Phishing, Smishing, and Vishing in Spain: How to Report and Recover Your Money
If you are reading this, you have probably received a suspicious message from the “bank”, an SMS from Correos about a non-existent package, or a threatening call from someone claiming to be from your financial institution. You are not alone.
During the first quarter of 2025, phishing cases in Spain increased by 40% compared to the same period in 2024, affecting thousands of people every week. Most victims believe they cannot recover their money… but we have good news for you! The law is on your side, and we will tell you everything you need to know.
In this comprehensive guide, you will learn:
- What phishing, smishing, and vishing are,
- How to identify fraud,
- What to do step-by-step,
- How to report it,
- When the bank must return your money,
- What evidence you need,
- And how a specialized firm like IN DIEM Abogados can help you recover it.
What are Phishing, Smishing, and Vishing? Clear Definitions
Phishing: Fraudulent Emails
Phishing is a fraud technique where criminals send emails that appear to come from legitimate entities (banks, companies, public bodies) to steal your personal or banking data.
Real example: You receive an email seemingly from BBVA stating that your account has been “blocked for security” and that you must “verify your identity” by clicking on a link. Upon doing so, you are redirected to a website identical to the bank’s, where you enter your access credentials. Minutes later, the scammers empty your account.
Smishing: SMS Scams
Smishing uses fraudulent text messages to trick users into clicking malicious links or sharing private data, such as bank account numbers.
Real example: You receive an SMS supposedly from Correos: “Your package is pending delivery. Pay €1.99 at this link to receive it.” The link leads to a fake page where you enter your card details, giving scammers direct access.
Vishing: Fraudulent Phone Calls
Vishing involves fake phone calls that pressure victims into revealing codes, credentials, or saying “yes.” Scammers record your voice saying “yes” to use it in fraudulent transactions.
Real example: Someone calls you claiming to be from your “bank’s security department,” alerting you to “suspicious activity.” They ask you to “confirm” your identity by providing codes sent to you via SMS. These codes are actually authorizations to transfer your money.
Why are these scams increasing in Spain?
1. Use of Artificial Intelligence by Cybercriminals.
94% of Spanish companies have suffered phishing or vishing attacks, many enhanced by deepfake techniques. AI allows for the creation of synthetic voices indistinguishable from real ones and extremely convincing personalized messages.
2. Perfect Impersonation of Banks and Organizations.
Scammers can make the official number of your bank or the National Police appear on your phone. This technique, called “spoofing,” makes calls seem completely legitimate.
3. Main Targets in Spain.
Cybercriminals focus on impersonating entities with a high level of trust:
- Banking entities: BBVA, Santander, CaixaBank, Ibercaja, Bankinter
- Public bodies: Hacienda (Tax Agency), DGT (Traffic Authority), Seguridad Social (Social Security)
- Courier companies: Correos, MRW, SEUR
- Popular platforms: Amazon, Bizum, PayPal
How to Detect a Phishing, Smishing, or Vishing Attempt?
Infallible Warning Signs
- Artificial urgency or threats: “Your account will be blocked in 24 hours”, “Act now or you will lose your package”
- Shortened or strange links: bit.ly, tinyurl.com, or URLs that do not exactly match the official one (e.g., “bbva-seguridad.com” instead of “bbva.es”)
- Request for sensitive data: No bank asks for passwords, PINs, or coordinates via SMS, email, or phone
- Spelling or grammatical errors: Although increasingly less frequent, they still appear in some attempts
- Generic senders: “Dear customer” instead of your name
From IN DIEM, we provide some examples of real messages we have collected this year to help you prevent these types of scams:
Fake BBVA SMS:
BBVA: We have detected unusual activity. Verify your identity here: bit.ly/xxxxx You have 24h before permanent blocking.
Fake “bank” call:
“Good morning, we are calling from your bank’s anti-fraud department.
We have detected three suspicious transfers. Do you recognize them?
We need you to confirm the codes we will send you via SMS to block them.”
Fake Tax Agency email:
Subject: Pending tax refund - €873 You have a pending tax refund. Click here to claim it before 12/31/2025.
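The link and urgency signs listed above can be checked mechanically. The following is an added example, not part of the original article: it classifies each link in a message by its hostname and flags urgency wording. It uses bbva.es and the shorteners named above; correos.es as an allowlist entry, the urgency phrases chosen, and all function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# bbva.es and the two shorteners come from the article; correos.es is an
# assumed allowlist entry. Maintain your own list of official domains.
OFFICIAL = {"bbva.es", "correos.es"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
URGENCY_RE = re.compile(
    r"\b(?:24\s?h(?:ours)?|act now|permanent blocking|will be blocked)\b", re.I)

def host_of(url):
    """Return the lower-cased hostname, accepting links without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def classify_link(url):
    """Classify a link as official, shortener, lookalike or unknown."""
    host = host_of(url)
    if host in SHORTENERS:
        return "shortener"   # the real destination is hidden
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"    # the exact domain or a subdomain of it
    brands = {d.split(".")[0] for d in OFFICIAL}
    if any(b in host for b in brands):
        return "lookalike"   # brand name used outside the official domain
    return "unknown"

def review_message(text):
    """List the warning signs found in a message as (kind, value) pairs."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)\"”")
        kind = classify_link(url)
        if kind != "official":
            findings.append((kind, url))
    findings += [("urgency", m.group(0).lower())
                 for m in URGENCY_RE.finditer(text)]
    return findings

# The fake BBVA SMS quoted in the article.
SMS = ("BBVA: We have detected unusual activity. Verify your identity here: "
       "bit.ly/xxxxx You have 24h before permanent blocking.")

if __name__ == "__main__":
    for finding in review_message(SMS):
        print(finding)
```

An “official” result only describes where the link points; it says nothing about whether the sender is genuine.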
What to Do If You Have Already Fallen for the Scam? Step-by-Step Guide
Step 1: Act Immediately
It is important to understand that the first 30 minutes are the “CRITICAL TIME”.
- Block your bank account:
  - Immediately call your bank’s customer service number
  - Request urgent blocking of cards and online banking access
  - Do not hang up until you have an incident number
- Change all your passwords:
  - Online banking
  - Any service where you use the same password
Step 2: Gather All Evidence
This step should be done, if possible, within 24 hours.
Critical evidence:
- Screenshots of received SMS messages
- Complete emails (do not delete them, forward them to your own email as backup)
- Phone numbers from which you were called
- URLs of fake websites (do not click, just copy the address)
- Bank statements showing fraudulent transactions
- Call records with time and duration
- WhatsApp conversations, if any
Step 3: Report to the Authorities
Ideally, this should be done within the first 48 hours.
⌖ Where to report:
- National Police:
- Civil Guard:
- INCIBE (National Cybersecurity Institute):
- Bank of Spain
Step 4: File a Claim with the Bank
Important: You have up to 13 months to report unauthorized transactions, but the sooner, the better.
When is the Bank Liable? Updated Legal Analysis 2025
The PSD2 Regulation: Your Legal Shield
The European Payment Services Directive (PSD2), transposed into Spanish law through Royal Decree-Law 19/2018, clearly establishes:
Article 45: The payment service provider (the bank) must immediately reimburse the customer the amount stolen, unless it can prove that the user acted with gross negligence or fraud.
Important
It is not you who must prove that you did not authorize the transaction. It is the bank that must prove that:
- The transaction was correctly authenticated
- You gave your express consent
- You acted with fraud or gross negligence
What is “Gross Negligence”?
- Voluntarily sharing your credentials in a public forum
- Ignoring multiple obvious security warnings
- Consciously providing access to unknown persons
It is NOT gross negligence:
- Clicking on an SMS that appears to be from your bank
- Entering your data on a website that perfectly replicates the official one
- Providing codes to someone who identifies themselves as your bank
- Being deceived by voice deepfakes
Key Ruling 2025: Supreme Court 571/2025
The High Court confirmed the conviction of Ibercaja for a phishing case where fifteen unauthorized transfers were made via online banking and Bizum. The bank was ordered to return over €56,000.
➜ The bank must prove gross negligence.
➜ The victim does not have to prove anything.
What to Do If the Bank Refuses Reimbursement?
Do not accept “no” as a final answer. Phishing lawsuits are being won in 95% of cases.
- Formal complaint to Customer Service (Response time: 1 month)
- Complaint to the Bank of Spain (if the bank does not respond or rejects without justification)
- Judicial route with a specialized lawyer (This is where IN DIEM Abogados makes the difference)
Evidence needed to recover the money
- Police report
- Original SMS and emails
- Dated screenshots
- Bank statements
- Communications with the bank
- Digital witnesses (INCIBE)
Real Possibilities of Recovering Money
Factors That Increase the Probability of Recovery
- Speed of action: Acting quickly recovers more than 40% of losses
- Immediate police report: Essential for the judicial process
- Formal claim to the bank: With all attached evidence
- Having a specialized lawyer: They know banking tactics and how to combat them
- Complete documentation: The more evidence, the better
- Persistence: 80% of banks initially reject claims hoping victims will give up
Common Mistakes That Make Recovering Money Difficult
- Not Reporting in Time: Many victims feel ashamed or believe it’s “not worth it.” Serious mistake: Without a police report, your claim loses legal force.
- Not Collecting Evidence: Deleting fraudulent messages “to forget about it” destroys crucial evidence. Keep everything.
- Deleting or Modifying Messages: Any alteration of evidence can be used against you. Do not modify anything.
- Accepting the Bank’s Refusal Without Claiming: Banks count on you giving up. 80% initially reject, hoping victims will abandon.
- Not Seeking Professional Advice: Facing a bank’s legal department alone is an unequal battle. They have specialized teams in rejecting claims.
- Delaying Account Blocking: Every minute that passes without blocking your access allows more fraudulent transfers.
- Not Formally Notifying the Bank: A phone call is not enough. You need written communication with acknowledgment of receipt.
Need help? If you have been a victim of phishing, smishing, or vishing, contact a specialized firm. At IN DIEM Abogados, we can advise you, prepare the claim, and represent you before the bank or in court to maximize the chances of recovering your money.
Infographic: Phishing, Smishing, and Vishing. Quick guide to reporting and recovering your money. Phishing: fraudulent emails. Smishing: deceptive SMS messages. Vishing: fake calls.
How Can IN DIEM Help You?
The first thing you need to know is that we are specialists in recovering funds lost to Phishing. At IN DIEM Abogados, we understand the devastating impact of being a victim of digital fraud. It’s not just about the money lost, but the feeling of vulnerability, frustration, and helplessness.
Our specialization makes the difference:
✔ Comprehensive Legal Analysis of Your Case. We evaluate in detail:
- Type of fraud suffered
- Bank’s liability according to PSD2
- Feasibility of recovery
- Optimal legal strategy
✔ Specialized Banking Claim. Most banks agree to reimbursement when a specialized lawyer intervenes.
- Preparation of technical documents based on PSD2 regulations
- Argumentation based on Supreme Court jurisprudence
- Deep knowledge of banking rejection tactics
- Effective legal pressure to achieve reimbursement
✔ Strategic Criminal Complaint. A well-prepared criminal complaint strengthens your civil claim.
- Submission of a complete criminal complaint
- Provision of all evidence in legal format
- Monitoring of criminal proceedings
- Coordination with authorities (Police, Civil Guard, INCIBE)
✔ Effective Fund Recovery. We focus on tangible results:
- Direct negotiation with banking entities
- Legal action if necessary
- Claim for legal interest in addition to the principal
- Complete management until your money is recovered
✔ Preparation of Digital Evidence
- Legal certification of digital evidence
- Forensic technical analysis (if applicable)
- Organization of documentation
- Presentation of evidence in judicially admissible format
✔ Comprehensive Support. From the first moment until your money is recovered:
- Direct and transparent communication
- Explanations in clear language, without unnecessary technical jargon
- Constant updates on the status of your case
- Emotional and legal support
Contact us. We are here to help you.
Frequently Asked Questions (FAQs)
What happens if the bank says the transaction was authorized?
This is the banks’ most common defense, but it does not mean you are at fault. The fact that your credentials were used does not mean you gave real consent. The PSD2 regulation requires the bank to prove gross negligence, not simply that valid credentials were used.
A specialized lawyer can establish that you did not give consent, that the bank did not apply sufficient security measures, and that the transaction showed suspicious patterns.
Is it my fault that I fell for the scam?
No. Legally, you are not responsible. Scammers use social engineering, artificial intelligence, and pages identical to the real ones.
What matters is that you acted in good faith and without intending to share your data. The law protects victims; it does not blame them.
How long does a phishing claim take?
The indicative time frames are:
- Initial response from the bank: 15 business days
- Customer Service: 1 month
- Bank of Spain: 4–6 months
- Judicial route: 6–18 months
With a specialized lawyer, the time frames are reduced considerably thanks to legal pressure and proper legal grounding.
Can I claim even if months have passed?
Yes. PSD2 allows you to claim up to 13 months after the fraudulent transaction.
That said, the sooner you act, the greater your chances of recovering the money.
Can I be denied reimbursement for having a weak password?
No. A weak password does not amount to gross negligence.
Banks are required to implement effective security systems regardless of the strength of your password.
Do I need a lawyer to make a claim?
You can claim on your own, but banks reject about 80% of initial claims, expecting the customer to give up.
A specialized lawyer knows PSD2, knows how to rebut the banks, and significantly increases the chances of recovery.
What happens if the scammers are in another country?
It does not affect the bank’s reimbursement of the money. Your right to reimbursement is independent of where the criminals operate.
As for the criminal complaint, the Spanish authorities work with EUROPOL and INTERPOL, although identifying those responsible is more complex.