Phishing emails, SMS smishing, fake "bank operator" calls, website impersonation, unauthorised transfers... European payment-services law obliges the bank to refund the money unless it proves your gross negligence. The burden of proof is on the bank — and the case law is strict.
Following the European PSD2 directive and Royal Decree-Law 19/2018 on payment services, the rules are clear: in the case of an unauthorised operation, the bank must refund the full amount by the next business day after notification, unless it proves two things: (1) the operation was authenticated and (2) you acted with fraud or gross negligence.
The burden of proof falls on the bank, not on the victim. And the case law is very strict: clicking on a link received by SMS apparently from the bank is not gross negligence if the bank's security protocols were not enough to prevent the attack. If the bank did not detect the anomalous operation, did not apply strong customer authentication, or the customer fell victim to a sophisticated technique (impersonation, social engineering), the bank must answer for the loss.
The deadline to claim is 13 months from the unauthorised charge. But it is best to act immediately: the sooner you notify the bank and the police, the greater the chance of blocking the money before it leaves the system.
Each type has different evidentiary nuances. The legal strategy varies depending on the technique used by the fraudsters and the security protocols applied by your bank.
You receive an email apparently from the bank with a link to a website identical to the official one where you enter credentials. The bank is liable if it did not apply strong authentication or did not detect anomalies.
An SMS that appears in the same thread as legitimate bank messages (number spoofing). A more sophisticated technique — case law presumes the customer's diligence when the SMS appears next to genuine bank messages.
They call you pretending to be from the bank's anti-fraud department. They warn you of a "suspicious operation" and ask for codes to "stop it". The bank is liable if it did not detect the impersonation of its line or did not warn of the risk.
Unauthorised access to your online banking and transfers to mule accounts. If the bank did not apply strong customer authentication (SCA) under PSD2, it is fully liable.
Unauthorised Bizum or instant payments to accounts the bank should have flagged as suspicious. Particular attention is paid to the bank's duty to monitor atypical operations.
Where the bank refuses to refund and you have suffered documented damage (anxiety, lost time, financial hardship), additional moral damages can be claimed on top of the principal.
Ask us for a free case review and we will get back to you in less than 24 hours.
Enter the basics of the fraud. We assess the viability of the claim under settled case law and PSD2 criteria.
Time is critical in digital fraud — the sooner we act, the greater the chance of blocking the money. Leave us your details and a lawyer from the firm will urgently review your case. In less than 24 hours you will have a report with the strategy.
The European and Spanish framework on digital fraud has tightened in recent years — always in favour of the consumer. These are the three key references.
Electronic payment operations must, save for the exemptions provided in the regulation, apply strong customer authentication (SCA): two independent factors drawn from knowledge, possession and inherence. If the bank did not apply it correctly, it is fully liable for the fraud.
The bank must refund the amount on the next business day after notification unless it proves fraud or gross negligence by the customer. The burden of proof falls on the bank, not the victim.
The Provincial Courts have consolidated the test: clicking on a received link is not in itself gross negligence. If the attack was sophisticated and the bank's protocols insufficient, the bank is liable.