Three new courts in Spain have sided with phishing victims, confirming that the responsibility for stolen funds lies with the bank — as long as the client did not act with gross negligence.
📌 These rulings by first-instance courts support the position previously stated by the Supreme Court, which emphasized that under EU regulations, a user is only liable in cases of intentional misconduct or gross negligence. Being deceived by professional cybercriminals does not fall into these categories.
📉 Judges noted that the fraudulent schemes were so sophisticated and convincing that an average user could not have identified the deception — doing so would have required expert-level knowledge.
📌 These rulings by first-instance courts support the position previously stated by the Supreme Court, which emphasized that under EU regulations, a user is only liable in cases of intentional misconduct or gross negligence. Being deceived by professional cybercriminals does not fall into these categories.
📉 Judges noted that the fraudulent schemes were so sophisticated and convincing that an average user could not have identified the deception — doing so would have required expert-level knowledge.
Comment from the Asufin association:
“Courts are increasingly siding with the consumer. It is the bank’s responsibility to prove the client acted with gross negligence, not to shift the blame for the breach onto them. Being deceived is not a crime.”
