Fraudulent transfers and the means of defense.


More than 65% of the victims of banking scams such as phishing, BEC (business email compromise) and fraudulent transfers are small and medium-sized companies. Two factors explain this: their day-to-day reliance on digital tools for storing and managing resources, information and payments, and a lack of resources and knowledge when it comes to prevention.


Fraudulent transfers obtained by means of fraudulent invoices are, together with phishing, the technique most used by cybercriminals. The usual pattern is the interception of the communications, normally email, exchanged between a service provider and its customer, and the manipulation of those messages to suit the attacker.

Once one of the parties has provided the service, it sends an invoice so that the other party can make the corresponding payment. This is the moment, once the email relationship has been established, at which the criminal intercepts the email carrying the invoice and resends the same invoice with a different account number for the transfer, together with a notice that the bank account has changed. The message comes either from the supplier's own mailbox (which means that mailbox has been compromised) or from a look-alike address containing a minimal variation that goes unnoticed in the daily routine of the staff. A change of bank details announced this way should always be confirmed with the supplier through a channel other than the email itself, such as a telephone number already on file.

The debtor, neither alerted nor suspecting any change in the usual procedure (because there is none), pays into the wrong account as instructed and is thereby led into error. The mistake only comes to light days later, when the supplier tells the debtor that the payment has not arrived and, after the relevant checks, both realise that the money never reached the correct account but was sent to another one.
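The sequence just described leaves two signals that an accounts-payable check can look for before anyone pays: a sender domain that is a near miss of the supplier's real domain, and an invoice whose bank account differs from the one recorded at onboarding. The following Python is an added example written for this page, not code from the article or its author; the supplier record, the sample IBANs and the two messages are constructed, and the look-alike folding table is a deliberately small illustrative subset.

```python
"""Flag the two signals of an invoice-swap fraud: a look-alike sender domain
and a change of the supplier's bank account. Added example; all data below
is constructed and does not come from the original article."""
import re
import unicodedata

# Hypothetical supplier master data: the domain the supplier really mails
# from and the IBAN agreed at onboarding (sample values, not real accounts).
SUPPLIERS = {
    "acme-supplies.com": {"name": "Acme Supplies SL",
                          "iban": "ES91 2100 0418 4502 0005 1332"},
}

# Character sequences that render almost identically in a mail client
# (illustrative subset; a production list would be far longer).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents and other decorations, fold look-alike glyphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 or 2 is the typical one-keystroke look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known_domains, max_distance: int = 2):
    """Return ("exact" | "lookalike" | "unknown", matched known domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip("<> ").lower()
    if domain in known_domains:
        return "exact", domain
    norm = normalize_domain(domain)
    for known in known_domains:
        if levenshtein(norm, normalize_domain(known)) <= max_distance:
            return "lookalike", known
    return "unknown", None


def iban_valid(iban: str) -> bool:
    """ISO 7064 mod-97 check: move the first four characters to the end,
    map letters to 10..35 and the resulting integer must leave remainder 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def check_invoice(message: dict, suppliers=SUPPLIERS) -> list:
    """Flags an invoice e-mail should raise before it is approved for payment."""
    flags = []
    kind, supplier_domain = classify_sender(message["from"], suppliers)
    if kind == "lookalike":
        flags.append(f"sender domain is a look-alike of {supplier_domain}")
    elif kind == "unknown":
        flags.append("sender domain is not on file for any supplier")
        return flags
    on_file = re.sub(r"\s+", "", suppliers[supplier_domain]["iban"]).upper()
    claimed = re.sub(r"\s+", "", message["iban"]).upper()
    if claimed != on_file:
        flags.append(f"bank account changed from {on_file} to {claimed}")
        if claimed[:2] != on_file[:2]:
            flags.append("new account is in a different country")
    if not iban_valid(claimed):
        flags.append("invoice IBAN fails its checksum")
    return flags


# Constructed sample messages: the genuine invoice and the swapped one.
GENUINE = {"from": "Acme Billing <billing@acme-supplies.com>",
           "iban": "ES91 2100 0418 4502 0005 1332"}
SWAPPED = {"from": "Acme Billing <billing@acrne-supplies.com>",  # "rn" for "m"
           "iban": "DE89 3704 0044 0532 0130 00"}

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("swapped", SWAPPED)):
        print(label, check_invoice(msg) or ["no flags"])
```

Any non-empty list of flags should block the payment until the supplier confirms the details over a channel that does not run through the suspect email thread; a changed account number is the decisive signal even when the sender address is exact, since the supplier's own mailbox may be the one that was compromised.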


Thus, once the error has been discovered, the first impulse is to take action against the fraudster. Such actions are unsuccessful in most cases, because the recipients are phantom companies that cannot be identified or traced. The question therefore arises of the liability of the entity that receives and executes the transfer.

The most complex case is the one in which the payee's payment service provider is different from the payer's. There is no contractual relationship between the payer and that provider, so any liability between them can only be extra-contractual. Here we must look at Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, transposed by Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera [Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent measures in financial matters], which exempts payment service providers from liability for the non-execution or defective execution of a payment order when the unique identifier provided by the payer is incorrect.

The other relevant rule, Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds, is categorical and imperative in imposing control and supervision obligations on payment service providers. Among others, it requires them to implement effective measures to detect whether the name of the beneficiary and the beneficiary's account number have been completed with valid characters, that is, whether the beneficiary for whom the transfer is intended is in fact the holder of the account.

On that basis, the beneficiary's bank should be asked to stop the transfer (although by then it is usually too late) or to identify the holder of the beneficiary account so that the holder can be informed of the error and urged to refund the amount paid by mistake. In practice this is little more than an appeal to good faith. For this reason our Courts, sensitive to the situation such an error creates, have begun to rule on this type of case and to locate liability in different places. Thus our High Court affirms that "the liability for behaviors in which the intention to deceive is manifest cannot be shifted to the injured party".

It is the providers who have to prove that the payer acted fraudulently. As regards the payment service provider, "it cannot rely on the fact that it was only the plaintiff who provided the data to an unknown third party without any failure in the bank's security system"; otherwise the injured party is released from all liability: "Unless there is fraudulent action, deliberate breach or gross negligence of the payer (art. 32), the payment service provider is liable, which means that it bears the burden of proof that the payment order was not affected by a technical failure or any other deficiency (art. 30)".


In conclusion, the most recent case law sheds light on these undesirable situations: they can be resolved by claiming non-contractual liability from the payment service provider, with the burden of proof falling on the provider and the payer released from liability for the error even where the payer fell short of ordinary diligence, since only fraud, deliberate breach or gross negligence shifts that liability.


Gonzalo Nuevo López
Abogado (Attorney)

Contact details
+34 660 938 836
