Bank responsibility in phishing fraud cases. Legal advice. Spanish Expert lawyers in banking law.

Bank liability for phishing. Banking law in spain.

Digital transformation has changed the way we interact with banks. The advantages of digitalisation are undeniable (electronic payment, being able to make arrangements from our cell phone, avoiding queues at the office…) But this has also led to a significant rise in online crimes, also known as Phishing.  On this article, we analyse the bank liability for phishing and offer some keys to better understand how to act if we are victims of this type of cybercrime. 

What is phishing?

Phishing is a practice where a cybercriminal impersonates the identity of a bank entity that the victim has a relationship with. By deception, the scammer obtains the client’s confidential information (credit card details, digital signature, access codes, etc) and operates with the client’s funds without his consent.

Although there are different modalities, the pattern is very similar in most cases. The victim receives an email or SMS with a link that leads to a fake website. Under false pretexts such as: “Your passwords must be changed for security reasons” or “Your credit card has been blocked as a precaution.” Then, the user is invited to access a fake website that imitates the one of the bank’s. Once the victim does, the cybercriminal hijacks his information.

What does the law say in spain?

Royal Decree-Law 19/2018 is clear about banking liability in case of phishing, imposing a series of rights and responsibilities on both banks and users.

For instance, banking entities are required to implement a reinforced authentication system. Payment orders must be validated by a personal password and additionally by a second random code generated for each transaction. In addition, the bank must have mechanisms in place to detect when the passwords or the authentication process has been compromised. At the same time, the user must protect his data and notify without delay any loss, theft or unauthorised use of his accounts or cards.

What to do when we are victims of phishing?

First of all, we should notify the bank as soon as possible. This will ensure new security codes are issued, the compromised payment method is blocked immediately, etc…

The next step is to file a complaint with the Police, providing all the means of proof available: emails, SMS, etc…

Once the above steps have been taken, you should file a complaint against the bank, requesting that the funds wrongfully withdrawn in an unauthorised transaction are reimbursed.

Is the bank compelled to return the money to us?

The legislation and the criteria of the Spanish courts are conclusive with regards to the bank responsibility in cases of Phishing. The bank, as the legal depository of the money, is bound to return the stolen amounts. Unless they are able to prove fraud behaviour or gross negligence in the client’s actions, the bank must be held responsible for the damage caused.

If you have been a victim of bank phishing, if you want further advice about bank liability for phishing, at White & Baos we will study your case. We will be able to assist you and offer you expert legal advice. Contact us.

The information provided in this article is not intended to be legal advice, it simply conveys information related to legal issues.

Carlos Baos (Lawyer)

White & Baos.

Tel: +34 966 426 185


White & Baos 2022 – All Rights Reserved.

You may be interested in the following articles / services:

 Revolving cards. Claim against your bank. Expert solicitors. Time limitation, nullity, lack of transparency and usury. Court precedents.
 Claims against banks. The mortgage swap or the interest financial swap. New legal success against banks. Spanish banking law.

You can claim against the bank: floor clause, expenses, multi-currency, etc. even if the mortgage was paid or you gave the property in lieu of payment to the bank.

Leave a Reply

Your email address will not be published. Required fields are marked *