1.2 million people in France just got dragged into a fresh banking data mess, and the ugly part isn’t some Hollywood “hack the mainframe” fantasy. It’s humans. People getting talked into handing over the keys.
French banks spent the last few years beefing up “strong authentication” (their post-2021 push for tougher logins). So crooks adjusted. They’re going after your phone number, your voice, and your nerves.
The price tag is already nasty: direct losses hit€340 millionin the first six months of 2026, about$370 million, up23%from the same stretch in 2025.
SIM swapping, voice deepfakes, and phishing that hits you from three directions
The workhorse scam in 2026 isSIM swapping. France’s cybersecurity agency,ANSSI, says it now accounts for45%of successful bank-account attacks. The play is simple: the thief impersonates you with your mobile carrier, moves your number to a SIM they control, then catches the SMS security codes your bank texts you. Once they own your number, they own your “two-factor authentication,” too.
Then there’s the creepier upgrade:voice deepfakes. Criminals can clone a voice from a handful of audio clips, often scraped from social media, and use it to sweet-talk a bank rep over the phone into approving a fraudulent transfer. If you’ve ever left a chirpy voicemail greeting or posted a few videos, congratulations: you’ve donated raw material.
And phishing has gotten meaner. Banks are seeingmulti-channel phishing, email plus SMS plus phone calls, designed to box people in with urgency and confusion. That coordinated approach is landing an18%success rate, compared with3%for old-school phishing blasts.
This isn’t a couple of teenagers in a basement. The groups are getting corporate about it, bringing in behavioral psychology specialists to tune the scripts and pick off the most vulnerable targets.
French banks are staring down 2,400 intrusion attempts a day
French banks say they’re dealing with an average of2,400 intrusion attempts per day, triple the level in 2024. Their answer: more surveillance, more biometrics, more “behavioral AI” watching how you normally bank and flagging anything weird in real time.
BNP Paribasrolled outvoice biometricsin January 2026, analyzing147 voice parametersduring calls. The bank claims it can spot deepfake impersonation with99.2%accuracy.Crédit Agricoleis leaning onbehavioral geolocation: if a login pops up from a place that doesn’t fit your usual pattern, alarms go off.
Biometrics are spreading fast.Société Généralenow offers fingerprint login across its mobile apps.La Banque Postaleis testingiris recognitionfor sensitive transactions. France’sObservatoire de la sécurité des cartes de paiementsays these tools cut identity-impersonation risk by67%.
Carriers are getting pulled into the fight, too. A tougher verification protocol launched in October 2025 requiresin-person validation at a storeto move a number to a new SIM. Reported SIM-swapping cases dropped43%after that.
The uncomfortable truth: most victims “gave permission”
The stat that should make you wince: investigations found73%of victimsvoluntarilyhanded over their information, after being manipulated. That’s the whole ballgame. The tech can be solid, but if someone convinces you they’re your bank and you panic-click your way into disaster, the crooks don’t need elite hacking skills.
France’s central bank, theBanque de France, is trying to brute-force the problem with education. In March 2026 it launched “Cyber-Réflexe,” a mandatory training program built into school and university tracks. The goal: reach2 millionyoung people by 2028. Early results show a34%improvement in spotting phishing attempts among participants.
Seniors are getting hammered. They represent58%of victims while making up only23%of active online-banking customers. Banks are responding with simplified interfaces and louder alerts. One group,BPCE, is testing a “family validation” option: certain high-risk transactions by an older customer can require approval from a pre-designated trusted person.
And regulators are tightening the screws. A revised EU payments directive in 2026 forces banks tofully reimburse scam victims within 24 hours, unless the customer was grossly negligent. Translation: banks are being pushed to eat more of the fraud bill, which is exactly why they’re pouring money into cybersecurity and identity checks. They’re not doing it out of kindness. They’re doing it because the tab is landing on their desk.
