
Liability of Banks in Cases of Phishing and Online Fraud
Phishing and Banking Liability. Supreme Court Judgment 571/2025, April 9.
About three years ago, I encountered my first phishing case. The bank refused to refund any amount. Someone had gained access to my client’s online banking credentials, taken out credit cards, and ordered bank transfers. Her account was emptied. The bank neither blocked any operations nor reversed the funds once the fraud was reported. It was the first of many cases. Friends and acquaintances followed. The type of scam changes, but the outcome is always the same: emptied accounts, confusion and guilt on the part of the victim, and the bank’s persistent refusal to return the money: “It’s your fault, you were the one who got tricked.”
Three years ago, there were hardly any judgments on this issue, but I was fortunate to find a wonderful ruling written in Galician by the Court of Pontevedra, April 7, 2021 (Id Cendoj: 36057370062021100128), which set me on the right path. The recently enacted Royal Decree-Law 19/2018 of November 23, on payment services and other urgent financial measures, had yet to generate case law and was eager to be heard in the courts. As a lawyer, I took the time to read it and, to me, it was quite clear: the bank must assume responsibility for losses resulting from fraud unless it can prove fraud or gross negligence by the client. I put that reasoning into a 50-page lawsuit, as any civil lawyer would, and, a few months ago, I received a remarkable judgment from Court of First Instance No. 31 of Barcelona, issued by Judge Judit Peries, stating the following:
“It should be emphasized and acknowledged that anyone, any of us, can be a victim of this type of cybercrime or fraud, and it cannot be presumed, as the bank seems to suggest, that simply being a victim implies imprudent or negligent conduct that would exempt the bank from civil liability. The law expressly provides protection for users in such cases, where third parties execute unauthorized banking operations through identity theft. The bank must prove either gross negligence or fraudulent behavior by the user. Merely being deceived cannot be considered negligence in itself. Nor can it be presumed from being a victim that the user failed to safeguard their credentials or payment devices properly. The bank has not demonstrated either of these legal grounds for exemption from civil liability.”
Of course, I liked that judgment: it supported my position (!!). But beyond that, it boldly reaffirmed the duty to protect citizens when they fall victim to fraud, holding the financial institution managing payment systems responsible for any losses. Being a victim of fraud does not make you responsible for your financial loss.
Finally, just two days ago, the Supreme Court ruled on the matter for the first time in Judgment 571/2025, dated April 9 (Id Cendoj: 28079110012025100563). This ruling cites EU directives and regulations underlying the protective legal framework and establishes the liability of the bank, not only for security failures in failing to detect fraudulent operations (multiple transfers in a short period, at odd hours, clearly unusual activity), but also for failing to take corrective action after the client reported the fraud, and, most importantly, for failing to prove the existence of fraud or willful or grossly negligent conduct by the user:
“The fact that the disclosure or knowledge of the credentials by a third party cannot be attributed to the bank does not relieve it of its obligation to respond, nor does it transfer to the user the duty to bear the losses. The payment service provider, in addition to demonstrating that the service was properly executed (which it was not), must prove the existence of fraud or willful or grossly negligent conduct by the user. In this regard, both the trial and appellate courts agree that no fraud or willful or grossly negligent breach of the user’s obligations has been proven, particularly those concerning the reasonable protection of their personalized security credentials and prompt notification to the payment service provider of any unauthorized use, which the user did, reporting access attempts three weeks in advance. Note that, contrary to the appellant’s argument, the mere fact that a third party could access the client’s digital banking credentials does not in itself imply negligence, as there could be multiple explanations, many of which cannot reasonably be attributed to negligence, let alone gross negligence.”
Unfortunately, banking scams are becoming more frequent, and there is a lack of information. The criminal is a professional who continually invents new forms of digital deception. They purchase data and steal identities. They can call from the bank’s official phone number or replicate its website perfectly. They invest heavily in this type of crime because it allows them to operate remotely, avoid criminal liability, and obtain money easily.
This issue concerns me deeply, and I want people to stay alert, so I talk about it constantly, to everyone. Any excuse works. “Which floor are you going to?” “The ninth. By the way, did you hear about the new scam where…?” I go to the Mossos d’Esquadra station for a case and mention it. I notice a tray behind the counter labeled “Banking fraud.” It’s overflowing with papers. The officer tells me it never stops: that very morning, a woman had come in; the day before, a man. They’re overwhelmed. The same story at the Civil Guard and the National Police. They all agree: most cases end up being closed due to lack of investigative resources.
So yes, I fully support strong consumer protection, especially for those for whom such theft means losing all their savings and who lack (we lack) the capacity to fully defend themselves against such professionalized attacks. Victims feel vulnerable, foolish, and fearful after being deceived. It is the responsibility of banks, which profit from online banking, to adopt all necessary and sufficient measures to prevent fraud, and, above all, to act swiftly once notified of the theft. I have seen too many cases where, after being notified of the fraud, the bank takes no action to stop the transactions, merely instructing the client to file a police report. They do not initiate reversal of transfers or contact recipient banks to block the funds.
Nothing. And yet, prompt action could have been decisive in preventing the loss. That said, there are banks and then there are banks, and some certainly stand out more than others.