Phishing Fraud in Spain: Is the Bank Liable for Stolen Money?
Imagine opening your banking app only to discover, to your horror, that your current account has been cleared out or that transfers of thousands of euros have been made without your authorization. This nightmare is becoming increasingly common in Spain due to banking phishing—a social engineering technique where cybercriminals impersonate a financial institution to steal clients' access credentials. In this situation, the initial panic is usually accompanied by a crucial legal question: does the bank have to return the stolen money, or is it lost forever? In this article, we will analyze in depth the Spanish legal framework, the case law of the Tribunal Supremo (Supreme Court), and the exact steps you must take to recover every single cent of your savings.
The Legal Framework in Spain: Who Carries the Cost?
The short and definitive answer is yes, the bank is liable for the stolen money in the vast majority of cases. However, to understand where this obligation comes from, we must look at the Spanish regulatory framework.
The key legislation regulating this matter is Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago (Royal Decree-Law 19/2018 on Payment Services, which transposes the European PSD2 directive). This regulation establishes a principle of quasi-strict liability for financial institutions.
The General Rule: Liability of the Payment Service Provider
According to Article 45 of the aforementioned Payment Services Law, in the event that an unauthorized payment transaction is executed, the payment service provider (the bank) must return the amount of the unauthorized transaction to the user immediately. The law starts from a clear premise: the bank is the custodian of the money, and if its security systems have been breached or bypassed, the liability falls on them.
Furthermore, Article 46 of the same law limits the liability of the payment service user. The client would only have to bear a maximum loss of 50 euros for unauthorized transactions resulting from the loss, theft, or misappropriation of a payment instrument, unless they have acted with gross negligence.
The Exception: "Gross Negligence" by the User
The only scenario in which the bank can legally refuse to return the money is if it proves that the user acted fraudulently or deliberately failed to comply—or did so through negligence grave (gross negligence)—with one or more of their obligations (such as protecting their security credentials).
This is where the real legal battle is fought. What is considered "gross negligence"? The case law of the Audiencias Provinciales (Provincial Courts) and the Tribunal Supremo in Spain is highly protective of the consumer. The courts understand that:
- A simple oversight or falling victim to a highly sophisticated deception (such as an SMS that integrates into the same thread as real messages from the bank, known as SMS spoofing) does not constitute gross negligence.
- For gross negligence to exist, the user must have acted with an absolute, almost reckless lack of diligence (for example, writing the PIN code directly on the credit card or handing over all digital signature codes without making any verification in response to a crude request full of spelling mistakes).
- The burden of proof rests exclusively on the bank. It is the financial institution that must prove before a judge that the client acted in a grossly negligent manner; it is not enough for the bank to state that "the correct security codes were entered."
The General Law for the Defence of Consumers and Users
Additionally, Real Decreto Legislativo 1/2007 (Royal Legislative Decree 1/2007), which approves the recast text of the General Law for the Defence of Consumers and Users, establishes in its Article 147 that service providers will be liable for damages caused to consumers unless they prove that they have complied with the requirements and demands established by regulation. By offering an online banking service, the bank is obliged to guarantee that this environment is 100% secure.
Concrete Examples of Phishing Claims
To understand how these laws apply in practice, let us analyze two common situations with real figures.
Example 1: The SMS Impersonating Carlos's Bank
Carlos receives an SMS on his mobile phone that appears in the exact same message thread as his usual bank. The text reads: "We have detected suspicious access to your account. Verify your identity here: [web link]". Worried, Carlos clicks on the link, which takes him to a website identical to his bank's. He enters his username and password. Minutes later, the scammers make an unauthorized transfer of 4,500 euros to a foreign account.
- Resolution: Carlos files a claim. The bank initially refuses, claiming that Carlos provided the codes voluntarily. However, as this was a highly sophisticated spoofing technique that would deceive an average user, there is no gross negligence. The bank is ordered to return the full 4,500 euros to Carlos, plus legal interest.
Example 2: Sofia's Fraudulent Online Purchase
Sofia has her credit card physically stolen from her bag while traveling on the Madrid metro. Before she notices and can block it, the thieves make three online purchases for amounts of 120 euros, 85 euros, and 90 euros (a total of 295 euros), using contactless technology and web purchases without two-factor authentication.
- Resolution: In this case of physical loss of the payment instrument, Sofia notifies the bank as soon as she notices the theft. According to Article 46 of the Payment Services Law, Sofia is only liable for the first 50 euros of loss prior to the blocking notification. The bank must mandatory refund her 245 euros of the 295 euros stolen.
Practical Steps: Step-by-Step to Recover Your Money
If you have been a victim of a phishing attack or banking fraud, you must act quickly. Time is a critical factor. Follow these steps in order:
- Block your accounts and cards immediately: Call your bank's customer service (available 24 hours) or use the mobile app to freeze your cards and change your online banking access passwords.
- Gather all possible evidence: Take screenshots of the fraudulent SMS, the phishing email, the history of received calls, the suspicious web link, and the bank transactions showing the unauthorized charges.
- File a report with the police: Go physically to a station of the Policía Nacional (National Police), Guardia Civil (Civil Guard), or the corresponding regional police. Detail with pinpoint accuracy how the deception occurred and provide the gathered evidence. Demand a stamped copy of the denuncia (police report), which must state the exact amounts defrauded.
- Submit a formal written claim to your bank's Customer Service Department: Attach the copy of the police report and a written request demanding the return of the money based on Article 45 of Real Decreto-ley 19/2018. The bank has a maximum period of 15 business days to respond to claims regarding payment services.
- Escalate the claim to the Banco de España if necessary: If the bank rejects your claim or does not respond within 15 business days, you can submit a complaint to the Claims Service of the Banco de España (Bank of Spain). Although their resolutions are non-binding, a favorable report from the Bank of Spain usually puts successful pressure on entities to return the money.
- Take legal action: If the amicable route fails, you will need to file a civil lawsuit against the bank. If the amount claimed is less than 2,000 euros, you will not need a lawyer (abogado) or court procurator (procurador), which significantly reduces the cost of the process. For higher amounts, having a lawyer specialized in banking law is fundamental to guarantee success.
Deadlines, Amounts, and Key Figures You Must Know
In the field of consumer and banking law, deadlines and figures are strict. Memorize these essential details:
- 13 months: This is the maximum legal period you have to communicate an unauthorized or incorrectly executed payment transaction to your bank, counting from the debit date (according to Article 43 of the Payment Services Law). If you claim after this period, you lose the right to demand a refund.
- 15 business days: The maximum period that your bank's Servicio de Atención al Cliente (SAC / Customer Service Department) has to resolve and reply to your formal written claim regarding payment service fraud.
- 50 euros: The maximum amount the client must bear for losses resulting from unauthorized transactions before notifying the theft or loss of a physical card, except in cases of gross negligence or fraud.
- 2,000 euros: The economic limit for verbal trial (juicio verbal) lawsuits. If your claim is for 1,999 euros or less, you can file the lawsuit yourself without spending money on a lawyer or court procurator.
- 24 hours: The recommended timeframe to file the police report and notify the bank from the moment you detect the fraud. Speed demonstrates your diligence as a consumer ahead of any future court case.
Mistakes to Avoid After Falling Victim to Phishing
Committing certain errors in the hours following the fraud can weaken your legal position and give the bank arguments to deny the refund. Avoid the following:
- Not reporting it to the police out of embarrassment or laziness: Many users decide not to file a report if the stolen amount is small (for example, 150 euros). Without a police report, the bank will automatically reject any claim, and you will have no legal basis to go to court.
- Deleting the evidence of the scam: In a fit of anger or panic, it is common to delete the malicious SMS, the phishing email, or the call history. These elements are your legal lifeline to prove that you were the victim of an elaborate deception and that you did not act with gross negligence.
- Accepting the bank's first refusal as final: Banks' claims departments often send "template" rejection letters claiming that the client provided their security codes. Do not give up. This is a common strategy to discourage clients. The case law is on your side.
- Delaying the communication of the incident: If you let weeks pass from the moment you see the suspicious charge until you notify the bank, the financial institution will argue that you breached your obligation to notify the event without undue delay, which could be classified as negligence.
Frequently Asked Questions (FAQ)
What if the bank says I authorized the transaction with an SMS code sent to my mobile?
This is the classic defense used by banks. However, Spanish courts have ruled that the fact that an SMS code was entered does not exempt the bank from its liability. Cybercriminals use techniques such as SIM swapping (duplicating the SIM card) or redirecting SMS messages via malware on the user's phone. It is up to the bank to prove that the authentication system used was completely secure, which is technically impossible to prove 100%.
Can I claim if the scam occurred on a credit card and not on my current account?
Yes, of course. The Payment Services Law protects funds deposited in current accounts, savings accounts, and transactions made via credit or debit cards equally. In fact, with credit cards, it is common that the money has not even left your actual pocket yet, but rather the granted credit limit, which makes it easier for the bank to freeze the charge.
What happens if I am a foreign resident in Spain and do not speak Spanish well?
Spanish consumer legislation protects any user of financial services operating with entities authorized by the Banco de España, regardless of their nationality. If you have language difficulties, you can request to be assisted in English or submit your claim in writing with the help of a legal advisor or translators. The police report can also be filed with the free assistance of an official interpreter.
How long does a court case against the bank for phishing usually take?
If you have to go to court, the resolution time will depend on how busy the local Juzgado de Primera Instancia (Court of First Instance) is. Generally, a verbal trial for amounts under 2,000 euros usually takes between 6 and 12 months to resolve. If the amount is higher and requires an ordinary trial (juicio ordinario), the timeframe can extend from 12 to 18 months. In the vast majority of cases that go to trial, the bank ends up paying the legal costs of the process as well.
Summary
- The bank is primarily liable: By law, financial institutions must immediately refund money stolen through unauthorized payment transactions.
- Gross negligence is the exception: The bank will only escape liability if it proves you acted with extreme and reckless lack of care, which is very difficult for them to prove in cases of sophisticated phishing.
- Report and claim quickly: You have a maximum period of 13 months to claim, but you should do so immediately. Block your accounts, report it to the police, and submit the written claim to your bank's SAC.
- Keep all evidence: Do not delete SMS messages, emails, or screenshots; they are the proof that you were deceived through complex techniques.
- The judicial route is highly effective: If the bank rejects your claim amicably, Spanish courts rule in favor of the consumer in more than 90% of phishing cases.
General legal information, not personalised legal advice. For your specific situation, ask your question for free at AbogadoAI — answers grounded in Spanish law (BOE), in English.
Have a specific legal question?
Ask AbogadoAI and get an answer based on Spanish law (BOE), with sources — in English.
Ask for freeThis is general information, not legal advice. Verify on the BOE or consult a lawyer for your specific case.