I was a victim of phishing – what should I do?

Regarding cybercrime, phishing was the most reported type of crime in the first half of 2023, according to the Cybercrime Information Note recently released by the Public Prosecutor's Office.
Articles 20/12/2023

What is phishing, and how does it occur?

This phenomenon involves sending fraudulent messages from a supposedly credible source to collect personal information.

Contact with the user was initially made via email and SMS on the cell phone; more recently, frequent use of messaging platforms such as WhatsApp for this purpose has been detected.

Once in possession of the victim’s data, particularly credit card details, the agent sells the data or carries out improper transactions.

Applicable legislation

Directive (EU) 2019/713 on combating fraud and counterfeiting of non-cash means of payment was transposed into Portuguese law by Law 79/21 of November 24.

One of the changes introduced by this law was the broadening of the scope of Article 225 of the Penal Code, renaming the offence to “abuse of a guarantee card or payment card, device or data”. This article now covers phishing.

Article 225, paragraph 5 of the Penal Code defines the penalty for this type of crime. If the damage to the victim is of a high value, the perpetrator is punished with a prison sentence of up to 5 years or a fine of up to 600 days. If the value is considerably high, the perpetrator could face a sentence of 2 to 8 years.

What can I do to prevent or react?

If you detect suspicious movements in your bank account that you cannot account for, you may have been phished. In addition to the possibility of reporting it to the authorities, there are ways to recover the money you have lost.

Electronic payments are regulated by the Payment Services and Electronic Currency Regime, contained in Decree-Law no. 91/2018.

Users of payment services are subject to specific duties imposed by Article 110 of the regime above, such as using the payment instrument according to the rules governing its issue and use. This implies preserving all personalized security credentials (home banking account username, password, card code), i.e. not disclosing this data to third parties who are not the user.

To this rule must be added the obligation to notify the payment service provider as soon as possible and without undue delay of any unauthorized use of the payment instrument, or of its loss, theft or robbery, and in no case later than 13 months after the debit occurs, in compliance with Article 112(1) of the law above.

Even having complied with all the obligations relating to security and communication, the user may still be unable to obtain rectification of the unauthorized payment transaction for an amount of up to €50; where there is gross negligence on the part of the user, the user may bear a higher amount.

However, payment service providers still bear the burden of proving that the transaction was authenticated without any technical malfunction or deficiency in the service provided, under Article 113(1). They also have the duty to demand strong authentication from the payer, without which the payer should not bear any losses, under Article 115(5).

With the emergence of more sophisticated and convincing fraudulent schemes, prevention and security measures are needed first and foremost from users and banking entities to curb the increase in occurrences such as phishing.

The content of this information does not constitute any specific legal advice; the latter can only be given when faced with a specific case. Please contact us for any further clarification or information deemed necessary in what concerns the application of the law.