- Banking phishing scams are on the rise and seriously impact users and organizations.
- Numerous recent rulings require banks to improve customer protection and return defrauded funds.
- Jurisprudence rejects the idea that the victim always acts negligently, even if they fall for sophisticated deceptions.
- Entities must adopt advanced security measures and react proactively to suspicious activity.

The unstoppable advance of digitalization in banking has brought with it an unprecedented growth in phishing scams, a type of fraud in which cybercriminals impersonate financial institutions to steal customer data and funds. In Spain and Latin America, the number of cases ending up in court has multiplied, with results that put the spotlight on the responsibility of banks for unauthorized operations, the reaction of the entities and the importance of cybersecurity as a fundamental pillar of the financial system.
The numbers speak for themselves. In 2024, more than 21,500 banking phishing incidents were reported in our country, and more than 835,000 attacks on mobile devices in Mexico were linked to financial fraud. Many of these incidents share a common pattern: the victim receives an alarming text message or email, accesses a website almost identical to their bank's, enters their credentials and, shortly after, discovers large transfers unrelated to their usual operations. All this in a context where banks are increasingly reducing face-to-face service and moving transactions to the online environment.
Trend-setting rulings: banks forced to respond

Several recent court rulings have established doctrine on banks' obligations in the face of phishing scams. In one of the most striking cases, the Civil Appeals Court of Montevideo ordered an entity to return $9,000 to a client whose account was drained through transfers made by third parties. The court emphasizes that, even if the user provided data by mistake, the bank must demonstrate that it acted with due diligence to prevent this type of fraud; it is not enough to claim negligence on the part of the client.
In Spain, the trend is similar. Court rulings in Valencia, Oviedo and Vigo have forced banks to reimburse amounts defrauded through smishing (phishing via SMS) and vishing (phone fraud), because alert systems failed to identify suspicious transfers, the transactions did not match the customer's habits, or repeated transactions were allowed to be validated in a very short period of time. In all these cases, the court emphasizes that the obligation to protect funds and monitor unusual transactions falls on the institution, not the consumer, unless there is proof of gross negligence.
Cybercriminal techniques and their impact on digital banking

The rise of phishing and its variants (smishing, vishing) is due to the sophistication of the techniques used. Cybercriminals send messages that perfectly mimic official bank communications, sometimes even embedded in legitimate SMS threads. They simulate emergency situations so that the user acts hastily and, through fake websites, obtain passwords and one-time codes that allow immediate transfers. Some attacks leverage mobile technology, distributing Trojans like Grandoreiro in Mexico or using fake login pages to obtain full access to digital accounts.
The recent case of the so-called "reverse Bizum scam" shows how even platforms designed to make everyday life easier can become targets for fraud. Reinforced authentication systems, which in theory guarantee two-factor security, are not infallible either: through social engineering, criminals obtain the elements needed to validate high-value transactions.
In this environment, the pressure on customers is at its highest, as they often receive an initial refusal from the entity to take responsibility for the fraud, arguing that the transaction was "negligence" or that it was not properly authenticated. Recent case law is clear: sophisticated deception, rapid operations and simulated pages and communications cannot, in themselves, be considered serious fault on the part of the user.
What the regulations require and how banks and users should act
Spanish and European laws establish strict obligations for entities: they must have advanced systems to detect unusual operations, report risks and adopt all technical and contractual measures to protect the user. Real Decreto-ley 19/2018 and the PSD2 Directive include these duties and make it clear that the refund of the money must be immediate if the client has not incurred serious negligence.
Entities must:
- Continuously monitor transactions and block or alert against atypical movements.
- Strengthen authentication (two-factor authentication, biometrics, etc.), especially for third-party payments.
- Offer agile complaint and customer service channels to respond quickly to fraud.
- If reimbursement is denied, they must justify the existence of gross negligence, which is interpreted very restrictively by case law.
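The monitoring duty above, and the two failures the rulings cite (transfers that do not match the customer's habits, and several transfers validated within minutes), can be illustrated with a small rule-based transaction monitor. This is an added example, not code from any bank or from the original article; the customer history, beneficiary labels and thresholds are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Transfer:
    ts: datetime
    amount: float
    beneficiary: str   # constructed labels, not real account identifiers

def customer_profile(history):
    """Baseline built only from the customer's past, trusted transfers."""
    amounts = [t.amount for t in history]
    return mean(amounts), pstdev(amounts), {t.beneficiary for t in history}

def review_transfers(history, pending, window=timedelta(minutes=10),
                     max_per_window=2, sigma=3.0):
    """Return [(transfer, reasons)]; an empty reasons list means no alert.
    Flags amounts far above the customer's habit, unknown beneficiaries,
    and bursts of transfers validated within a short window."""
    mu, sd, known = customer_profile(history)
    seen = list(history)           # everything observed so far, flagged or not
    results = []
    for tx in sorted(pending, key=lambda t: t.ts):
        reasons = []
        if tx.amount > mu + sigma * max(sd, 1.0):
            reasons.append("amount far above usual")
        if tx.beneficiary not in known:
            reasons.append("new beneficiary")
        recent = [t for t in seen if tx.ts - window <= t.ts < tx.ts]
        if len(recent) >= max_per_window:
            reasons.append("velocity")
        results.append((tx, reasons))
        seen.append(tx)
    return results

# Constructed sample: months of small rent/utility payments, then a late-night burst.
T0 = datetime(2024, 5, 1, 10, 0)
HISTORY = [Transfer(T0 + timedelta(days=7 * i), a, b) for i, (a, b) in enumerate(
    [(40, "landlord"), (55, "utility"), (60, "landlord"), (45, "utility"),
     (50, "landlord"), (70, "utility"), (30, "landlord"), (65, "utility")])]
T1 = datetime(2024, 9, 3, 23, 41)
PENDING = [Transfer(T1, 1500, "new-account"),
           Transfer(T1 + timedelta(minutes=2), 1500, "new-account"),
           Transfer(T1 + timedelta(minutes=4), 1200, "new-account"),
           Transfer(T1 + timedelta(days=2), 50, "landlord")]

if __name__ == "__main__":
    for tx, reasons in review_transfers(HISTORY, PENDING):
        print(tx.ts, tx.amount, tx.beneficiary, "ALERT" if reasons else "ok", reasons)
```

A real deployment would hold or step up authentication on an alert rather than merely log it; the example shows only the decision logic.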
Users, for their part, must inform the bank and the police as soon as possible if they detect fraud, preserve all communications and evidence, and not be embarrassed or pressured into resolving the issue on their own. They should not provide sensitive data outside official apps or websites, nor respond to pressure to act urgently.
Real-life cases and recommendations for dealing with banking phishing
The rise in fraud translates into thousands of claims and judgments each year. Cases in Valencia, Oviedo, Gijón, Vigo and Montevideo demonstrate that it is possible to recover lost money if you act quickly, report it and make a formal claim to the bank. As the courts and the Bank of Spain have made clear, banks cannot rely exclusively on customer liability when attacks exploit sophisticated tricks or vulnerabilities in internal controls.
Experts recommend:
- Immediately report the incident to the police or Civil Guard.
- Contact your bank to block your account or card and request a refund.
- File a complaint in writing with Customer Service and, where appropriate, with the Bank of Spain or the courts.
- Save all evidence: messages, extracts, screenshots, communications.
- Do not accept transfers to "recover money," as this could be a second scam.
Education and awareness are essential, but they cannot replace the technical and legal systems that entities must implement. The most advanced jurisprudence has left behind the idea that falling for a digital scam is always the sole fault of the user. It is the banks' obligation to adapt to new risks and strengthen the protection of their customers in the context of accelerated digitalization.
The reality of recent years shows that justice and regulations are increasingly protecting consumers against bank phishing scams, forcing banks to improve their monitoring and to reimburse stolen funds, except in cases of extreme customer negligence. The key, for both entities and users, is active prevention, rapid action and accountability in an environment where digital risks are only going to increase.