GER: Altered IBAN – Buyers Bear Resulting Loss
Instead of receiving valuable gold bars, the buyers in the case at hand ultimately incurred a six-figure loss. Criminals had altered bank details on an emailed invoice, resulting in the buyers transferring over EUR 100,000 to a third-party account. The German Regional Court of Karlsruhe was tasked with determining which party bears the risk for such cyber fraud and whether companies have an obligation to send invoices exclusively in encrypted form.
Remittance directed to an incorrect account after altered invoices
The plaintiffs had acquired 42 fine gold bars from the defendant, remitting a total purchase price of EUR 109,185. Prior to making payment, they received invoices via email that appeared identical to the original versions; however, the bank account information provided had been altered. Consequently, the plaintiffs transferred the full amount to an account held by a third party.
When the gold bars were not delivered, it emerged that the defendant was not the holder of the referenced account. The plaintiffs therefore sought either the delivery of the gold bars or, alternatively, compensation equivalent to the transferred amount. They specifically contended that the defendant was obligated to issue invoices exclusively in encrypted form and was therefore liable for the resulting damage.
If funds are transferred to an incorrect account, no fulfilment occurs
The court determined that the transfer to the manipulated account did not constitute performance under Section 362 of the German Civil Code (Bürgerliches Gesetzbuch, BGB), as the purchase price was not unconditionally credited to an account belonging to the seller. Typically, the debtor is responsible for the risk of loss associated with misdirected transfers.
The court further rejected the defendant’s liability for breach of ancillary contractual duties. The purchase contract and prevailing traffic obligations did not impose a requirement to employ end-to-end encryption in commercial email communications. Moreover, no specific safety standards were mutually agreed upon by the parties.
A claim pursuant to Article 82 of the General Data Protection Regulation (GDPR) was also dismissed. The court determined that it was solely the seller’s account data, rather than the plaintiffs’ personal data, that was altered. Consequently, the case does not fall within the material scope of the GDPR.
LG Karlsruhe 8 O 266/25 (20 May 2026)