions. Article 7:533 says a payment service provider does not refuse an authorized order if the framework conditions are met.

In practice, a scam can be obvious to the victim and still be hard to unwind. If the right person approved the transfer through the normal banking route, the first questions are about consent, timing, warning signs, and what the bank knew at that moment.

That is not a lecture about blame. The fraudster remains the wrongdoer. But a company that expects the bank to refill the account after every deceived payment is building cash flow on hope, not control.

DNB's 2026 work goes beyond a consumer warning. It examined seven banks, payment institutions, and electronic money institutions in early 2026. DNB found transaction detection, analyst review, standard daily limits, a four-hour wait after limit changes, high-risk payment warnings, and campaigns. It also said fraud management often sits mainly at operational level, not at the level of clear strategic objectives.

Why small firms are exposed

Small companies often keep payment authority close to one person. That person knows the suppliers, answers the phone, changes limits, talks to the bank, and explains the payment afterwards. It works on a calm day. It becomes fragile when pressure and deception arrive together.

What the signal changes

DNB's Payments Strategy 2026 to 2028 says fraud is moving from card payments to online payments. In those cases, users often give consent without meaning to, and larger amounts are usually involved. DNB also says criminals target businesses by mimicking invoices or payment links.

KvK describes spoofing as criminals pretending to be someone else, including a trusted organization such as a bank. That can happen through email, SMS, or a phone number that looks familiar.

CBS adds a useful market picture. In the Veiligheidsmonitor 2025, 16.8 percent of people aged 15 or older were victims of one or more online offences or incidents. Online scams and fraud affected 10.3 percent, and payment-traffic fraud affected 1.2 percent. Those figures concern private citizens, but they explain why the fake call no longer feels exotic.

Company controls lag behind more often in smaller firms. In CBS cyber data for 2025, only 13 percent of companies with 2 to 10 employees used ten or more of twelve surveyed cybersecurity measures. Among companies with 250 or more employees, the share was 86 percent. Fewer layers mean fewer chances for someone to pause the transfer and ask for a second check.

After the money moves

Once the transfer goes out, wages, rent, VAT, suppliers, stock, and loan dates do not wait for the complaint file. That timing gap is where fraud turns into working-capital pressure.

Court signals point away from easy assumptions. Rechtbank Amsterdam held in 2024 that a bank acting as payment service provider has no general duty to monitor all transactions for fraud. The court also said no fraud-monitoring system is fully watertight.

In 2025, Rechtbank Amsterdam dealt with a B.V. that lost nearly €115,000 after helpdesk fraud through its bunq account. The court found bunq not liable on those facts. The lack of a warning or blocking system for those transfers was not, by itself, a care-duty breach.

What founders should check

The picture is still fact-sensitive. Gerechtshof Arnhem-Leeuwarden looked at a case with fraud contact, a raised daily limit, and the bank's care duty. The court treated timing and bank knowledge as relevant. If a bank knows more, or should react to clear indicators, the analysis changes. That is why the timeline matters as much as the transfer itself.

AFM added a separate compliance layer on 8 June 2026. It fined bunq B.V. €170,000 for not responding on time to seven complaints from customers who were victims of online fraud. AFM says payment service providers must give a substantive response within 15 working days. Even when compensation is disputed, complaint handling has its own weight.

Discipline before the call

The small company's answer is not fear. It is payment discipline that can survive a convincing voice on the phone.

Start with authority. Who can approve payments? Who can change limits? Who can add beneficiaries? Who can use the banking device? Who can install remote access software? Then check whether daily limits match real payment needs. Extra limit space is not convenience. It is exposure waiting for a story.

Supplier bank-detail changes deserve a second route of confirmation using contact details already held by the company. Remote access and banking sessions need a hard pause unless there is a clear business reason and a visible record. Unusual payment links, urgent calls, and pressure tactics deserve a second person where the company has one.

When the founder returns to the banking screen, the fraudster wants speed. The company needs delay. Stop the call. Stop screen sharing. Use the bank's known contact route. Record the time. Save warnings, emails, app alerts, screenshots, and call notes. If the money has moved, the company memory is no longer administration. It is evidence under stress.

Future European payment rules may change part of the reimbursement position for consumers. DNB has pointed to PSR and PSD3 duties under certain conditions. That direction matters, but it is not a reason for today's small firm to loosen its controls.

The uncomfortable truth is simple. A socially engineered payment can damage a business like theft and still carry a valid signature. Stronger protection starts before the call arrives, not after the account is already lighter.
