Alonso Sala
CRIMINAL LAWYERS

Computer Fraud in Spain (Art. 249.1.a CP): What It Is and How to Defend It

June 19, 2026

Key Takeaways

  • Computer fraud = Article 249.1.a CP (not 248.2)
  • Computer manipulation + non-consented transfer
  • Phishing, malware, SIM swapping and CEO fraud
  • A money mule may be liable for laundering (Art. 301 CP)
  • Digital evidence and intent are key to the defence

Quick answer

Computer fraud is the offence under Article 249.1.a of the Spanish Criminal Code: obtaining, with intent to profit and through computer manipulation or a similar trick, a non-consented transfer of any asset to another person's detriment. It covers phishing, pharming, banking malware, SIM swapping and CEO fraud, and is punishable by 6 months to 3 years in prison.

Computer fraud is now one of the most common forms of fraud and, at the same time, one of the easiest to pin on someone who is not the real perpetrator. As criminal lawyers specialising in computer fraud, we examine exactly what the offence requires, which conduct it covers and what the lines of defence are when a charge of this kind arises. It is worth starting with an important technical point: computer fraud is now governed by Article 249.1.a) CP, not by the former 248.2, which has been superseded by the renumbering of the Criminal Code.

What Computer Fraud Is

Unlike classic fraud, which is built on deceiving a person, computer fraud punishes a fraud carried out against a machine or a system. Article 249.1.a) CP penalises anyone who, with intent to profit and by means of a computer manipulation or a similar trick, obtains a non-consented transfer of any asset to another person's detriment.

The reason for this self-standing offence is practical: when the fraud is executed by manipulating a system — rather than by deceiving a bank employee — there is no natural person who suffers the error that characterises ordinary fraud. The legislator therefore treats the manipulation of the machine as equivalent to traditional deception, protecting property in the same way.

Elements of the Offence (Art. 249.1.a CP)

For the offence to exist, the following elements must all be present:

  • Intent to profit: the aim of obtaining a financial benefit, whether for oneself or for a third party.
  • Computer manipulation or a similar trick: obstructing the operation of a computer system, or inputting, altering, deleting or suppressing data. This covers both technical intrusion and the use of credentials obtained by deception.
  • Non-consented transfer of an asset: a movement of money, crypto-assets or other value that the holder has not authorised.
  • Detriment to another: the actual financial harm caused to the victim.

The absence of any of these elements — in particular, the intent to profit or the lack of the holder's consent — prevents a conviction for this offence and calls for other characterisations, or a finding that the conduct is not punishable at all.

The Most Common Forms

A very wide range of technological fraud falls under Article 249.1.a) CP. The most frequent are:

  • Phishing: emails or messages impersonating an institution so the victim hands over their online banking credentials.
  • Pharming: redirecting the user to a fraudulent website that mimics the legitimate one, even when the correct address is typed.
  • Banking malware: malicious programs that capture credentials or manipulate transactions from the victim's own device.
  • SIM swapping: fraudulent duplication of the SIM card to intercept verification codes sent by SMS and empty accounts.
  • CEO fraud: impersonating a senior executive to order an employee to make an urgent transfer to an account controlled by the perpetrators.
  • Online banking manipulation: altering payment orders or the beneficiary's details once access to the system has been gained.

Sentences and Aggravating Factors (Art. 250 CP)

The basic offence of computer fraud is punishable by 6 months to 3 years in prison. The actual sentence depends on the amount defrauded and the circumstances of the case.

Where one of the aggravated subtypes in Article 250 CP applies — among others, that the fraud exceeds certain financial thresholds, that it affects a large number of people or that it concerns essential goods — the sentencing range rises markedly. That is why determining the amount and identifying the number of victims are central issues both at the investigation stage and in the defence.

Differences From Other Offences

The correct characterisation is decisive, because closely related conduct attracts different offences and sentences:

  • Versus disclosure of secrets (Art. 197 CP): this protects privacy and data, not property. Accessing a system without authorisation may fall under Article 197 CP; there is only computer fraud if, in addition, a non-consented transfer of assets is obtained with intent to profit.
  • Versus fraudulent use of cards (Art. 249.1.b CP): the non-consented use of cards or their data for financial transactions has its own provision, which must be distinguished from the computer manipulation in subsection (a).
  • Versus ordinary fraud (Art. 248 CP): if the fraud is based on deceiving a person — and not on manipulating a system — the characterisation returns to the general fraud offence.

The 'Money Mule' and Money Laundering

One of the most sensitive scenarios involves people who, sometimes without full awareness, let their account be used to receive and forward the defrauded money: so-called money mules. Even if they took no part in the computer manipulation, they may be liable for money laundering under Article 301 CP, which even covers the reckless form where a person acts with a serious breach of the duty of care.

In these cases the defence is aimed at establishing the absence of any knowledge of the unlawful origin of the funds and the lack of any prior agreement with the perpetrators of the fraud. The way the person was recruited — fake job offers, simulated romantic relationships — is often decisive in assessing what they could and should genuinely have known.

Digital Evidence and How to Challenge It

The evidence in these proceedings is almost always technological, and that is where much of the room for defence lies. A transfer executed from a particular IP address or account does not, in itself, prove that its holder ordered it. Aspects to examine closely include:

  • The chain of custody of the electronic evidence and how properly it was brought into the proceedings.
  • The connection and geolocation logs, and their real capacity to identify the author.
  • The traceability of the funds across the various intermediate accounts.
  • The possibility of identity spoofing or of the device or credentials being used by a third party.

The Supreme Court requires authorship to rest on sufficient evidence and not on mere conjecture; the defence can challenge both the attribution of the act and the presence of criminal intent.

Lines of Defence

Against a computer fraud charge, the most common strategies are:

  • Denial of authorship: where there is no solid evidence linking the person to the manipulation or the transfer.
  • Lack of intent: particularly relevant for the intermediary or money mule, in order to distinguish them from the author of the fraud.
  • Challenging the IT expert evidence: methodological errors, gaps in the chain of custody or inconclusive findings.
  • Alternative characterisation: recasting the facts as a less serious offence or, where appropriate, arguing that they are not punishable.
  • Reparation of the harm: restitution or deposit of the defrauded sum may operate as a mitigating factor.

Early involvement of a lawyer makes it possible to set out the account of the facts, secure favourable evidence and prepare the first statement, which often shapes the rest of the proceedings.

Concurrent Offences: When Several Crimes Overlap

A single technological fraud rarely fits within just one offence. Alongside computer fraud, other offences often arise that the court must assess together:

  • Document forgery: if documents are created or altered to carry out the fraud — contracts, receipts, simulated identities — there may be concurrence with forgery offences.
  • Disclosure of secrets: where, beyond the transfer, the victim's protected personal data is accessed, Article 197 CP may be added.
  • Money laundering: the destination and subsequent concealment of the defrauded funds may fall under Article 301 CP, particularly as regards intermediaries.
  • Membership of a criminal organisation or group: where the fraud is carried out in a structured way by several people with a division of roles.

Whether the situation is characterised as concurrent offences or as a conflict of rules has a direct impact on the final sentence, so defining precisely what conduct is charged, and against whom, is a central task for the defence.

What to Do If You Are Charged

Being summoned as a suspect in a computer fraud case understandably causes anxiety, especially where the person does not see themselves as the author of any fraud. Some basic guidance:

  • Do not make a statement without legal assistance and prior preparation. The first statement sets out an account that is hard to correct later; it is best to know the content of the file beforehand.
  • Keep all available information: messages, emails, job adverts, conversations or any data that explains how the situation came about, especially for the intermediary.
  • Do not contact other suspects or alter devices or accounts, which could be read as obstruction.
  • Gather the banking documentation that allows the path of the money to be reconstructed and, where relevant, the absence of any personal gain to be shown.

From there, the lawyer studies the police report and the expert evidence, identifies the weak points of the prosecution and decides, together with the client, on the most suitable strategy: from a reasoned denial of authorship to, where appropriate, reparation of the harm as a route to mitigation.

Computer Fraud Defence With Alonso Sala

At Alonso Sala, a criminal defence firm based in Madrid (C/ Velázquez 27) with coverage throughout Spain, we take on the defence of people investigated or charged with computer fraud and related offences, as well as the representation of those who have suffered this type of fraud. We analyse the characterisation, the digital evidence and the specific position of each party involved — from the alleged author to the intermediary — in order to build a strategy tailored to the facts. If you are facing a situation of this kind, our team of computer fraud defence lawyers can assess your case.

Frequently asked questions

Which article of the Spanish Criminal Code governs computer fraud?

Article 249.1.a CP, following the latest renumbering of the Criminal Code. The conduct consists of obtaining, with intent to profit, a non-consented transfer of any asset through computer manipulation or a similar trick. The old reference to former Article 248.2 CP has been superseded by the new numbering, although the elements of the offence remain the same.

What sentence does computer fraud carry?

The basic offence is punishable by 6 months to 3 years in prison. If any of the aggravating circumstances in Article 250 CP apply — for example, where the amount defrauded is high or the fraud affects a large number of people — the sentence increases significantly. The amount and the specific circumstances of the case are decisive in setting the actual sentence.

I acted as a 'money mule' without knowing the money was stolen. What is my risk?

Someone who lets their account be used to receive and forward proceeds of a fraud may be liable for money laundering under Article 301 CP, including its reckless form. The defence focuses on proving the absence of any knowledge of the unlawful origin of the funds and of any prior agreement with the perpetrators. Each case requires analysing what the person knew and how they were recruited.

How does computer fraud differ from unlawful access to data?

Computer fraud (Article 249.1.a CP) requires a non-consented transfer of assets made with intent to profit. Disclosure of secrets or unlawful access to systems (Article 197 CP) protects privacy and data, not property. A single phishing operation can give rise to concurrent offences if, beyond defrauding the victim, it also involves access to protected personal data.

What can the defence do against a computer fraud charge?

Challenging authorship is key: a transfer made from a given IP address or account does not mean the account holder ordered it. The chain of custody of the digital evidence, the connection logs, the traceability of the funds and possible identity spoofing all need to be examined. The defence also assesses intent and, where relevant, the distinction between the author of the fraud and a mere intermediary.
