Consumer rights

Phishing Fraud in Spain: Is the Bank Liable for Stolen Money?

By the AbogadoAI editorial team · Updated 18 July 2026 · 11 min read

🇪🇸 Read the original in Spanish

Imagine opening your banking app only to discover, to your horror, that your current account has been cleared out or that transfers of thousands of euros have been made without your authorization. This nightmare is becoming increasingly common in Spain due to banking phishing—a social engineering technique where cybercriminals impersonate a financial institution to steal clients' access credentials. In this situation, the initial panic is usually accompanied by a crucial legal question: does the bank have to return the stolen money, or is it lost forever? In this article, we will analyze in depth the Spanish legal framework, the case law of the Tribunal Supremo (Supreme Court), and the exact steps you must take to recover every single cent of your savings.

The short and definitive answer is yes, the bank is liable for the stolen money in the vast majority of cases. However, to understand where this obligation comes from, we must look at the Spanish regulatory framework.

The key legislation regulating this matter is Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago (Royal Decree-Law 19/2018 on Payment Services, which transposes the European PSD2 directive). This regulation establishes a principle of quasi-strict liability for financial institutions.

The General Rule: Liability of the Payment Service Provider

According to Article 45 of the aforementioned Payment Services Law, in the event that an unauthorized payment transaction is executed, the payment service provider (the bank) must return the amount of the unauthorized transaction to the user immediately. The law starts from a clear premise: the bank is the custodian of the money, and if its security systems have been breached or bypassed, the liability falls on them.

Furthermore, Article 46 of the same law limits the liability of the payment service user. The client would only have to bear a maximum loss of 50 euros for unauthorized transactions resulting from the loss, theft, or misappropriation of a payment instrument, unless they have acted with gross negligence.

The Exception: "Gross Negligence" by the User

The only scenario in which the bank can legally refuse to return the money is if it proves that the user acted fraudulently or deliberately failed to comply—or did so through negligence grave (gross negligence)—with one or more of their obligations (such as protecting their security credentials).

This is where the real legal battle is fought. What is considered "gross negligence"? The case law of the Audiencias Provinciales (Provincial Courts) and the Tribunal Supremo in Spain is highly protective of the consumer. The courts understand that:

The General Law for the Defence of Consumers and Users

Additionally, Real Decreto Legislativo 1/2007 (Royal Legislative Decree 1/2007), which approves the recast text of the General Law for the Defence of Consumers and Users, establishes in its Article 147 that service providers will be liable for damages caused to consumers unless they prove that they have complied with the requirements and demands established by regulation. By offering an online banking service, the bank is obliged to guarantee that this environment is 100% secure.

Concrete Examples of Phishing Claims

To understand how these laws apply in practice, let us analyze two common situations with real figures.

Example 1: The SMS Impersonating Carlos's Bank

Carlos receives an SMS on his mobile phone that appears in the exact same message thread as his usual bank. The text reads: "We have detected suspicious access to your account. Verify your identity here: [web link]". Worried, Carlos clicks on the link, which takes him to a website identical to his bank's. He enters his username and password. Minutes later, the scammers make an unauthorized transfer of 4,500 euros to a foreign account.

Example 2: Sofia's Fraudulent Online Purchase

Sofia has her credit card physically stolen from her bag while traveling on the Madrid metro. Before she notices and can block it, the thieves make three online purchases for amounts of 120 euros, 85 euros, and 90 euros (a total of 295 euros), using contactless technology and web purchases without two-factor authentication.

Practical Steps: Step-by-Step to Recover Your Money

If you have been a victim of a phishing attack or banking fraud, you must act quickly. Time is a critical factor. Follow these steps in order:

  1. Block your accounts and cards immediately: Call your bank's customer service (available 24 hours) or use the mobile app to freeze your cards and change your online banking access passwords.
  2. Gather all possible evidence: Take screenshots of the fraudulent SMS, the phishing email, the history of received calls, the suspicious web link, and the bank transactions showing the unauthorized charges.
  3. File a report with the police: Go physically to a station of the Policía Nacional (National Police), Guardia Civil (Civil Guard), or the corresponding regional police. Detail with pinpoint accuracy how the deception occurred and provide the gathered evidence. Demand a stamped copy of the denuncia (police report), which must state the exact amounts defrauded.
  4. Submit a formal written claim to your bank's Customer Service Department: Attach the copy of the police report and a written request demanding the return of the money based on Article 45 of Real Decreto-ley 19/2018. The bank has a maximum period of 15 business days to respond to claims regarding payment services.
  5. Escalate the claim to the Banco de España if necessary: If the bank rejects your claim or does not respond within 15 business days, you can submit a complaint to the Claims Service of the Banco de España (Bank of Spain). Although their resolutions are non-binding, a favorable report from the Bank of Spain usually puts successful pressure on entities to return the money.
  6. Take legal action: If the amicable route fails, you will need to file a civil lawsuit against the bank. If the amount claimed is less than 2,000 euros, you will not need a lawyer (abogado) or court procurator (procurador), which significantly reduces the cost of the process. For higher amounts, having a lawyer specialized in banking law is fundamental to guarantee success.

Deadlines, Amounts, and Key Figures You Must Know

In the field of consumer and banking law, deadlines and figures are strict. Memorize these essential details:

Mistakes to Avoid After Falling Victim to Phishing

Committing certain errors in the hours following the fraud can weaken your legal position and give the bank arguments to deny the refund. Avoid the following:

Frequently Asked Questions (FAQ)

What if the bank says I authorized the transaction with an SMS code sent to my mobile?

This is the classic defense used by banks. However, Spanish courts have ruled that the fact that an SMS code was entered does not exempt the bank from its liability. Cybercriminals use techniques such as SIM swapping (duplicating the SIM card) or redirecting SMS messages via malware on the user's phone. It is up to the bank to prove that the authentication system used was completely secure, which is technically impossible to prove 100%.

Can I claim if the scam occurred on a credit card and not on my current account?

Yes, of course. The Payment Services Law protects funds deposited in current accounts, savings accounts, and transactions made via credit or debit cards equally. In fact, with credit cards, it is common that the money has not even left your actual pocket yet, but rather the granted credit limit, which makes it easier for the bank to freeze the charge.

What happens if I am a foreign resident in Spain and do not speak Spanish well?

Spanish consumer legislation protects any user of financial services operating with entities authorized by the Banco de España, regardless of their nationality. If you have language difficulties, you can request to be assisted in English or submit your claim in writing with the help of a legal advisor or translators. The police report can also be filed with the free assistance of an official interpreter.

How long does a court case against the bank for phishing usually take?

If you have to go to court, the resolution time will depend on how busy the local Juzgado de Primera Instancia (Court of First Instance) is. Generally, a verbal trial for amounts under 2,000 euros usually takes between 6 and 12 months to resolve. If the amount is higher and requires an ordinary trial (juicio ordinario), the timeframe can extend from 12 to 18 months. In the vast majority of cases that go to trial, the bank ends up paying the legal costs of the process as well.

Summary

General legal information, not personalised legal advice. For your specific situation, ask your question for free at AbogadoAI — answers grounded in Spanish law (BOE), in English.

Have a specific legal question?

Ask AbogadoAI and get an answer based on Spanish law (BOE), with sources — in English.

Ask for free

This is general information, not legal advice. Verify on the BOE or consult a lawyer for your specific case.