Organic Law 13/2022: Payment Fraud and Cyber Scams

Organic Law 13/2022, of December 20 (BOE-A-2022-21800), incorporated into Spanish law Directive (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment. Its aim is to modernise the criminal response to a phenomenon that has outgrown the classic concept of fraud: fraud that flows through cards, online banking, payment apps and digital credentials. As criminal defence lawyers, we explain what the reform changed, how it affects arts. 248 to 251 CP and computer fraud under art. 249 CP, and what it means today for anyone who is investigated, accused or a victim.

What the reform changed and why

The core of Organic Law 13/2022 is transposition: Spain was required to align its legislation with Directive (EU) 2019/713, which harmonises across the European Union the prosecution of fraud and counterfeiting of non-cash means of payment. The logic is simple: money no longer moves only in banknotes, but in data. A card, an online banking credential or a digital wallet is today the gateway to a person's assets, and their fraudulent use calls for a commensurate criminal response.

The reform strengthens the framework of fraud offences in arts. 248 to 251 CP in their relationship with computer fraud under art. 249 CP, so that conduct involving the fraud and counterfeiting of electronic means of payment is covered more clearly. This is not about inventing an entirely new offence, but about updating and giving coherence to the criminal treatment of the digital modalities that practice had been struggling to fit within the classic offence types.

What non-cash means of payment are

The protected category is broad. The expression "non-cash means of payment" covers instruments, whether tangible or intangible, that allow money or value to be transferred without resorting to banknotes and coins:

• Cards, credit and debit, physical or virtual.
• Online banking credentials (username, password, signature keys and one-time codes).
• Wallets and mobile payment apps, as well as the data needed to operate them.
• Any protected device, object or record that grants access to an account or allows a payment order to be initiated.

What matters is that protection is not limited to the physical medium: it also extends to the data associated with the payment instrument. Stealing, counterfeiting, possessing or fraudulently using such data to dispose of another person's assets is precisely what the reform seeks to combat more clearly.

Arts. 248 to 251 CP and their practical scope

The fraud offences are regulated in arts. 248 to 251 CP. The reform bears on this block and on its link with computer fraud:

• Art. 248 CP: defines classic fraud as the use of sufficient deception to produce error in another, inducing them to perform an act of disposal of assets to their own or another's detriment, with intent to profit.
• Art. 249 CP: contains computer fraud, which punishes anyone who, with intent to profit and by means of a computer manipulation or similar artifice, achieves an unauthorised transfer of an asset to another's detriment. It is the key figure for digital fraud, because it does not require deceiving a person, but the manipulation of a system.
• Art. 250 CP: sets out the aggravated forms of fraud, which increase the penalty in view of, among other factors, the amount defrauded or certain circumstances of the act.
• Art. 251 CP: criminalises other fraudulent conduct close to fraud in the legal traffic of goods and rights.

The practical scope of the reform is clear: unauthorised dispositions of assets carried out through cards, online banking or payment apps fit more firmly within computer fraud under art. 249 CP, without having to stretch the concept of deceiving a natural person. Anyone searching online about the mechanics of a fraud can consult the Criminal Code to place the conduct within this block of offence types.

Phishing and fraudulent use of payment instruments

The reform expressly addresses the modalities that dominate today's economic cybercrime:

• Phishing: capturing banking credentials through messages, emails or websites that impersonate a legitimate entity, in order to then make unauthorised dispositions. Its variants include smishing (by text message) and vishing (by call or voice).
• Fraudulent use of electronic payment instruments: using cards, card data or unlawfully obtained credentials to buy, transfer or withdraw funds.
• Counterfeiting and trafficking of the data or devices that allow operation as a means of payment.

In most of these cases, where there is a computer manipulation that causes a transfer of assets without the holder's consent, the conduct falls under computer fraud (art. 249 CP). The precise classification, however, depends on the specific conduct and on the available evidence: it is not the same to design the phishing campaign, to use the data to dispose of the money, or to lend one's account to receive it (the so-called "money mule"), whose liability must be analysed carefully according to their actual knowledge of the facts.

What it means today for someone investigated or accused

For anyone facing an investigation for a cyber scam or payment instrument fraud, the reform consolidates a scenario in which the evidence is essentially digital. This has two sides.

On the one hand, the criminal response is more robust and predictable. On the other, the attribution of authorship becomes the real battleground. The fact that an IP address, a device, an account or a terminal appears linked to certain facts does not, by itself, prove that a particular person is the material author of the fraud. IP addresses can be shared, spoofed or masked; accounts can be used without the holder's knowledge; and data can be manipulated if it is not collected with proper safeguards.

For that reason, in this type of proceedings the technical analysis of the digital investigation measures, the traceability of the movements and the rigorous assessment of the computer forensic evidence are decisive.

Lines of defence

A technical defence against these offences usually revolves around three axes that the very digital nature of the fraud brings to the fore:

• Proof of digital authorship: challenging whether the technical indicia (IP, logs, devices, accounts) unequivocally identify a person. The defence can require authorship to be proven beyond the mere association of a piece of data with a device or connection.
• Electronic chain of custody: examining how the digital evidence was obtained, preserved and analysed. If the integrity of the data is not guaranteed (collection without protocol, absence of a hash or of an attesting officer, broken traceability), its evidential value can be challenged.
• Individualisation of intent: in structures with several participants, not everyone acts with the same knowledge or the same intention. It is essential to distinguish those who knew and wanted the fraud from those who were used as instruments or were unaware of the unlawful origin of the funds or the data.

To this are added the general safeguards of criminal procedure: the lawfulness and proportionality of the technological measures, the presumption of innocence, and the limitation period for the offence according to its penalty. Each of these fronts must be assessed in light of the specific measures actually carried out. You can review the context of this and other amendments on our criminal law reforms page.

What it means for the victim

If you are the victim of fraud involving your card, your online banking or a payment app, the reform strengthens the framework for prosecuting these acts. Some immediate steps:

• Block and report the affected means of payment to your entity immediately to stop further dispositions.
• Preserve all the evidence: emails, text messages, screenshots, URLs, phone numbers and the unrecognised transactions. Do not delete anything.
• Report the facts and request that the necessary digital investigation measures be carried out to trace the destination of the funds.
• Claim against the entity under the payment services rules and assess the civil liability arising from the offence.

An early criminal analysis helps to orient the complaint, to request the appropriate measures and, where applicable, to structure the claim for the harm suffered.