Unauthorized Payment Transactions in Bulgaria — How to Protect Your Money from Fraud and Phishing (2026)

Published: 11 April 2026 | Last updated: 11 April 2026

You wake up, open your banking app and see: “Outgoing transfer — EUR 1,200” — a transaction you never authorized. Or you receive an SMS that appears to come from your bank, click the link, enter your credentials, and an hour later your account is empty. What happens next? Who bears the risk and how do you react quickly to recover your money? In this practical guide we walk you through your rights under the Bulgarian Payment Services and Payment Systems Act (PSPSA) and PSD2 — and how to enforce them effectively.

What is an unauthorized payment transaction

The definition is set out in Article 70, paragraph 1 of the Bulgarian Payment Services and Payment Systems Act (PSPSA): a payment transaction for which the payer has not given consent — regardless of whether that consent was required before or after the transaction. The law is unambiguous: for every single transaction on your account, your consent must be expressed in the manner agreed with your bank (PIN entry, mobile app confirmation, biometrics, 3D Secure code and so on).

Typical scenarios where an unauthorized transaction occurs:

  • A transfer made after a criminal obtained your credentials via a phishing email or fake website impersonating your bank;
  • A payment with a lost or stolen card, before you managed to block it;
  • A cash withdrawal from an ATM using a cloned card (skimming);
  • An online purchase using your card data after a third party accessed it following a database breach;
  • A transfer made by a minor who did not understand what they were doing, or by another person without your express authorization;
  • A duplicated transaction recorded twice due to a technical error in the provider’s system.

Regardless of the mechanism — if you did not initiate the transaction and did not subsequently approve it, it is an unauthorized transaction within the meaning of the law, and the law grants you a specific set of rights.

Legal framework — PSPSA, PSD2 and secondary legislation

Consumer protection against unauthorized payment transactions in Bulgaria is governed by the following instruments:

  • Payment Services and Payment Systems Act (PSPSA) — the current version dates from 2018 and transposes into Bulgarian law Directive (EU) 2015/2366 on payment services in the internal market (PSD2). The PSPSA contains the key rules on liability for unauthorized transactions, Strong Customer Authentication and refund procedures.
  • Ordinance No. 3 of 16 July 2009 of the Bulgarian National Bank — regulates the conditions and procedure for executing payment transactions and the use of payment instruments.
  • Bulgarian National Bank (BNB) — the competent supervisory authority before which complaints against payment service providers are filed and which monitors compliance with the PSPSA.
  • Consumer Protection Act — provides an additional layer of protection in the relationship with payment service providers.

Because the PSPSA transposes PSD2, the Bulgarian protection regime is harmonized with that of all other EU Member States. The core rights described below apply equally to customers of every bank, electronic money institution and licensed payment institution operating within the EU.

Core principle: the bank bears the risk (Article 79 PSPSA)

One of the most important provisions in the entire act is Article 79 PSPSA. As a general rule, the risk of an unauthorized payment transaction is borne by the payment service provider — that is, by the bank, e-money institution or licensed payment institution through which the transaction is processed.

The legislator adopted this allocation of risk for three reasons:

  • Economic asymmetry — the bank is institutionally and technically many times stronger than an individual consumer. It has the resources, infrastructure and expertise to design secure systems and to absorb the losses caused by their defects.
  • Control over the system — the consumer has no influence over how the bank designs its authentication system, which security measures it deploys or how it maintains them. The consumer should not pay the price for flaws in someone else’s infrastructure.
  • Incentive to invest in security — when the risk sits with the provider, it has a strong economic interest in continuously improving its protection standards.

Another critical provision is Article 78 PSPSA, which deals with the burden of proof. When a consumer disputes a transaction as unauthorized, it is the provider who must prove that the transaction was authenticated, accurately recorded, properly entered in the accounts and not affected by any technical breakdown or other deficiency. The mere fact that the payment instrument was used (for example with a correct PIN or successful 3D Secure confirmation) is not in itself sufficient evidence that the consumer gave consent or acted fraudulently or with gross negligence.

This rule is fundamental: you are not the one who has to prove that you did not make the transaction — the bank has to prove that you did authorize it.

Refund obligation — immediately!

Once notified by the consumer of an unauthorized transaction, the payment service provider is subject to a clear and strict refund obligation. The key parameters are:

  • Deadline — the refund must be made immediately and in any event no later than the end of the following business day after the provider became aware of or was notified about the unauthorized transaction.
  • Full restoration — the payer’s account must be returned to the state in which it would have been had the unauthorized transaction never taken place. This covers not only the amount transferred but also all resulting fees and interest.
  • Value date — the credit value date cannot be later than the date on which the account was debited with the unauthorized transaction. This protects the consumer from loss of interest or overdraft charges.

The single exception

The provider may deviate from the short refund deadline in one case only: where it has reasonable grounds to suspect fraud on the part of the payer, provided that it notifies the competent authorities in writing. This is not a simple option to delay — the provider must cite concrete facts giving rise to the suspicion and document them. Otherwise, it must refund the funds within the standard deadline.

If the provider fails to refund on time, the claim becomes due and statutory default interest starts to accrue on it under the general rules.

Your liability — maximum EUR 51.13

The law carefully limits the financial risk that may fall on a good-faith consumer. The levels of liability are tiered and depend on the timing of notification to the bank and on the degree of your own fault.

Before notification — up to EUR 51.13 (BGN 100)

If the payment instrument is lost, stolen or misappropriated and is used by a third party before you notify the provider, your maximum liability is capped at EUR 51.13 (BGN 100). This is a significant change compared to the old regime, under which the cap was BGN 300 — following the transposition of PSD2 and the introduction of the euro, the cap has been sharply reduced in favour of consumers.

After notification — zero liability

From the moment you notify the provider of the loss, theft or unauthorized use of the instrument, you bear no liability whatsoever for any subsequent unauthorized transactions — with a single exception: if you acted with fraudulent intent against the bank itself.

Zero liability due to provider failures

The payer also bears no liability at all (save for fraudulent intent on their part) in the following cases:

  • Where the provider does not require Strong Customer Authentication (SCA), even though it is legally required to do so;
  • Where the provider has not provided any means for the consumer to notify it 24 hours a day, 7 days a week;
  • Where the loss is caused by acts or omissions of an employee, agent, branch of the provider or of a person to whom the provider has outsourced its functions.

Full liability — when?

There are three scenarios in which the payer bears full liability for all unauthorized transactions, without any cap and without the benefit of the EUR 51.13 limit:

  • Fraud on the part of the payer himself — for example a staged “theft” aimed at obtaining a refund;
  • Wilful breach of the obligations set out in Article 75 PSPSA;
  • Gross negligence in performing the obligations under Article 75 PSPSA — but this assessment is strictly case-by-case and the courts are relatively reserved when it comes to qualifying specific conduct as gross negligence.

Step by step — what to do if you see an unauthorized transaction

Time is of the essence. Every minute of delay may mean new unauthorized transactions or the movement of the funds beyond the reach of banking recovery procedures. Here is the exact sequence of actions to follow:

  1. Minutes 0 — 10: Call the bank’s 24/7 hotline. Every bank in Bulgaria operates a round-the-clock line precisely for such cases. The number is printed on the back of the card and published on the bank’s website. Instruct the operator to immediately block all payment instruments linked to the account.
  2. Minutes 5 — 15: Block the card from your mobile app. Most modern banking apps allow instant temporary or permanent blocking of the card with a single button. Do it in parallel with the phone call — not instead of it, but in addition.
  3. Within the first hours: File a written refund request. Send an email to the bank’s official address expressly disputing the specific transactions (date, time, amount, beneficiary) and requesting their refund under Article 79 PSPSA. Also visit a branch and file a written application with an incoming registration number — this is the safest way to prove the moment of notification.
  4. Preserve all evidence. Take screenshots of SMS messages, emails, transaction history in the app, phishing websites (if any), incoming and outgoing calls. All of these can be decisive in further disputes and potential litigation.
  5. 21 days: Wait for the bank’s position. Under the procedure of Article 78 PSPSA and current BNB practice, the bank has up to 21 days to examine the complaint and issue a decision. If no refund or reasoned written rejection follows within this period, your claim becomes due and statutory interest starts to accrue on it.
  6. If refused: File a complaint with the BNB. The Bulgarian National Bank is the supervisory authority and accepts complaints against the payment service providers it supervises. The complaint is not a mandatory prerequisite for court action, but it can exert significant pressure on the bank to reconsider.
  7. Conciliation Commission for Payment Disputes (with the Consumer Protection Commission). An alternative, free mechanism for resolving disputes between consumers and payment service providers. The proceedings are not compulsory before court action but are useful in moderately complex cases where both parties are open to compromise.
  8. Court action under Article 79 PSPSA. If all previous steps have been exhausted without result, you can sue the bank before the competent court for refund of the amount together with statutory default interest. Given the specific burden of proof, it is advisable to be represented by a lawyer.
  9. Report to the police. File a report with the local police station or with the General Directorate Combating Organized Crime. This is important not only for possible criminal prosecution of the perpetrators, but also because the case reference from the prosecution is often required by banks as additional evidence of the consumer’s good faith.

Notification deadline — 13 months maximum

One of the most important limitations that consumers often overlook is the dispute deadline. Under Article 78 PSPSA, the consumer must notify the provider without undue delay upon becoming aware of the unauthorized or incorrectly executed transaction and in any event no later than 13 months from the date on which the account was debited.

After the 13-month period expires, the possibility of obtaining a refund under the PSPSA procedure is lost. This does not necessarily mean the loss of all possible rights (general civil law and potentially tort claims remain), but the preferential regime of eased proof and expedited refund is no longer available. This is why regularly checking your bank statements is not simply a matter of financial discipline but also of legal protection.

Review your statements at least once a month and enable SMS or push notifications for every transaction above a set threshold. At the slightest suspicion of an unauthorized transaction, launch the procedure immediately — do not postpone.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is one of the key innovations introduced by PSD2 and transposed into the PSPSA. The provider’s obligations to apply SCA for a defined range of operations are absolute, and breaching them shifts the entire risk back to the provider.

SCA requires, for every online transaction and every account access, the use of two or more independent factors drawn from the following three categories:

  • Knowledge — something only the user knows (PIN, password, answer to a security question);
  • Possession — something only the user possesses (physical card, mobile phone running the app, hardware token);
  • Inherence — something the user is (fingerprint, face recognition, voice biometrics).

The key requirement is that the factors must be independent: the compromise of one must not entail the compromise of the others. Thus, if someone knows your password but has no physical access to your phone, they cannot complete the transaction.
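To make the two-factor rule concrete, here is a small added example (not code from the original article or from any bank or regulator): a checker that decides whether a set of authentication factors presented for a transaction meets the SCA requirement stated above, namely at least two verified factors drawn from two different categories. The category names, factor labels and sample factor sets are constructed for illustration.

```python
"""Added example: evaluate whether presented factors satisfy the SCA rule
(two or more independent factors from different categories).
All labels and sample data below are constructed for illustration."""

from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something only the user has (card, phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Factor:
    name: str            # assumed label, e.g. "password", "app_push"
    category: Category
    verified: bool       # did this factor actually check out for the transaction


def verified_categories(factors):
    """Categories covered by factors that were successfully verified."""
    return {f.category for f in factors if f.verified}


def satisfies_sca(factors):
    """True when at least two verified factors come from different categories.

    Two factors from the same category (e.g. password + security question,
    both 'knowledge') do not count as SCA: if the user's secrets leak, both
    fall together, so they are not independent of each other."""
    return len(verified_categories(factors)) >= 2


def explain(factors):
    """Human-readable verdict, useful when logging why a payment was allowed."""
    cats = verified_categories(factors)
    if len(cats) >= 2:
        return "SCA satisfied: " + ", ".join(sorted(c.value for c in cats))
    if not cats:
        return "SCA not satisfied: no verified factor"
    only = next(iter(cats)).value
    return "SCA not satisfied: only one category verified (" + only + ")"


# Constructed sample factor sets (assumed, not real bank data).
PASSWORD_PLUS_APP = [
    Factor("password", Category.KNOWLEDGE, True),
    Factor("app_push", Category.POSSESSION, True),
]
PASSWORD_PLUS_QUESTION = [            # same category twice: not SCA
    Factor("password", Category.KNOWLEDGE, True),
    Factor("security_question", Category.KNOWLEDGE, True),
]
PASSWORD_FAILED_BIOMETRIC = [         # second factor never verified: not SCA
    Factor("password", Category.KNOWLEDGE, True),
    Factor("fingerprint", Category.INHERENCE, False),
]


def run_samples():
    """Return the verdict for each constructed sample set."""
    return {
        "password_plus_app": satisfies_sca(PASSWORD_PLUS_APP),
        "password_plus_question": satisfies_sca(PASSWORD_PLUS_QUESTION),
        "password_failed_biometric": satisfies_sca(PASSWORD_FAILED_BIOMETRIC),
    }


if __name__ == "__main__":
    for label, factors in (("password + app push", PASSWORD_PLUS_APP),
                           ("password + security question", PASSWORD_PLUS_QUESTION),
                           ("password + failed fingerprint", PASSWORD_FAILED_BIOMETRIC)):
        print(label + ": " + explain(factors))
```

The point of the second sample is the one the paragraph makes: a password and a security question are both "knowledge", so a provider that accepted them as its two factors would not have applied SCA, which under the rules above moves the whole risk of an unauthorized transaction back to the provider.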

The practical impact of SCA on the liability question is the following: if the bank failed to apply SCA when it was required to do so, and the consumer becomes a victim of an unauthorized transaction — then the consumer bears no liability at all, not even within the EUR 51.13 cap, unless they acted with fraudulent intent. The risk sits entirely with the bank.

When you bear full liability — gross negligence

The most contested issue in practice is the assessment of when the consumer’s conduct qualifies as “gross negligence”. This is not ordinary carelessness but a significantly more serious form of fault — one that case law describes as “indifference to an obvious risk”.

Scenarios which courts tend to qualify as gross negligence:

  • Writing the PIN on the card itself or keeping it in the wallet together with the card;
  • Storing passwords in an unprotected text file on the desktop or in a readily accessible notes app;
  • Intentionally disclosing credentials to a third party — for example to a “bank employee” over the phone, or entering them on a website that is obviously not the bank’s;
  • Reusing the same password which has already been compromised in a known breach.

On the other hand, case law is relatively tolerant and does not qualify as gross negligence the following types of conduct:

  • Failing to update antivirus software on a personal device;
  • Not changing online banking passwords regularly;
  • Failing to use two-factor authentication where it was not mandatory;
  • Clicking in good faith on a link in an email which convincingly looks as if it came from the bank.

It is important to emphasise that the burden of proving gross negligence lies with the provider (Article 78 PSPSA). The bank cannot simply allege that you were negligent — it must produce concrete evidence to persuade the court of qualified fault on your part.

Typical phishing and fraud scenarios in Bulgaria

Understanding the most common schemes will allow you to recognise an attack in time and minimise the damage. Here are the most frequent scenarios in the Bulgarian context:

“SMS from the bank” with a reactivation link

You receive an SMS that appears to come from a familiar name (UniCredit, DSK, FIB, UBB and so on) with text along the lines of: “Your card has been blocked, click here to reactivate it.” The link leads to a fake website, visually almost identical to the original, where you are prompted to enter your username, password and even the SMS code for two-factor authentication.

Fake emails about “courier fees”

You are expecting a parcel and receive an email in which “Econt”, DHL or “Bulgarian Posts” inform you that you need to pay a small delivery fee (EUR 1 to 3) via an attached link. The website is once again a fake and the goal is to harvest card data.

“Bank security officers” on the phone

Someone calls you claiming to be from the bank’s Security department. They explain that an unauthorized transaction attempt has been detected and, “for your protection”, you must immediately confirm a code they are about to send by SMS. The code in fact authorises a transfer to the criminal.

Investment scams and “crypto” platforms

Ads on social media for “guaranteed” high returns from investments in cryptocurrencies, Forex or shares. After a small initial deposit and seemingly successful “gains”, the victim is pushed to deposit ever larger amounts, and at some point the “platform” disappears.

Tech support and fake antivirus scams

A pop-up tells you the computer is infected and that you must contact “Microsoft technical support”. The “technician” takes remote control and eventually asks you to log into online banking so they can “refund” some amount.

Social engineering on social networks

Fake Facebook and Instagram profiles contact relatives or friends and request an urgent transfer on the pretext of an accident, illness or unavoidable travel. Profiles are often cloned to look authentic.

Case law — key principles

Although the PSPSA is a relatively recent statute, Bulgarian courts — as well as the Court of Justice of the EU in the context of PSD2 — have already articulated a number of important principles when applying it:

  • Use of the payment instrument does not prove consent. The Supreme Court of Cassation has repeatedly held that the mere fact of registered use (PIN entry, 3D Secure confirmation and so on) is not sufficient to conclude that the consumer gave informed consent to the transaction. The provider must prove elements beyond the purely technical authentication.
  • General terms cannot reduce the provider’s liability. Courts refuse to apply clauses in general terms that shift to the consumer a risk that the law places with the provider. Such clauses are considered null and void as contrary to mandatory provisions of the PSPSA.
  • Requirements for consumer cyber hygiene have limits. The Sofia City Court has held in several decisions that the lack of an up-to-date antivirus or of regular password changes does not amount to gross negligence and does not relieve the provider of liability.
  • The burden of proof is on the bank. In any dispute over a transaction alleged to be unauthorized, the burden of proof lies with the bank — not the consumer. This covers authentication, the absence of a technical fault and any potential gross negligence.

Frequently asked questions

How quickly must the bank refund my money?
Under Article 79 PSPSA, the bank must refund the amount of the unauthorized transaction immediately and in any event no later than the end of the following business day after notification. The account must be returned to the state it would have been in had the transaction never taken place. The only exception is where there are reasonable grounds to suspect fraud by the payer and the bank has notified the competent authorities in writing.
What is the maximum I can lose if my card is stolen?
Your maximum financial liability before notifying the bank when a lost, stolen or misappropriated payment instrument is used is capped at EUR 51.13 (BGN 100) under Article 80 PSPSA. After notification you bear no liability for subsequent transactions, save for fraudulent intent. If the bank did not apply Strong Customer Authentication (SCA), you bear no liability even within the cap.
What is the deadline to dispute an unauthorized transaction?
Under Article 78 PSPSA — 13 months from the date on which your account was debited with the unauthorized transaction. Nevertheless, notification should take place without undue delay — on the same day you become aware of the transaction. After the 13-month period the preferential PSPSA regime no longer applies.
What should I do FIRST if I see an unauthorized transaction?
Within the first minutes: call the bank’s 24/7 hotline (the number is on the back of the card) and request immediate blocking. In parallel, block the card from your mobile app. Then file a written refund request — email to the bank’s official address and an in-branch application with an incoming registration number. Preserve all evidence (SMS, emails, screenshots). Time is of the essence.
If the bank refuses to refund — what are my options?
Parallel options: (1) complaint to the BNB as supervisory authority; (2) referral to the Conciliation Commission for Payment Disputes with the Consumer Protection Commission — a free out-of-court mechanism; (3) court action under Article 79 PSPSA seeking refund plus statutory default interest. Legal assistance is recommended.
I paid via a phishing link — is the bank liable?
It depends on several factors. If the bank failed to apply Strong Customer Authentication (SCA), the risk sits entirely with it and you bear no liability, absent proven fraudulent intent. If SCA was applied but you were misled by a convincingly imitated website, case law generally does NOT qualify this as gross negligence, provided there were no obvious red flags. An individual assessment of the specific case is recommended.
Should I report the incident to the police?
Yes, it is recommended and often necessary. A criminal investigation may lead to identifying the perpetrators and the wider network. Moreover, the prosecution case reference is often required by banks and insurers as additional evidence of the consumer’s good faith.

Have you fallen victim to an unauthorized transaction or bank phishing?

The Innovires team provides dedicated legal assistance in disputes with banks and payment institutions — from drafting written disputes and complaints to the BNB, through proceedings before the Conciliation Commission, to court action under Article 79 PSPSA. Get in touch for a quick case assessment.