Online Fraud Spain 2026: How to Report and Recover Money (Art. 248 CP)
Guide to cybercrime fraud (Art. 248.2 CP): key elements, how to file a police report, bank liability for phishing, claim before Banco de España, timelines. Updated with 2024-2025 case law.
What is computer fraud under Spanish law?
Computer fraud is defined in Art. 248.2 of the Spanish Criminal Code as a form of aggravated fraud committed through computer manipulation or similar artifice to transfer assets without the genuine consent of the holder. Common forms include phishing, vishing, SIM swapping, business email compromise and investment scams.
Penalties
Depending on the amount and circumstances: 6 months to 3 years imprisonment for amounts over €400, up to 6 years for over €50,000 or special severity, up to 9 years for organised crime involvement.
Bank liability
Directive (EU) 2015/2366 (PSD2), transposed in Spain by RDL 19/2018, makes banks the default liable party for unauthorised payment transactions unless they prove the customer acted with gross negligence or fraud. Recent Supreme Court and Provincial Court rulings (2023-2025) have raised the bar for what constitutes "gross negligence", frequently requiring banks to refund phishing victims.
First steps
Block the account immediately, preserve all evidence (screenshots, messages, bank records), and file a police report within 24 hours. Then formally claim from the bank. If rejected, escalate to the Banco de España's conduct department.
Lexiel helps criminal lawyers and victims structure computer fraud complaints, analyze bank liability under PSD2 and prepare the Banco de España claim or civil lawsuit.
Try Lexiel free · 28 days
Use code LEX-BLOG for double the standard trial period. Cancel anytime, no commitment.