Legal Defence in Spain Against Phishing and Man-in-the-Middle (MitM) Fraud

Phishing and Man-in-the-Middle (MitM) attacks are among the most damaging forms of cybercrime affecting European businesses and financial institutions. They also raise a sensitive legal question: who bears liability when a criminal successfully diverts a payment? The bank? The payer? Both?

Cybercrime and MitM Fraud: How Far Does Bank Liability Extend?

Under Spanish and EU law, payment service providers (PSPs) are subject to heightened liability rules designed to protect users from unauthorised transactions.

However, this protection has limits: banks cannot be held liable for a customer’s own negligent behaviour or for failures attributable to other parties involved in the payment chain.

In practice, both the financial institution and the defrauded payer must demonstrate precisely what went wrong, where, and why.

The Most Common Pattern: the Mule Account

In MitM fraud, the criminal intercepts genuine corporate communications—typically emails regarding invoicing—and impersonates one party, redirecting payment to a different bank account, a mule account opened in advance.

By the time the victim notices the deception, the funds have usually been withdrawn or transferred. Since identifying the perpetrator is often impossible, the injured company typically sues the bank that executed the transfer and/or the receiving bank, alleging:

  • Inadequate KYC/AML controls
  • Failure to detect mismatches between the beneficiary name and IBAN
  • Delay in recalling or freezing the funds

However, courts frequently find that the payer’s own negligence breaks the causal link, significantly reducing—or entirely excluding—the bank’s liability.

Defence Strategy for Financial Institutions

A strong defence usually relies on four essential pillars:

Regulatory compliance in executing the transaction

The core reference is KYC/AML legislation. Service providers, however, are not obliged to verify whether the beneficiary name matches the IBAN of the mule account.

This has been expressly confirmed by:

  • The Court of Justice of the EU (CJEU, 21 March 2019, Case C-245/18)
  • The Spanish Supreme Court (Judgment 507/2025, 27 March)

Gross negligence by the payer

Failing to notice subtle variations in email domains, accepting sudden changes of bank account to jurisdictions unrelated to the transaction, or omitting verification through an alternative channel (telephone, Teams or WhatsApp) have been deemed by Spanish courts to be a lack of due diligence incompatible with the standard expected of any professional operator.

Security breach in the payer’s system

The receiving bank is not liable for deficiencies in the client’s IT environment and is not required to verify whether the payer’s email system has been compromised.

Absence of a causal link

Banks do not participate in intercepting communications, issuing fraudulent orders, or delaying detection of the fraud. Their role is limited to processing payments based on the provided data and to cooperating with authorities once fraud has been discovered.

Conclusion: Towards a Balanced System of Liability

Combating phishing and MitM fraud requires strong prevention measures and legal certainty.

A fair system does not turn banks into universal guarantors against a client’s serious mistakes.

Digital-transaction security rests on two pillars:

  • Effective banking controls, and
  • Corporate users with robust verification and cyber-prevention practices.

Only through balanced liability can confidence in the digital financial system be maintained.

Frequently Asked Questions

What is phishing, and how does it relate to MitM fraud?

Phishing involves impersonation techniques to obtain data or divert payments. In a corporate environment, it often appears as a MitM attack that manipulates legitimate communications.

Is the bank always liable when a payment is diverted?

It depends. EU rules impose enhanced liability on PSPs, but this can be reduced or excluded if the payer acted with gross negligence—such as ignoring verification steps or accepting suspicious instructions.

Must the bank check that the beneficiary name matches the IBAN before executing a transfer?

No. Both the CJEU and the Spanish Supreme Court have confirmed that banks may execute the transfer solely on the basis of the IBAN provided.

Can diverted funds be recovered?

Possibly, depending on how quickly action is taken, whether the funds can be traced, and whether negligence is involved. Often, funds are withdrawn or rerouted from the mule account before recovery is possible.

What preventive measures should companies adopt?

Dual-channel verification, domain checks, validation of account changes, IT security policies, and regular staff training. Prevention requires combined efforts from companies and banks.

Facing a phishing or MitM dispute? Our cyber-fraud litigation team can defend your company with precision and urgency.

Please note that this article is not intended to provide legal advice.
