Computer Fraud Lawyer

Computer Fraud: Legal Framework

Computer fraud is the form of fraud committed without deceiving a person directly, by manipulating a computer system to obtain a non-consented asset transfer. It is governed by Article 249.1.a of the Spanish Criminal Code, which punishes the use of "some computer manipulation or similar artifice" that produces the displacement of an asset to another's detriment (Art. 249.1.b also punishes the fraudulent use of cards and other payment instruments).

It should not be confused with internet fraud (Art. 248 CP): there the offender deceives a person through digital media (fake stores, marketplaces, fictitious rentals); in computer fraud nobody is deceived, the system is manipulated. As criminal lawyers, we defend both people under investigation and victims seeking to recover what was defrauded. The boundary with technical cybercrime (illegal access or computer damage) matters: computer fraud protects property, not the integrity of systems. For the catalogue of modalities (phishing, smishing, vishing, CEO fraud, money mules) and the victim's response, see cyber fraud and phishing.

Forms

• Phishing and smishing: fraudulent capture of banking credentials by impersonating the bank, followed by unauthorized transfers.
• Online banking manipulation: execution of payment orders or transfers by accessing the victim's account.
• Unauthorized use of card data: purchases or charges using unlawfully obtained card numbers (physical use of forged cards overlaps with Art. 399 bis).
• CEO fraud (BEC): false transfer orders impersonating an executive or a supplier.

Penalties & Aggravations

The basic offence carries 6 months to 3 years' imprisonment, set according to the amount defrauded and the means used. Where the amount does not exceed 400€, the conduct may be a minor offence punished with a fine. The aggravated subtypes of Article 250 —1 to 6 years and a fine— apply when the amount exceeds 50,000€, the conduct affects a plurality of people or a third party's identity is used.

Defense Strategy

1. Challenging authorship: an IP, a device or a destination account do not by themselves prove who carried out the operation; we demand conclusive technical evidence.
2. The "money mule" position: someone who merely lends an account may be unaware of the unlawful origin of the funds; we analyze intent and possible atypicality.
3. Amount and unit of action: we discuss the aggregation of amounts and classification as a minor or continued offence.
4. Bank liability: when defending the victim, we claim against the bank for its duties of diligence and strong authentication.

Criminal Proceedings and Territorial Jurisdiction

Computer fraud under Article 249.1.a of the Spanish Criminal Code is prosecuted ex officio and usually begins with a complaint filed by the bank or by the injured party. The investigation is led by the Investigating Court, which directs the inquiry, orders the necessary measures and defines the scope of the proceedings. Territorial jurisdiction is a recurring issue in this offence: because the patrimonial transfer is carried out remotely, the place of commission does not always coincide with the suspect's residence. As a general rule, jurisdiction is placed where the patrimonial displacement occurs or where the loss is realised, a point worth settling early to avoid delays and challenges to competence.

Depending on the abstract penalty, the case proceeds through the abbreviated procedure where the sentence does not exceed nine years, which covers both computer fraud under Article 249.1.a and its aggravated forms under Article 250.1. The process runs through the investigation phase, the intermediate phase —where the opening of the oral trial or a dismissal is decided— and the trial itself, heard by the Criminal Court or the Provincial Court. Technical involvement from the very first statement makes it possible to contest the evidence, challenge the attribution of authorship and shape the strategy before the prosecution's provisional conclusions become entrenched.

Digital Forensic Evidence and the Chain of Custody

In computer fraud, digital evidence is almost always the heart of the case: connection logs, IP addresses, transfer traces, metadata, seized devices or messaging extractions. This evidence is inherently fragile and easily altered, so its probative value depends on having been obtained and preserved with full guarantees. The defence scrutinises the chain of custody in detail: how the device was seized, who accessed it, whether a forensic image with its corresponding hash value was generated, and whether any handling was documented. An unjustified break in that chain can compromise the reliability of the source of evidence.

The forensic review also addresses the obtaining of traffic data and the possible interference with fundamental rights, in particular the secrecy of communications and data protection, whose intrusion requires a reasoned and proportionate judicial authorisation. Linking an IP address does not, in itself, amount to identifying the actual perpetrator, since a connection can be shared or spoofed. It is therefore essential to test the prosecution's expert report against a defence expert opinion that assesses the strength of the attribution, rules out false positives and sets out the alternative hypotheses consistent with the suspect's innocence.

Distinguishing It from Ordinary Fraud and Disclosure of Secrets

It is important to draw a precise line between computer fraud under Article 249.1.a CC and ordinary fraud. Classic fraud requires a sufficient deceit that induces an error in a person, who then carries out an act of patrimonial disposition. In the computer modality there is no deceived person as such, but rather a computer manipulation or similar artifice that achieves an unauthorised transfer of a patrimonial asset. The boundary matters because, where the trick aims to obtain the victim's credentials or to lead the victim to order the payment, ordinary fraud may apply; where the displacement is achieved by altering the system or the automated process, it fits the computer modality.

The distinction from the disclosure and revelation of secrets under Article 197 CC is equally decisive. Unlawful access to a system or the capture of confidential data, without a patrimonial displacement through manipulation, belongs to the sphere of Article 197 and related offences, not to fraud. Where both behaviours coincide —for instance, an improper access followed by a fraudulent transfer— it must be assessed whether we are facing a concurrence of offences or a concurrence of norms, which directly affects the penalty. Correct classification from the outset prevents charges under provisions that do not apply and makes it possible to challenge any double punishment.

Limitation Periods for the Offence

Limitation is a line of defence that should always be checked, because the passage of time extinguishes criminal liability. Following the reform introduced by Organic Law 5/2010, the former three-year bracket no longer exists; the periods in Article 131 CC are calculated according to the maximum penalty assigned to the offence. Computer fraud under Article 249.1.a, punishable by six months to three years' imprisonment, is a less serious offence and becomes time-barred after five years. Minor fraud under Article 248.3, where the amount does not exceed 400 euros and is punishable by a fine, is a minor offence and becomes time-barred after one year.

In the aggravated forms the limitation period is longer because the maximum penalty is higher. Aggravated fraud under Article 250.1, with imprisonment of one to six years, exceeds the five-year maximum-penalty threshold and becomes time-barred after ten years. The hyper-aggravated form under Article 250.2, punishable by four to eight years' imprisonment, likewise becomes time-barred after ten years. As a general rule, the count begins from the consummation of the offence and is interrupted when the proceedings are effectively directed against the person under investigation. A careful defence analyses these dates in detail, since an erroneous calculation of the starting point or of the interrupting acts can be decisive.

Associated Money Laundering and Corporate Liability

Computer fraud is often accompanied by manoeuvres to move and conceal the defrauded money, which opens the door to an additional charge of money laundering. The figure of the intermediary deserves particular attention: the person who, in exchange for a commission, receives the funds in their account and forwards them on. Someone acting in that position may be investigated for laundering where it is found that they knew or should have known the unlawful origin of the money. The defence must work carefully on the subjective element, distinguishing between conscious complicity and a person recruited through deceit who was unaware of the criminal nature of the operation, a point that wholly conditions their liability.

Where the offence is committed within or for the benefit of a company, the criminal liability of the legal person under Article 31 bis CC may be triggered. The company is liable for acts committed by its representatives or by persons under its control where there has been a failure of organisation and supervision. Against such a charge, crime-prevention models —so-called compliance programmes— acquire decisive value: when properly implemented and effective, they can exempt or mitigate the entity's liability. Defending the natural person and the legal entity in parallel requires coordinating both strategies so that they do not undermine one another.