Cybercrime in Spain: Phishing, Online Fraud, and How to Report with Digital Evidence
Guide on cybercrime in Spain: phishing, computer fraud (Arts. 248-249 CP), identity theft, how to file a report, preserve digital evidence, and key case law.
Cybercrime in Spain: A Growing Phenomenon
Cybercrime has experienced exponential growth in Spain. According to data from the Ministry of Interior, computer crimes now represent over 16% of all recorded criminal offenses, with more than 375,000 proceedings in 2024. This guide analyzes the main criminal categories, their criminal regulation, reporting mechanisms, and the crucial issue of digital evidence preservation.
Computer Fraud: Arts. 248 and 249 of the Criminal Code
Computer fraud is the most common cybercrime in Spain. Art. 248 CP defines fraud as obtaining an unlawful financial benefit through sufficient deception, and its paragraph 2 extends criminal liability to computer manipulations.
#### Art. 248.2 CP: Computer Fraud in the Strict Sense
Art. 248.2 CP criminalizes the conduct of those who, with the intent to profit and using any computer manipulation or similar artifice, achieve the non-consensual transfer of any financial asset to the detriment of a third party.
Elements of the offense:
- Computer manipulation: Any intervention in the electronic data processing system (phishing, pharming, skimming, banking malware).
- Intent to profit: Intention to obtain financial benefit.
- Financial transfer: Movement of funds or assets without the holder's consent.
- Third-party damage: Actual financial harm.
#### Applicable Penalties (Art. 249 CP)
Fraud is punishable by imprisonment from six months to three years, graded according to the amount defrauded, the means used, and the relationship between victim and perpetrator. If the amount does not exceed EUR 400, it qualifies as a minor offense (Art. 249.2 CP) with a fine of one to three months.
Aggravating circumstances (Art. 250 CP):
- Amount exceeding EUR 50,000 or affecting a large number of people.
- Abuse of existing personal relationships between victim and defrauder.
- Use of means that hinder identification of the perpetrator.
- Fraud involving essential goods, housing, or other goods of recognized social utility.
Phishing: The Most Common Digital Fraud
Phishing involves impersonating a trusted entity (bank, public administration, service company) to obtain access credentials, banking data, or personal information from the victim.
#### Phishing Methods
- Classic email phishing: Emails replicating the appearance of banks or administrations, with links to fraudulent websites.
- Smishing: Phishing via SMS. Very common with fake notices from postal services, tax authorities, or banks.
- Vishing: Phishing by phone call, where the scammer impersonates a bank operator or authority.
- Spear phishing: Targeted attacks on specific individuals with personalized information, particularly dangerous in corporate settings.
- Pharming: Redirecting legitimate web traffic to fraudulent pages through DNS manipulation or hosts file modification.
#### Bank Liability
Spanish case law has established that banks have a quasi-objective obligation to guarantee the security of electronic payment methods. Royal Decree-Law 19/2018 (transposing the PSD2 Directive) requires the payment service provider to refund the amount of unauthorized transactions unless it proves the user's gross negligence (Art. 44).
STS 317/2023 (Civil Chamber) confirmed that the bank is liable for transfers made through phishing when it has not implemented the Strong Customer Authentication (SCA) required by PSD2, shifting the burden of proof to the bank to demonstrate that the user acted with gross negligence.
Digital Identity Theft
Identity theft in the digital environment can be classified under different criminal types:
#### Usurpation of Civil Status (Art. 401 CP)
Anyone who usurps another person's civil status faces imprisonment from six months to three years. This offense applies when someone fully assumes another person's identity (name, ID, signature) in the digital environment.
#### Discovery and Disclosure of Secrets (Art. 197 CP)
Unauthorized access to email accounts, social media, or cloud services constitutes a crime against privacy under Art. 197 CP, punishable by imprisonment from one to four years. If the obtained data is disseminated, the penalty increases to imprisonment from two to five years (Art. 197.3 CP).
#### Document Forgery (Arts. 390-400 CP)
Creating false digital documents (certificates, contracts, invoices) or altering authentic documents constitutes documentary falsification, with penalties of imprisonment from six months to three years (falsification of private documents, Art. 395 CP) or three to six years (falsification of public documents, Art. 390 CP).
Other Relevant Cybercrimes
#### Unauthorized Access to Computer Systems (Art. 197 bis CP)
Unauthorized access to a computer system or part thereof, breaching established security measures, is punishable by imprisonment from six months to two years. If especially protected data is accessed (trade secrets, sensitive personal data), the penalty is increased.
#### Computer Damage (Art. 264 CP)
Destroying, altering, or rendering unusable third-party data, computer programs, or electronic documents is punishable by imprisonment from six months to three years. If the attack affects critical infrastructure, the penalty is three to eight years (Art. 264 bis CP).
#### Online Investment Fraud
Attracting investors through fraudulent trading platforms, cryptocurrencies, or pyramid schemes is classified as aggravated fraud under Art. 250 CP, especially when affecting a large number of victims.
How to Report a Cybercrime
#### Where to Report
- National Police: Central Technological Investigation Brigade (BCIT). Online reporting available through the National Police Corps website.
- Civil Guard: Telematic Crimes Group (GDT). Accepts in-person reports and collaborates on international investigations.
- Investigating Court: Through a criminal complaint (querella) with legal counsel. Recommended for high-value fraud.
- INCIBE (National Cybersecurity Institute): Citizen assistance at phone 017 and through its website. Not a criminal reporting body but provides advice and referrals.
#### Required Documentation
For the report to be effective, it should include as much evidence as possible:
- Screenshots of fraudulent emails, messages, or websites.
- Bank statements showing unauthorized transactions.
- Call records (if vishing applies).
- Complete URLs of fraudulent pages.
- Complete email headers (to trace the originating IP).
- Any communication with the scammer.
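Why the complete headers matter, shown as an added example (not part of the original guide): each mail server prepends a `Received` line, so reading them bottom-up reconstructs the delivery path and the earliest external address. The sample message, host names, and addresses are constructed placeholders, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample message; hosts and addresses are placeholders, not real senders.
RAW = """\
Received: from mx.bank-example.test (mx.bank-example.test [10.0.0.5])
    by inbox.example.test with ESMTP id abc123; Mon, 3 Mar 2025 10:00:05 +0100
Received: from relay.example.net (relay.example.net [198.51.100.23])
    by mx.bank-example.test with ESMTP id def456; Mon, 3 Mar 2025 10:00:03 +0100
Received: from [192.168.1.44] (unknown [203.0.113.77])
    by relay.example.net with ESMTPSA id ghi789; Mon, 3 Mar 2025 10:00:01 +0100
From: "Your Bank" <alerts@bank-example.test>
Subject: Verify your account

Body text.
"""

# RFC 1918, loopback and link-local ranges never identify a host on the internet.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_hops(raw):
    """Return hops oldest-first; each server prepends its own Received line."""
    hops = []
    for value in reversed(email.message_from_string(raw).get_all("Received", [])):
        ips = []
        for cand in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", value):
            try:
                ips.append(ipaddress.ip_address(cand))
            except ValueError:
                pass  # bracketed text that is not an address
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append({"by": by.group(1) if by else None, "ips": ips})
    return hops

def first_external_ip(raw):
    """Earliest non-internal address. Lines added before the first server you
    trust can be forged by the sender, so treat the result as a lead."""
    for hop in received_hops(raw):
        for ip in hop["ips"]:
            if not any(ip in net for net in INTERNAL):
                return str(ip)
    return None

if __name__ == "__main__":
    print(first_external_ip(RAW))
```

A forwarded message or a screenshot loses these lines, which is why the report should attach the original message file with its headers intact.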
Digital Evidence Preservation
Digital evidence is fragile and easily altered. Its proper preservation is decisive for the success of criminal proceedings.
#### Notarial Certificate of Web Content
A notary can issue a certificate attesting to the content of a web page, email, or digital conversation as it appeared at a specific time. This mechanism gives the content the backing of the notary's public attestation, granting it full evidentiary value.
#### Hash and Chain of Custody
Digital files must be preserved with their cryptographic hash (SHA-256 or similar) to ensure they have not been altered. The digital chain of custody must document who has had access to the file, when, and under what conditions.
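One way to keep the hash and the custody record together, as an added example (not part of the original guide): every custody event stores the file's SHA-256 plus who handled it, when, and why, and each entry also commits to the previous one so that later edits to the log are detectable. The field names, the `GENESIS` constant, and the handler labels are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first log entry

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large forensic images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    """Hash every field of a log entry except its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record_event(log, path, handler, action):
    """Append who touched the file, when and why, chained to the prior entry."""
    entry = {
        "file": path,
        "sha256": sha256_file(path),
        "handler": handler,
        "action": action,
        "utc": datetime.now(timezone.utc).isoformat(),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return problems found: edited or reordered entries, or changed files."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            problems.append(f"entry {i}: custody log altered")
        if sha256_file(e["file"]) != e["sha256"]:
            problems.append(f"entry {i}: file no longer matches recorded hash")
        prev = e["entry_hash"]
    return problems

if __name__ == "__main__":  # constructed sample: the script hashes itself
    log = []
    record_event(log, __file__, "analyst A (hypothetical)", "acquired")
    record_event(log, __file__, "analyst B (hypothetical)", "received for analysis")
    print(json.dumps(log, indent=2), verify(log))
```

The chain only proves internal consistency, so the latest `entry_hash` should also be recorded somewhere the handlers cannot rewrite, such as the signed expert report.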
#### Forensic Device Imaging
In complex cases, a computer forensic expert can create a forensic image of the device (phone, computer) using tools such as EnCase or FTK, preserving a bit-by-bit copy of the medium with its corresponding hash.
Lexiel and Cybercrime
Lexiel AI enables criminal lawyers to search updated case law on cybercrime in CENDOJ, filter by crime type (phishing, ransomware, investment fraud), amount defrauded, or aggravating circumstances. Its semantic search engine facilitates finding relevant judgments on digital evidence admissibility, bank liability, and strong authentication -- issues that evolve rapidly and require efficient access to the latest doctrine.
Frequently Asked Questions
How long do I have to report computer fraud?
The limitation period for basic fraud is five years (Art. 131.1 CP), and for aggravated fraud under Art. 250 CP it is ten years. Minor fraud offenses (amount under EUR 400) become time-barred after one year. The period runs from the commission of the offense or from when knowledge of it is acquired.
Can the bank refund my money if I am a phishing victim?
Yes. RD-Law 19/2018 requires the bank to refund the amount of unauthorized transactions unless it proves the user's gross negligence. Recent case law (STS 317/2023) reinforces this obligation, especially if the bank did not implement Strong Customer Authentication (SCA).
Are screenshots valid as evidence in court?
Yes, but their evidentiary value is limited if not corroborated by other means. A notarial certificate of web content or a computer forensic report provides greater evidentiary strength.
What should I do if my identity is stolen on social media?
Report to the National Police or Civil Guard with screenshots of the fake profile. Simultaneously, report the profile to the platform (Instagram, Facebook, X) for removal. If your data is used to commit crimes, the report should include a specific criminal complaint.
Is ethical hacking or penetration testing a crime?
Unauthorized access to computer systems is a crime (Art. 197 bis CP) regardless of intent. Penetration testing is only legal when performed with the express authorization of the system owner (pentesting contract). "Ethical hacking" without authorization does not exempt from criminal liability.
Can I claim compensation from the company that suffered the data breach?
Yes, under the GDPR and LOPDGDD, you can file a civil liability action against the data controller who failed to implement adequate security measures. The amount depends on the damage suffered (financial and moral).