
Digital scams: Bank liability for Phishing


Updated 01/10/2022

The increasing digitization of banking services has led to a significant increase in bank fraud (also known as “phishing”), a computer-based ruse by which the fraudster obtains the access codes to the consumer’s bank account and then unlawfully takes the victim’s assets. Our courts have determined that banking entities are liable to their customers when the customer has been a victim of phishing. It is therefore possible to claim from the bank the return of all the amounts stolen by the fraudster, plus the accrued interest.

What is Phishing

Phishing, as defined by case law, is a practice by which the phisher (the name given to the fraudster who uses this criminal method) impersonates the bank in order to obtain, by deceit, confidential information from the banking client. This information may consist of access codes to online bank accounts, credit card details, bank signature codes, etc.

Usually the victim receives an email apparently sent by their trusted bank. That email bears every appearance of authenticity, and in it the client is asked to change their passwords or confidential data, either by replying to the email or by following a link to a website that has also been falsified. In reality, it is an email designed by the fraudster to deceive the bank client and, through this request for information, obtain the data needed to enter their bank account and transfer funds.

Also common are cases in which the victim is expecting a package or a bank transfer from a supposed buyer and receives a text message (for example, an SMS or WhatsApp message) containing a link; clicking on it inadvertently gives the scammer remote control of the victim’s phone.

This is a crime of cyber fraud that falls under article 248.2 of the Penal Code, within the offence of fraud by computer manipulation, punishable with up to 3 years in prison. The sentence varies depending on the amount of funds stolen and the financial loss caused to the injured party.

However, the victim will encounter considerable difficulties in pursuing the offender, and in many cases the offender’s identity is never ascertained. This problem recurs in other digital crimes and frauds that we have already analyzed in previous articles.

Read: “Digital scams: Paying invoices to the fraudster who pretends to be a real supplier”

The responsibility of the bank against phishing

Given the difficulty of identifying the perpetrator of the crime of bank fraud and of obtaining compensation for the damage from them, the most viable and reliable alternative is to demand that the bank return all the amounts taken by the offender. The bank is a perfectly identifiable and solvent entity, and the appropriate claim against it offers a more direct route to recovering the money.

This is possible thanks to Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures (hereinafter, RDL 19/2018), which repealed the Payment Services Law of 2009 and which establishes a “quasi-objective” liability of the bank when the victim has not actually authorized the transfer of money. This means that liability is attributed directly to the bank regardless of whether the entity was at fault or acted fraudulently; the bank is exonerated only in cases of force majeure or exclusive fault of the injured party.

Specifically, article 45 of Royal Decree-Law 19/2018 establishes the following:

“(…) in the event that an unauthorized payment transaction is executed, the payer’s payment service provider will refund the payer the amount of the unauthorized operation immediately and, in any event, no later than the end of the business day following the one on which it observed or was notified of the operation, except where the payer’s payment service provider has reasonable grounds to suspect the existence of fraud and notifies said grounds in writing to the Bank of Spain, in the manner and with the content and terms determined by the latter. If applicable, the payer’s payment service provider will restore the payment account in which the debit has been made to the state in which it would have been if the unauthorized operation had not been carried out”.

Thus, this article establishes that the payment service provider (that is, the bank holding the affected funds) has the legal obligation to return to the victim the total amount that has been stolen through unauthorized operations.

Can legal action be taken cumulatively against both the offender and the bank?

The same amount cannot be claimed back from two different parties by different means. That is to say, if we have been the victim of a scam in which 10,000 euros were transferred out of our bank account, we cannot claim the refund of the 10,000 euros from the fraudster and at the same time request that the bank pay us that same amount.

But it is possible to pursue the criminal liability of the fraudster through criminal proceedings and, at the same time, to claim civil liability and payment of the amounts from the bank before the courts of first instance.

And what do the Spanish courts say?

The case law is unanimous in holding that the bank must return the amounts unlawfully taken by a third party, since, as depositary of the funds, it has the legal obligation to safeguard and return the money deposited. The bank can only be exonerated from that obligation when it can prove that the client acted fraudulently or with gross negligence in protecting their personal and confidential data, and falling for a seemingly genuine email or web page cannot be considered negligence or fault.

However, prior to the claim, the victim of the deception must notify the bank that an unauthorized or incorrectly executed payment operation has been carried out, as established in article 43 of the same Law. Said communication will be understood to have been made diligently as long as it was made within a period of 3 months from the date of the criminal act.

It May Interest You: “Cybercrime and abuse in criminal investigation”

José Luis Casajuana Ortiz
Partner of J. L. Casajuana and head of the international area

