Phishing and Identity Theft Recovery

  1. Phishing and identity theft recovery is possible through civil litigation, bank recalls, and criminal proceedings in European courts.
  2. Asian individuals and businesses are primary targets: language-specific phishing campaigns and digital credential theft exploit their distance from European institutions.
  3. Claims are available against fraudsters and, in documented cases, against banks and platforms that failed to prevent or respond to reported identity theft.
  4. The EAPO freezes a fraudster’s accounts across all EU member states simultaneously; funds lost to identity theft are typically moved within hours of the credential breach.
  5. Limitation periods run from the date of discovery, but bank recall windows and platform dispute mechanisms close within days, requiring immediate parallel action.

Phishing and identity theft recovery is achievable through civil litigation, bank recalls, regulatory complaints, and criminal proceedings in European courts. Where a fraudster obtained financial credentials, personal identity documents, or account access through phishing, social engineering, or identity impersonation, and used those credentials to extract funds, open fraudulent accounts, or execute transactions in the victim’s name, claims for fraudulent misrepresentation, unjust enrichment, and breach of statutory payment obligations are available in all major EU jurisdictions. Where banks or payment institutions failed to apply adequate fraud detection controls or ignored timely notifications of unauthorised access, banking liability claims are available. The European Account Preservation Order (EAPO) can freeze the fraudster’s accounts across all EU member states simultaneously. Recovery outcomes depend on the nature of the credential theft, the payment method used, the speed of notification to banks and authorities, and the identifiability of the fraudster.

What Is Phishing and Identity Theft?

Phishing is the use of deceptive digital communications (emails, SMS messages, websites, or voice calls) to trick a victim into disclosing financial credentials, authentication codes, passwords, or personal identity information. Identity theft is the fraudulent use of another person’s identity, obtained through phishing or other means, to access their accounts, open new financial accounts, execute transactions, or commit fraud in their name.

Together, phishing and identity theft form a two-stage fraud: the credential acquisition phase, where the fraudster obtains the victim’s personal or financial information, and the exploitation phase, where those credentials are used to cause financial loss. The legal basis for recovery covers both stages: the fraudster who executed the phishing attack and the financial institutions that failed to prevent or detect the subsequent exploitation.

Phishing and identity theft are not limited to email scams. Documented cases targeting Asian victims in Europe include cloned banking websites, fraudulent SMS messages impersonating customs authorities, fake cryptocurrency exchange login pages, and voice phishing (vishing) calls impersonating European financial regulators.

Interesting fact

The FluBot malware spread across Europe via SMS, disguised as package delivery notifications. Infections were detected in Spain, Germany, Finland, the Netherlands, and other countries. In May 2022, Europol reported the destruction of the network infrastructure. The virus infected millions of devices, with damages estimated at tens of millions of euros, including over €20 million in Spain.

Types of Phishing and Identity Theft Fraud

Email Phishing

A fraudster sends an email impersonating a legitimate institution (a European bank, tax authority, customs agency, investment platform, or trusted service provider), directing the recipient to a cloned website and requesting login credentials, card details, authentication codes, or personal identification information. The cloned website is visually identical to the legitimate institution’s. Credentials entered on the fake site are captured by the fraudster and used immediately to access and drain legitimate accounts.

Smishing – SMS Phishing

Fraudulent SMS messages impersonating delivery services, customs authorities, tax agencies, or banks direct recipients to enter payment details or credentials on fraudulent websites. Smishing campaigns targeting Asian recipients in Europe have impersonated DHL, FedEx, European customs authorities, and local tax agencies, directing victims to pay fictitious import duties, tax arrears, or delivery fees through credential-harvesting payment pages.

Vishing – Voice Phishing

A fraudster calls the victim impersonating a bank fraud department, financial regulator, or law enforcement officer, creating urgency by claiming the victim’s account has been compromised or that they are under investigation. The victim is directed to transfer funds to a “safe account” controlled by the fraudster, or to provide authentication codes that enable account access. Vishing attacks targeting Asian victims have impersonated Europol officers, BaFin representatives, and senior executives of European financial institutions.

Spear Phishing

Targeted phishing attacks use personalised information about the victim (their name, employer, recent transactions, or business relationships) to create highly credible fraudulent communications. Spear phishing targeting Asian businesses in Europe has impersonated known counterparties, law firms managing ongoing transactions, and regulatory bodies conducting apparent compliance reviews. The personalisation of spear phishing makes it significantly harder to identify as fraudulent before credentials are disclosed.

SIM Swapping

A fraudster convinces a mobile network operator to transfer the victim’s phone number to a SIM card the fraudster controls, typically through social engineering of the operator’s customer service team using stolen personal information. With control of the victim’s phone number, the fraudster intercepts SMS authentication codes and uses them to access financial accounts, authorise transactions, and bypass two-factor authentication. Losses from SIM swapping typically occur within minutes of the number transfer.

Identity Document Fraud and Account Takeover

Stolen or fabricated identity documents (passports, national identity cards, residence permits) are used to open new bank accounts, credit facilities, or financial products in the victim’s name. The accounts are used to receive fraud proceeds or to access credit that is never repaid. The victim discovers the identity theft through credit bureau notifications, debt collection demands, or regulatory correspondence addressed to accounts they did not open.

Legal Framework: How Phishing and Identity Theft Are Actionable

Claims Against the Fraudster

A fraudster who used phishing or impersonation to obtain credentials and extract funds has committed fraudulent misrepresentation by conduct: the phishing communication itself is the false representation that induced the victim to disclose credentials or make payment. Claims for fraudulent misrepresentation and unjust enrichment are available in all EU jurisdictions against the identified fraudster for the full amount extracted plus consequential damages.

Banking Liability Under PSD2

The EU Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) imposes specific obligations on payment service providers in relation to unauthorised transactions. Under Article 73 of PSD2, where a payment transaction was not authorised by the account holder, the payment service provider must refund the transaction amount immediately unless it can demonstrate that the account holder acted with gross negligence or fraud. A victim who was deceived by a sophisticated phishing attack into disclosing credentials has not acted with gross negligence where the attack was not identifiable as fraudulent through reasonable care. PSD2 liability claims against European banks and payment institutions are available where the institution processed unauthorised transactions, failed to apply strong customer authentication requirements, or failed to detect transaction patterns inconsistent with the account holder’s established behaviour. These claims target a regulated, solvent defendant independently of the fraudster’s identifiability or asset position.

Mobile Network Operator Liability for SIM Swapping

Where a mobile network operator transferred a victim’s phone number to a fraudster-controlled SIM through inadequate identity verification, civil negligence claims are available against the operator for losses that flowed directly from the number transfer. In documented cases across the UK, Spain, Germany, and France, mobile operators have been found civilly liable for SIM swapping losses where their customer service procedures failed to adequately verify the identity of the person requesting the transfer.

Platform Liability Under the EU Digital Services Act

Where a phishing website was hosted on or promoted through a platform subject to the EU Digital Services Act (DSA, Regulation (EU) 2022/2065), and the platform failed to act on reported illegal content, regulatory complaints and civil liability claims are available. Very Large Online Platforms designated under the DSA carry enhanced obligations to address illegal content, including phishing infrastructure, and face greater regulatory exposure for systemic failures to respond to fraud reports.

Criminal Liability

Phishing and identity theft constitute criminal offences under national criminal codes in all EU member states for fraud, computer-related crime, and identity fraud. The Council of Europe Convention on Cybercrime (Budapest Convention) provides a cross-border legal framework for investigation and prosecution. Criminal complaints filed with national cybercrime units unlock platform record production orders, IP address disclosure, SIM transfer records, and cross-border judicial cooperation, investigative tools that are the most effective means of identifying phishing operators and tracing extracted funds.

Immediate Steps After Identifying Phishing or Identity Theft

The financial exploitation window following a credential breach is measured in minutes and hours. These steps must be initiated simultaneously and immediately upon discovery:

Step 1 – Secure All Compromised Accounts Immediately

Change passwords and authentication credentials for all accounts where the compromised credentials were used. Enable two-factor authentication on all financial and email accounts if not already active. Contact your bank directly through an independently sourced number (not one taken from any communication in the phishing chain) to report the breach and request immediate account restrictions pending investigation.

Step 2 – Initiate Bank Recall and Chargeback Immediately

For bank transfer payments made in response to phishing instructions, request an immediate recall. For card payments, initiate a chargeback claim, available within 120 days under standard card scheme rules. For unauthorised transactions executed without the victim’s knowledge, submit an unauthorised transaction claim under PSD2 to the relevant payment institution, which requires an immediate refund unless the institution can demonstrate gross negligence by the account holder.

Step 3 – Notify the Relevant Authorities

File a criminal complaint with the national cybercrime unit in the EU member state where the phishing attack originated or where the receiving account is held. In parallel, report to Europol’s European Cybercrime Centre (EC3) where cross-border phishing infrastructure is involved. For SIM swapping, notify the mobile network operator and file a complaint with the national telecommunications regulator.

Step 4 – Notify Credit Bureaus and Identity Registers

Where identity documents were stolen or misused, notify the relevant national credit bureaus and identity registers requesting a fraud alert or credit freeze to prevent new accounts being opened in the victim’s name. In the EU, contact the relevant national credit reference agency and the issuing authority for any identity documents that were compromised.

Step 5 – Preserve All Digital Evidence

Save all phishing communications (including full email headers, SMS messages, call logs, and website URLs) without alteration. Screenshot the fraudulent website before it is taken down. Preserve all transaction records and account access logs. Digital forensic evidence is critical for both criminal investigation and civil proceedings, and may become inaccessible if it is preserved only partially or after delay.

Legal Options for Phishing and Identity Theft Victims

Civil Litigation Against Fraudsters and Institutions

Civil proceedings can be brought simultaneously against the identified fraudster, for fraudulent misrepresentation and unjust enrichment, and against the relevant bank or payment institution, for breach of PSD2 obligations. Civil proceedings achieve full recovery of extracted funds, compensatory damages, EAPO bank account freezes, and disclosure orders compelling platforms, banks, and mobile operators to produce identity, transaction, and account records.

PSD2 Unauthorised Transaction Claims

PSD2 claims against payment institutions are the fastest available recovery mechanism for phishing-related bank transfers: the institution is required to refund immediately unless it demonstrates gross negligence. These claims should be initiated as soon as the fraudulent transaction is identified, independently of civil proceedings against the fraudster. Where the institution disputes the refund obligation, regulatory complaints to the national financial regulator and civil proceedings to enforce PSD2 liability are available.

Asset Tracing and the EAPO

Where the fraudster’s receiving account is identified in an EU member state, the EAPO under Regulation (EU) No. 655/2014 freezes accounts across all EU member states simultaneously on an ex parte basis. For phishing fraud, where the exploitation window is narrow and proceeds are moved rapidly, the EAPO application should be initiated as the fraudster’s account details are identified through criminal investigation or banking disclosure.

Regulatory Complaints

Regulatory complaints to national financial regulators (BaFin in Germany, AMF and ACPR in France, CNMV in Spain, Consob in Italy, AFM in the Netherlands) create enforcement records, trigger supervisory investigation of the institution’s PSD2 compliance, and in some jurisdictions contribute to compensation proceedings. Complaints to national telecommunications regulators are available where mobile operators failed to prevent SIM swapping.

Factors That Determine Recovery Outcomes

Speed of Notification to Banks and Authorities

PSD2 refund obligations and bank recall mechanisms are most effective when initiated within hours of the fraudulent transaction. SIM swapping losses, which occur within minutes of the number transfer, require immediate bank notification and account restriction to minimise the exploitation window. Every hour of delay between discovery and bank notification reduces the probability of recovery through recall and PSD2 mechanisms.

Nature of the Credential Breach and Transaction Type

Unauthorised transactions executed without the victim’s knowledge through stolen credentials attract the strongest PSD2 protections, placing the refund burden on the institution. Authorised push payment fraud, where the victim was deceived into initiating the payment themselves, has a more complex PSD2 position, though new protections under PSD3 and the EU’s proposed mandatory reimbursement framework are strengthening victim rights in this category.

Identifiability of the Fraudster

Named fraudsters with identifiable assets in EU jurisdictions are the most viable civil defendants. Where the fraudster operated anonymously, criminal investigation, accessing platform records, IP logs, SIM transfer records, and payment processor identity data, is the primary identification tool. Banking disclosure orders in civil proceedings can compel the production of account holder identity records for identified receiving accounts.

Quality of Digital Evidence

Phishing emails with full headers, fraudulent website URLs, SMS records, call logs, and transaction reference numbers form the evidentiary foundation for both criminal investigation and civil proceedings. Email headers establish the true origin of phishing communications, which may differ significantly from the displayed sender address, and are critical forensic elements for identifying the fraudster’s infrastructure.
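The point made in Step 5 and in the paragraph above, that the displayed sender address is not the true origin and that the raw message must be kept unaltered, is illustrated by the following added example (not code from the original page or from Veritas Advisory Group). It parses a constructed phishing email, compares the display From: with the server-added Return-Path, walks the Received chain back to the submitting host, and records a SHA-256 of the preserved raw bytes; all hosts, addresses and IPs are documentation placeholders.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a phishing e-mail with its full headers (not from the
# original page). Hosts, addresses and IP addresses are placeholders.
RAW_PHISHING_EMAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.victim-bank.example.org (mx.victim-bank.example.org [192.0.2.10])
    by inbound.client-mail.example.com with ESMTP id abc123;
    Tue, 04 Jun 2024 09:15:02 +0200
Received: from relay.example.net (relay.example.net [198.51.100.7])
    by mx.victim-bank.example.org with ESMTP id def456;
    Tue, 04 Jun 2024 09:14:58 +0200
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.net with ESMTPA id ghi789;
    Tue, 04 Jun 2024 09:14:51 +0200
From: "Customer Security" <security@victim-bank.example.org>
To: client@example.com
Subject: Urgent: verify your account
Message-ID: <20240604071451.ghi789@relay.example.net>
Content-Type: text/plain; charset=utf-8

Your account has been restricted. Confirm your credentials via the link below.
"""

# Bracketed IPv4 literal as written by mail servers into Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def header_origin_report(raw: bytes) -> dict:
    """Summarise origin evidence from a preserved raw message.

    The From: header is what the victim saw and is set by the sender.
    Return-Path and the Received headers are added by mail servers; each hop
    prepends its own Received line, so the last one in the message is the
    earliest hop, i.e. the host that submitted the message.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    hops = []
    for hdr in msg.get_all("Received") or []:
        match = IP_RE.search(hdr)
        hops.append(match.group(1) if match else None)
    return {
        "display_from": from_addr,
        "return_path": return_path,
        "sender_domain_mismatch": _domain(from_addr) != _domain(return_path),
        "received_hops": hops,  # newest hop first, as they appear in the message
        "origin_ip": hops[-1] if hops else None,
        # Hash of the unaltered raw bytes, so the preserved copy can be verified later.
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in header_origin_report(RAW_PHISHING_EMAIL).items():
        print(f"{key}: {value}")
```

Keep the hash alongside the original .eml file; it lets a court or investigator confirm the copy produced later is the one captured at the time.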

Frequently Asked Questions

Can I recover money taken from my account through a phishing attack?

Yes. Under PSD2, payment institutions are required to refund unauthorised transactions immediately unless they can demonstrate gross negligence by the account holder. A victim deceived by a sophisticated phishing attack into disclosing credentials has not acted with gross negligence where the attack was not identifiable as fraudulent through reasonable care. Civil claims for fraudulent misrepresentation and unjust enrichment are available against the identified fraudster in parallel.

Can I claim against my bank if it processed a fraudulent transaction?

Yes, where the bank failed to apply strong customer authentication requirements, processed transactions inconsistent with established account behaviour without verification, or failed to respond adequately to a timely unauthorised transaction notification. PSD2 liability claims against the bank are available independently of whether the fraudster is identified, targeting a regulated, solvent defendant through a statutory refund framework.

Can I recover losses from SIM swapping?

Yes. Civil negligence claims against the mobile network operator are available where the operator transferred the victim's number to a fraudster-controlled SIM through inadequate identity verification. Claims against the bank are available where the bank processed transactions authorised only through the compromised SMS authentication without applying additional verification. Both claims can be pursued simultaneously.

What if the fraudster used my identity to open accounts or take out credit?

Civil claims for identity theft losses (including fraudulent credit facilities, unauthorised account openings, and reputational damage) are available against the fraudster. Where financial institutions extended credit to a fraudster using the victim's identity without adequate verification, negligence claims against those institutions may be available. Immediate notification to credit bureaus and relevant regulators limits ongoing damage from identity document misuse.

Can Veritas Advisory Help if the Phishing Attack Originated from Europe but I Am Based in Asia?

Yes. Civil proceedings and criminal complaints are filed in the EU member state where the fraudster is domiciled or where the receiving account is held regardless of where the victim is located. Veritas Advisory Group manages the full procedural and linguistic complexity of European phishing and identity theft recovery proceedings on behalf of clients based in Asia, coordinating immediate bank recall requests, PSD2 refund claims, EAPO applications, criminal complaint filing with cybercrime units, and civil litigation in the relevant jurisdiction.

Does Veritas Advisory Group handle forex scam recovery cases?

Yes. At Veritas Advisory Group, we primarily handle cases involving forex broker fraud, including unregulated brokers, managed account fraud, forex Ponzi schemes, and clone broker operations. We primarily work with clients based in Asia who have been defrauded by forex operators based in Europe. Each case is assessed individually based on the payment method used, the available documentation, how identifiable the broker is, and how much time has elapsed since the deposits were made.

Summary

Phishing and Identity Theft Recovery

Phishing and identity theft recovery in Europe operates across two parallel tracks: claims against the fraudster for fraudulent misrepresentation and unjust enrichment, and statutory and negligence claims against the institutions that failed to prevent or respond to the credential breach. PSD2 places the refund burden on payment institutions for unauthorised transactions, creating a solvent, regulated recovery target independent of the fraudster’s identifiability. Mobile operator liability for SIM swapping and platform liability under the DSA provide additional institutional recovery channels specific to this fraud type.

Speed determines outcomes. The PSD2 notification window, bank recall mechanisms, and EAPO asset freezing applications are all time-critical, measured in hours and days. Digital evidence (phishing communications, transaction records, account access logs) must be preserved immediately, before platforms delete inactive accounts and forensic metadata becomes inaccessible.

If you suffered financial losses through a phishing attack or identity theft involving European institutions or counterparties, contact Veritas Advisory Group to have your legal position assessed.

Veritas Advisory Group provides professional legal and advisory services to victims of investment and trade fraud in Europe. This article is for informational purposes only and does not constitute legal advice.