Alonso Sala
CRIMINAL LAWYERS

Criminal Lawyers in Phishing & Fraud

Technical defense in phishing, identity-theft and computer-fraud offences (Arts. 248 to 251 CP).

Specialist Defense in Phishing and Fraud Crimes

The offences of phishing and computer fraud, regulated in Arts. 248 to 251 bis of the Spanish Criminal Code, are one of the most rapidly expanding criminal modalities in the cyber field. Art. 249.1.a) CP specifically defines computer fraud: computer manipulation or a similar artifice that achieves the non-consensual transfer of a patrimonial asset to a third party's detriment. Alongside classic phishing (Brand Spoofing and Smishing), the conduct prosecuted includes vishing (telephone phishing, now amplified by AI voice cloning), pharming (DNS redirection), targeted spear phishing and Business Email Compromise (BEC) or CEO Fraud. Consolidated Supreme Court case-law has clarified the contours of the offence and, fundamentally, the criteria for attributing liability to "bank money mules" recruited with fake job offers. As criminal lawyers specialising in computer fraud, we intervene from the first procedural step to articulate the defence or, where appropriate, the private prosecution.

The typical modalities are diverse and grow steadily more sophisticated. Classic phishing: mass emails impersonating banking institutions, fiscal bodies (AEAT, DGT, Correos) or popular services (Amazon, Netflix), redirecting to fake websites to capture credentials. Smishing: SMS with fraudulent links. Vishing: calls impersonating banking employees, Microsoft technicians or tax agents, now hyper-sophisticated with AI voice cloning. Spear phishing: targeted attacks against executives, professionals or selected victims through prior social-media engineering. CEO Fraud / BEC: impersonation of the CEO or CFO through email spoofing, with requests for urgent transfers to controlled accounts. CEO fraud with cloned voice: a BEC variant enhanced by audio deepfake. Romance scam: sentimental fraud that leads into a crypto investment scam. Mule operations: recruitment of people with fake job offers to receive and forward defrauded funds.

The penalties are severe because several offences usually apply together (real concurrence). Computer fraud (Art. 249.1.a CP) in its basic form carries prison from 6 months to 3 years; when an aggravating circumstance of Art. 250 CP applies (amount exceeding EUR 50,000, basic-need goods, special gravity, a large number of victims, abuse of personal or professional relationships), penalties rise to 1-6 years' prison and a fine of 6 to 12 months. If the amount defrauded exceeds EUR 250,000 or the qualified combinations of Art. 250.2 CP concur, the penalty reaches 4 to 8 years' prison. Money laundering derived from the collection and forwarding of defrauded funds (Art. 301 CP) adds prison from 6 months to 6 years. For bank money mules acting with gross negligence, the conviction usually ranges between 1-3 years' prison, frequently suspendable if there is no record. The reparative civil liability is joint and several and covers the reimbursement of the defrauded amount.

The technical defence articulates several complementary lines. When defending a person investigated as a mule, we articulate the mistake of fact under Art. 14 CP: the client was recruited through an apparently legitimate job offer (collection manager, financial intermediary, commercial agent), never knew the illicit origin of the money received and acted under a reasonable belief of lawfulness. We provide as evidence the job offer, the simulated contracts, the emails with the alleged employer and the absence of records or criminal profile. We also discuss the gradation between gross negligence (criminal) and minor negligence (atypical) in laundering cases (Art. 301.3 CP). When representing the phishing victim, we direct a civil claim against the banking institution for breach of the duty of vigilance and security (payment-services legislation and the case-law of the Civil Chamber of the Supreme Court on unauthorised payment transactions), demanding the full refund of the transferred amounts when the bank did not implement strong customer authentication in accordance with PSD2 (Directive EU 2015/2366).

In current forensic practice we observe exponential growth in phishing and computer-fraud proceedings, especially linked to BEC frauds against companies with AI-cloned voice, mass consumer frauds through banking smishing, romance scams with derivation to crypto-asset investment, and frauds against the elderly through technical vishing. Directive PSD2 (EU 2015/2366) on payment services, Directive NIS2 (EU 2022/2555) on cybersecurity, Regulation DORA (EU 2022/2554) on digital operational resilience, Regulation eIDAS2 (EU 2024/1183) on digital identity, Organic Law 1/2025 on Justice Service Efficiency and recent Supreme Court case-law on banking liability for phishing have transformed the regulatory framework. At Alonso Sala, we tackle each file with a multidisciplinary criminal-civil-banking team: we conduct a forensic audit of the fraud, articulate technical expertise to challenge attribution when defending, and exercise banking claims for civil liability when representing the victim.

Phishing and Fraud Defense Services

Our phishing and fraud offense specialists develop strategies based on the absence of intent and type error, proving how our clients were instrumentalized without their knowledge.

Defense: Absence of Intent

Our strategy focuses on proving Error of Type (Art. 14 CP). If we demonstrate that the client acted under deception and was unaware of the illicit origin of the money, there is no intent (criminal intention). We provide emails of the fake job offer, simulated contracts, and analyze the client's profile to prove their good faith.

CEO Fraud (BEC)

In the corporate sphere, we defend financial and administrative executives who, deceived by an email impersonating the CEO or a regular supplier, made transfers to scammers' accounts. We prove they were victims of a sophisticated attack that bypassed standard security filters, eliminating criminal liability for unfair administration.

What to Do If You Are a Phishing Victim: Step-by-Step Guide

If you have just discovered charges or transfers you did not authorise, the first steps condition both the criminal investigation and the claim against your bank. This is the sequence we recommend, in this order:

  1. Contact your bank immediately. Ask for your cards and online banking to be blocked, formally report the unauthorised payment transactions and ask the bank to attempt to recall the transfers. Spanish payment-services legislation (Royal Decree-Law 19/2018, implementing the PSD2 Directive) requires the user to report the unauthorised transaction without undue delay upon becoming aware of it: always leave a written record and keep proof of that communication.
  2. Preserve all the evidence. Delete nothing: the SMS or email received (with full headers if possible), the address of the fake website, screenshots, transaction receipts, the phone numbers that called you and your bank statements. If your device may have been compromised — you installed an app or entered your credentials after clicking a link — do not factory-reset it before considering a forensic IT examination.
  3. Report the facts to the National Police, the Civil Guard or the duty court, attaching all the above documentation. The criminal complaint opens proceedings against the perpetrators and against the holders of the destination accounts and, in practice, it also underpins the banking claim and, where applicable, any insurance claim.
  4. Claim the refund from the bank in writing. Under payment-services legislation, the bank must refund the amount of the unauthorised transaction unless it proves that the user acted fraudulently or breached, with gross negligence, the duty to safeguard the credentials. If the claim is rejected, the customer-service route, a complaint before the banking supervisor and, ultimately, a civil lawsuit remain available.
  5. Consider joining the proceedings as a private prosecutor. If the investigation identifies the receiving accounts and their holders, appearing in the case allows you to request asset freezes and other precautionary measures and to claim civil damages within the criminal proceedings themselves.

Let us be clear: none of these steps, on its own, ensures recovery of the money. The outcome depends on how fast you react, on the route the funds take (domestic or foreign accounts, conversion into crypto-assets) and on how the credentials were safeguarded. What is in your hands is preserving the evidence and activating the three routes — banking, criminal and civil — in time; that is what we work on from the first call.

Phishing Penalties According to the Amount Defrauded

Computer fraud under Art. 249.1.a) CP punishes those who, for profit, by means of any computer manipulation or similar artifice, achieve a non-consensual transfer of any patrimonial asset to another's detriment. The penalty depends, above all, on the amount defrauded and on the circumstances of Art. 250 CP:

| Amount or circumstance | Classification | Penalty |
|---|---|---|
| Up to EUR 400 | Minor fraud (Art. 248 CP, third paragraph) | Fine of 1 to 3 months |
| Up to EUR 400 with three or more prior final convictions of the same nature | Repeat-offending regime (Art. 248 CP, as amended by LO 1/2026) | Prison of 6 months to 3 years |
| Over EUR 400 | Basic offence (Art. 249.1.a CP) | Prison of 6 months to 3 years |
| Over EUR 50,000 or a large number of victims | Aggravated fraud (Art. 250.1.5 CP) | Prison of 1 to 6 years and fine of 6 to 12 months |
| Over EUR 250,000 or qualified combinations | Hyper-aggravated fraud (Art. 250.2 CP) | Prison of 4 to 8 years and fine of 12 to 24 months |

Two points matter in mass campaigns. First: even if each individual charge is small, where the fraud affects a large number of people Art. 250.1.5 CP applies, and the continuing-offence rules also allow the amounts to be added together. Second: in CEO fraud it is common to argue abuse of business or professional credibility (Art. 250.1.6 CP). On top of this, money laundering under Art. 301 CP for the subsequent movement of the funds and, depending on the case, forgery or unlawful access to computer systems may apply concurrently.

Money Mules: Fraud, Receiving or Money Laundering?

The "bank money mule" is the person who receives the phishing proceeds in their own account and forwards them — to other accounts, abroad or converted into crypto-assets — usually after being recruited through a fake remote-job offer. Their legal classification is one of the classic debates in this field, and the difference in penalty depending on the charge is enormous:

  • Cooperation in the fraud (Arts. 248 and 249.1.a CP). If it is proven that they knew of the fraudulent scheme and provided their account as an essential link to complete the transfer, they are liable as a necessary cooperator in the fraud: prison of 6 months to 3 years, or the higher penalties of Art. 250 CP if an aggravating circumstance applies.
  • Receiving (receptación, Art. 298 CP). If, without having taken part in the fraud as perpetrator or accomplice, they helped the offenders for profit to benefit from its proceeds while aware of the prior property offence: prison of 6 months to 2 years, subject to the limit that the custodial sentence can never exceed that of the concealed offence (Art. 298.3 CP).
  • Money laundering (Art. 301 CP). Acquiring, possessing, using or transferring assets knowing they derive from criminal activity is punished with prison of 6 months to 6 years and a fine of one to three times their value. Crucially in practice, laundering by gross negligence (Art. 301.3 CP) — prison of 6 months to 2 years plus a fine — is the route by which many mules are convicted when knowledge of the illicit origin cannot be proven, but the circumstances made suspicion unavoidable.

Consolidated Supreme Court case-law has moved between these three classifications depending on the degree of knowledge proven in each case. For the defence, this opens two main lines: the mistake of fact under Art. 14 CP, where the client was recruited through an apparently legitimate job offer and believed they were doing lawful work, and the boundary between gross and minor negligence in laundering, because minor negligence is not criminal and leads to acquittal.

Key Time Limits: Limitation Periods and the Length of the Investigation

In phishing proceedings, three different clocks need watching:

  • Limitation period of the offence (Art. 131 CP). Basic computer fraud becomes time-barred after 5 years, since its maximum penalty is 3 years' imprisonment; aggravated fraud under Art. 250 CP, after 10 years; minor fraud, after one year. Intentional money laundering is time-barred after 10 years, and negligent laundering, like basic receiving, after 5. For connected or concurrent offences, the period of the most serious offence applies (Art. 131.4 CP).
  • Investigation time limit (Art. 324 LECrim). The judicial investigation has a maximum length of 12 months from the opening of the case, extendable by reasoned court order for successive periods of 6 months or less. Measures ordered within the time limit remain valid even if their results arrive later; those ordered after expiry without an extension do not. In phishing cases involving foreign accounts or crypto-asset tracing, extensions are common, and both the defence and the private prosecution must monitor the timetable: the victim, to request the measures they need in time; the suspect, to detect out-of-time measures.
  • Notification to the bank. The unauthorised payment transaction must be reported without undue delay once discovered; prolonged inaction weakens the refund claim against the bank.

Why Alonso Sala for Phishing?

Specialized defense for deceived mules and CEO Fraud victims. Error of type and bank liability

  • Error of type strategy: fake offer + non-criminal profile = no fraud intent.
  • Minor (not gross) negligence defense in laundering due to deception circumstances.
  • Claims vs. banks: duty of vigilance for anomalous transfers (civil liability).
  • CEO Fraud/BEC experience: victim of sophisticated attack ≠ unfair administration.

Guide to Property Crimes in Spain: Defense Strategies

Property crimes (Crimes Against Assets) are regulated in Title XIII of the Spanish Criminal Code (Art. 234-304). These offenses range from petty theft to complex economic fraud, with penalties varying greatly depending on the amount involved, the method used, and any aggravating circumstances.

Key Distinctions: Theft, Robbery, and Fraud

| Offense | Article | Key Element | Basic Penalty |
|---|---|---|---|
| Minor Theft (Hurto leve) | Art. 234.2 | <400€, no force | Fine 1-3 months |
| Theft (Hurto) | Art. 234.1 | >400€, no force | 6 months – 18 months |
| Aggravated Theft (Art. 235) | Art. 235 | Special items/multi-recidivist | 1 – 3 years |
| Robbery with Force | Art. 240 | Breaking in/tools | 1 – 3 years |
| Robbery with Violence | Art. 242 | Direct threat/intimidation | 2 – 5 years |
| Fraud (Estafa) | Art. 249 | Deception + financial harm | 6 months – 3 years |

Main Defense Strategies in Property Crimes

Challenge the Animus Lucrandi

Demonstrate that the accused had no intent to profit — a valid defense in alleged theft cases.

Contest Valuation

Dispute how the value of the stolen item was assessed. Below €400 = minor offense with much lower penalties.

Prior Consent or Ownership Claim

In disputes between acquaintances, prove the accused believed they had a right to the item.

Recidivism Analysis

Many aggravated theft charges rely on prior criminal record. Challenge the computation of prior offenses.

Chain of Custody (Receiving Stolen Goods)

Challenge the prosecution's evidence that the accused knew the items were stolen.

Error of Type Defense (Fraud)

In commercial fraud cases, demonstrate that the accused genuinely believed their representations were true.

Critical: Time Limits for Evidence

In property crimes, digital evidence (CCTV footage, mobile location data) is often deleted within 30 days. Contacting a specialist lawyer immediately after arrest or charge is essential to preserve exculpatory evidence.

FAQs

Am I guilty if I was tricked with a job offer?
You shouldn't be. If you can prove you were recruited with a fake offer and believed you were doing a legitimate job (collections agent, financial intermediary), there is no criminal intent. It's an 'error of type' that excludes liability for fraud.
And for money laundering?
Laundering also punishes commission by gross negligence. The prosecution will argue you 'should have known' the money was illicit. Our defense is to prove your negligence was minor, not gross, given the circumstances of the deception.
If I'm a victim of phishing, can I get my money back?
It's difficult. If the bank did not implement adequate security measures (two-factor authentication), you can claim a refund for civil liability. If the mistake was yours (you gave out your credentials), recovery is almost impossible, but we can sue the 'mule' to try to seize their assets.
Is the bank responsible?
Banks have a duty of vigilance. If the transfer was anomalous (very high, to a strange country, in the middle of the night) and they didn't block it, they may be liable. It's a line of claim we explore.
What is the penalty for being a 'money mule'?
The penalties are severe because fraud and money laundering are combined. They can easily range from 2 to 6 years in prison, depending on the amount. That's why a good defense from the start is vital.
How do I defend myself if I'm accused of being a mule?
By providing the fake job offer, emails with your 'boss', the simulated contract, and showing you had no prior record and your profile is not that of a criminal. You must convince the judge you were a deceived instrument, not an accomplice.
Is the 'money mule' who lends their account jointly liable?
Yes. Anyone who allows their account to be used to receive funds obtained through phishing can be held liable as a necessary cooperator in fraud and/or as a perpetrator of money laundering.
Are cryptocurrencies obtained through phishing traceable?
Yes, through forensic blockchain analysis. Cryptocurrency transfers are permanently recorded on the blockchain, which makes it possible to follow the trail to regulated exchanges.
Is creating a fake website that imitates a bank a crime?
Yes. Creating phishing websites that imitate banking institutions is a preparatory act of fraud. If victims are induced to enter their credentials and funds are transferred, the computer fraud under Art. 249.1.a) CP is consummated.
Can minors who carry out phishing be prosecuted?
Minors under 14 cannot be held criminally liable. Between 14 and 18, the juvenile criminal liability act (LORPM) applies, with educational measures. Computer crimes committed by minors are investigated by the Juvenile Prosecutor's Office.
How long do I have to report an unauthorised transaction to my bank?
Spanish payment-services legislation requires the user to notify the bank without undue delay upon becoming aware of the unauthorised transaction. In practice: call the same day to block the account, put the notification in writing and keep proof of it. A late notification can seriously weaken the refund claim.
How long can the judicial investigation of a phishing case take?
Art. 324 of the Spanish Criminal Procedure Act (LECrim) sets a maximum of 12 months from the opening of the case, extendable by reasoned court order for successive periods of 6 months or less. Cases involving foreign accounts or crypto-asset tracing usually require several extensions; the timetable matters, because measures ordered after the deadline without an extension are invalid.
When does the offence of phishing become time-barred?
Basic computer fraud (Art. 249.1.a CP) becomes time-barred after 5 years, as its maximum penalty is 3 years' imprisonment. If an aggravating circumstance of Art. 250 CP applies (over EUR 50,000 defrauded, a large number of victims), the period rises to 10 years. Minor fraud of up to EUR 400 is time-barred after one year, and for connected offences the period of the most serious offence applies (Art. 131.4 CP).

Looking for a Phishing & Fraud Defense Lawyer in Spain?

As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Phishing & Fraud Defense case with the urgency and technical rigor it requires from day one.

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.
