Criminal Lawyers in Cyber Fraud & Phishing Defense

Technical defense in computer fraud crimes. Phishing, Smishing, and CEO fraud

Last updated: 11 June 2026

Cyber Fraud & Phishing: Modalities, Victim and Defense (Art. 249 CP)

Computer fraud under Art. 249 CP is the criminal type specifically designed by the legislator to sanction defraudations committed through technological manipulation or digital social engineering. It punishes whoever, with intent to profit and using some computer manipulation or similar artifice, obtains a non-consensual transfer of any patrimonial asset to another's detriment. The protected legal interest is the patrimony, but the specificity of the means of commission (phishing, smishing, vishing, spoofing techniques, banking malware, BEC) has required developing specific case-law on the suitability of deceit in digital environments. Supreme Court case-law has consolidated that computer manipulation includes both technical alteration of systems and ICT-mediated social engineering techniques, since the victim is deceived through digital channels exploiting standardised cognitive vulnerabilities. This page focuses on cyber-scam modalities and the victim's response; for the analysis of the criminal type (Art. 249.1.a) and the defendant's defense strategy, see computer fraud.

The methods of commission in cyber-fraud have diversified extraordinarily in recent years. Phishing and its variants (SMS smishing, voice vishing) consist of mass or targeted sending of communications impersonating trusted entities (banks, tax agency, payment platforms) to induce the victim to deliver credentials or authorise movements. Spear phishing is the targeted, personalised version, fundamental in CEO fraud or BEC (Business Email Compromise), where attackers impersonate the chief executive or a regular supplier through cloned emails to order urgent transfers to fraudulent accounts. SIM swapping consists of fraudulent SIM card duplication to intercept SMS two-factor authentication and empty bank accounts. Fraudulent use of Bizum through payment requests disguised as payments, marketplace fraud (Wallapop, Vinted, second-hand) and child-in-distress scams via WhatsApp complete the picture of the most frequent modalities.

The penalties are those of fraud: 6 months to 3 years' prison in the basic offence, 1 to 6 years' prison and 6 to 12 months' fine when the aggravator of Art. 250 CP concurs (amount over €50,000, abuse of business credibility, multiple victims in mass crime), and 4 to 8 years' prison in the hyper-aggravated type of Art. 250.2 when the amount exceeds €250,000. The necessary cooperation of whoever acts as money mule —receiving and forwarding defrauded funds— is punished with the same penalties and usually concurs with money laundering under Art. 301 CP (6 months to 6 years' prison). Legal entities holding payment services may respond for negligence in their diligence duties under Payment Services Act 4/2020, opening the civil claim against the bank for defrauded amounts when robust security measures are not proven or required anti-fraud alerts are omitted.

The technical defense in computer fraud rests on four consolidated axes. First, for the defence of the money mule or accused cooperator: proof of prior deception and absence of intent; intellectual authors usually recruit mules through fake job offers ("financial agent", "payment processor"), allowing the conduct to be downgraded from direct intent to negligence or, where appropriate, articulating atypicity by error on the illicit origin of funds. Second, for the defence of the executive in BEC cases: employee due diligence and technical sophistication of the deceit; proof of internal protocols followed and reasonable verification measures exonerates from unfair-administration liability. Third, for the victim against the bank: civil claim under Payment Services Act 4/2020, which reverses the burden of proof and imposes on the bank to demonstrate gross user negligence; case-law has consolidated that mere delivery of credentials under sophisticated deceit does not constitute gross negligence. Fourth, the identification of the material author through computer forensic expertise, IP address tracing, email header analysis and exchange flow tracking.

In current forensic practice, computer fraud is the patrimonial offence with the highest statistical increase in Spain, according to annual reports of the Public Prosecutor and INCIBE. Organic Law 1/2025 on Justice Service Efficiency, Act 4/2020 on Payment Services transposing PSD2, NIS2 on cybersecurity and consolidated Supreme Court and Provincial Court case-law have strengthened both prosecution mechanisms and victim guarantees. At Alonso Sala, with 15+ years' experience in economic offences and a multidisciplinary team of criminal lawyers and forensic cybersecurity experts, we undertake the three main lines of action: technical defence of money mules and employees accused in BEC cases, articulation of private prosecution to identify the fraudster, seize funds and request international judicial cooperation, and civil claim against the bank for negligence in its diligence duties under current regulations.

account_balance

Bank Phishing: Who Pays the Bill?

If your account has been emptied via Phishing or Smishing, the bank will almost always try to blame you, claiming you gave out your keys ("Gross Negligence"). However, the Payment Services Law (LSP) is very protective of the user.

For the bank to avoid refunding the money, it must prove that your negligence was "gross". Courts consider that if the deception was very credible (SMS in the same thread as legitimate bank ones, perfect cloned web), there is NO gross fault of the user and the bank MUST refund the funds.

Money Mules

Many people (especially young ones) are recruited with fake job offers ("payment processor", "financial agent") to receive money in their account and forward it in exchange for a commission. Unknowingly, they are laundering money from scams.

Defense Strategy

The Prosecution usually charges fraud (necessary cooperator) and money laundering. Our defense is based on proving <strong>prior deception</strong> and lack of "intent". We fight to demonstrate that the client was used and did not know the illicit origin of the money, downgrading the conduct to negligence which, in the worst case, drastically reduces the penalty.

security

Why Alonso Sala for Cyber Fraud?

In cyber fraud, response speed is critical. We work with forensic IT experts to trace funds and demonstrate technical sophistication of deception.

verifiedFast response for transfer blocking and bank claims.
verifiedNetwork of forensic experts in cybersecurity and blockchain traceability.
verifiedExperience defending innocent 'money mules'.
verifiedSpecialized litigation against banks for security negligence.

Guide to Property Crimes in Spain: Defense Strategies

Property crimes (Crimes Against Assets) are regulated in Title XIII of the Spanish Criminal Code (Art. 234-304). These offenses range from petty theft to complex economic fraud, with penalties varying greatly depending on the amount involved, the method used, and any aggravating circumstances.

Key Distinctions: Theft, Robbery, and Fraud

Offense	Article	Key Element	Basic Penalty
Minor Theft (Hurto leve)	Art. 234.2	<400€, no force	Fine 1-3 months
Theft (Hurto)	Art. 234.1	>400€, no force	6 months – 18 months
Aggravated Theft (Art. 235)	Art. 235	Special items/multi-recidivist	1 – 3 years
Robbery with Force	Art. 240	Breaking in/tools	1 – 3 years
Robbery with Violence	Art. 242	Direct threat/intimidation	2 – 5 years
Fraud (Estafa)	Art. 249	Deception + financial harm	6 months – 3 years

Main Defense Strategies in Property Crimes

Challenge the Animus Lucrandi

Demonstrate that the accused had no intent to profit — a valid defense in alleged theft cases.

Contest Valuation

Dispute how the value of the stolen item was assessed. Below €400 = minor offense with much lower penalties.

Prior Consent or Ownership Claim

In disputes between acquaintances, prove the accused believed they had a right to the item.

Recidivism Analysis

Many aggravated theft charges rely on prior criminal record. Challenge the computation of prior offenses.

Chain of Custody (Receiving Stolen Goods)

Challenge the prosecution's evidence that the accused knew the items were stolen.

Error of Type Defense (Fraud)

In commercial fraud cases, demonstrate that the accused genuinely believed their representations were true.

Critical: Time Limits for Evidence

In property crimes, digital evidence (CCTV footage, mobile location data) is often deleted within 30 days. Contacting a specialist lawyer immediately after arrest or charge is essential to preserve exculpatory evidence.

quiz

FAQs

What is 'CEO fraud' or BEC?expand_more

It's a scam where criminals impersonate a company's CEO's email to order the finance department to make an urgent and confidential transfer to a fraudulent account. We defend the employee who makes it, proving they were a victim of a sophisticated deception.

I've been a victim of phishing, will the bank refund my money?expand_more

It depends. If the bank didn't have robust security measures (two-factor authentication) or if they didn't act quickly after you reported it, a refund can be demanded. If the mistake was yours for giving out your keys, liability is more debatable, but it can still be fought.

Are purchases on Wallapop or Vinted safe?expand_more

They are safe platforms if you use their integrated payment and shipping systems. The risk arises when the seller asks you to leave the platform and pay by Bizum or transfer. If you do and they don't send the product, it's a scam, but harder to claim.

I was scammed with a cryptocurrency investment, can I do anything?expand_more

It's very complicated. The money usually ends up in anonymous 'wallets' abroad. We can file a complaint for the police to try to trace the funds on the blockchain, but recovery is rare. Prevention is key: be wary of guaranteed returns.

How do I protect myself from cyber scams?expand_more

Be wary of urgency and bargains. Never give out your keys via email or SMS. Always use two-factor authentication. Verify important transfers by phone. Use secure payment systems on platforms.

If I'm a victim, what's the first thing I should do?expand_more

1. Contact your bank IMMEDIATELY to try to cancel the transfer. 2. Report it to the National Police or Civil Guard, providing all evidence (emails, screenshots, etc.). 3. Contact a lawyer to assess the viability of a criminal complaint and a claim against the bank.

Can Bizum scams be prosecuted?expand_more

Yes. Scams using Bizum (payment requests disguised as incoming payments, fake sales) are computer fraud under Art. 249.1.a) CP. Bizum's traceability makes it easier to identify the scammer.

What should I do if I have been scammed buying online?expand_more

1) Report it to the police with all the documentation. 2) Ask your bank for a refund (chargeback). 3) Preserve all communications with the seller. 4) Consult a lawyer.

Are marketplace platforms liable for scams?expand_more

Platforms, as mere intermediaries, are not usually criminally liable, but they do have a duty to cooperate with the police by identifying fraudulent sellers and providing access data.

Is intentionally selling a defective product fraud?expand_more

If the seller deliberately conceals known defects that make the product unfit for its purpose, it can constitute fraud by deceptive omission, especially in vehicle and electronics sales.

Is it a crime to buy on a fake website if they send me nothing?expand_more

Yes, it is basic fraud. The problem is usually locating the perpetrator if the website is abroad. We recommend always reporting so the police can request the domain block and trace the money's destination account.

What is 'Child in Distress' (WhatsApp)?expand_more

It is a massive scam where they write to you from an unknown number pretending to be your child ('my phone broke, this is my new number') and asking for urgent money. Banks sometimes deny the refund claiming you made the transfer voluntarily. We litigate those cases alleging vice in consent due to emotional manipulation and lack of bank security measures (if anti-fraud alerts did not trigger).

Looking for a Cyber Fraud & Phishing Defense Lawyer in Spain?

As a national law firm, we offer specialized criminal defense in courts across Madrid and the rest of Spain. We handle each Cyber Fraud & Phishing Defense case with the urgency and technical rigor it requires from day one.

We also serve

Madrid Alicante Marbella Seville Málaga Bilbao Zaragoza

View all locations →

listTable of Contents

shieldClaves de la Defensa: Cyber Fraud & Phishing Defense

Social Engineering

Prove technical sophistication of deception (spoofing, cloning).

Bank Negligence

Hold bank liable for lack of security measures or anti-fraud alerts.

Lack of Intent

Prove accused was victim and unaware of illicit origin.

gavelElementos del Delito

check_circleSophisticated Deception:Phishing, smishing, vishing, email/web spoofing.
check_circleTransfer:Asset disposition in favor of scammer.
check_circleDamage:Economic loss of victim (not recoverable without intervention).

gavelConsecuencias Penales

Prison 6m-3 years

Basic fraud, suspendable if first time.

Prison 1-6 years

If exceeds €50,000 (aggravated fraud).

Money Laundering

If acting as 'mule', also laundering (6m-6 years).

call

Phishing Victim?

Act within first 24h. We can block transfer and claim against bank. Time is critical.

Urgent Contactarrow_forward

linkDelitos Relacionados

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.

Contact Alonso Sala

Call: +34 91 078 65 74