Online Fraud and Phishing in Hungary: Legal Protection and Remedies
A legal guide to combating online fraud and phishing in Hungary, covering criminal law provisions, bank liability, compensation claims, and how to file reports.
Dr. Ildikó Nagy
Introduction
Online fraud and phishing attacks have become pervasive threats across the European Union, and Hungary is no exception. Hungarian authorities have observed a sharp increase in phishing schemes targeting individuals and businesses alike—ranging from fraudulent emails impersonating banks to sophisticated social-engineering attacks exploiting trust in public institutions. Victims often face significant financial losses and complex legal questions about recovery and liability.
This article examines the legal framework governing online fraud and phishing in Hungary, covering the relevant provisions of the Hungarian Criminal Code (Act C of 2012, Büntető Törvénykönyv, “Btk.”), civil liability rules under the Civil Code (Act V of 2013, Ptk.), payment services regulation implementing the EU Payment Services Directive (PSD2, Directive (EU) 2015/2366), and the practical steps victims should take to protect their rights.
Criminal Law Provisions
Computer Fraud (Számítástechnikai Csalás)
Section 375 of the Btk. criminalises computer fraud (számítástechnikai csalás). A person commits computer fraud if they cause financial damage by:
- Entering, altering, deleting, or making inaccessible data in an information system;
- Interfering with the operation of an information system;
with the intent of obtaining an unlawful financial benefit. The penalty depends on the amount of damage caused:
| Damage Amount (HUF) | Classification | Maximum Penalty |
|---|---|---|
| Up to 50,000 | Misdemeanour (vétség) | Up to 1 year imprisonment |
| 50,001 – 500,000 | Felony (bűntett) | Up to 2 years |
| 500,001 – 5,000,000 | Felony | Up to 3 years |
| 5,000,001 – 50,000,000 | Felony | Up to 5 years |
| Above 50,000,000 | Felony | Up to 8 years |
A qualifying circumstance applies if the offence is committed against a vulnerable person (e.g., an elderly individual) or as part of a criminal organisation, leading to enhanced penalties.
Fraud (Csalás)
Section 373 of the Btk. covers traditional fraud (csalás), which is also frequently relevant in online scenarios. A person commits fraud if they deceive another person, or maintain someone else’s mistake, in order to cause financial damage. Phishing attacks—where the perpetrator impersonates a trusted entity to obtain login credentials or payment card information—often satisfy the elements of both fraud and computer fraud. In such cases, prosecutors may charge the more specific offence (computer fraud) or bring concurrent charges.
Misuse of Personal Data (Személyes Adattal Visszaélés)
Section 219 of the Btk. criminalises the misuse of personal data. A person who unlawfully processes, obtains, or discloses another person’s personal data—including through phishing—commits an offence punishable by up to one year of imprisonment. If the offence causes substantial harm or is committed by a person acting in an official capacity, the penalty is more severe.
Breach of Information Systems (Információs Rendszer Felhasználásával Elkövetett Csalás)
Additional provisions in the Btk. address offences related to the unauthorised access to information systems (Section 423) and interference with information systems (Section 424). These provisions are relevant when phishing attacks involve malware, keyloggers, or other technical means of compromising a victim’s device or network.
Liability of Payment Service Providers Under PSD2
The EU Payment Services Directive
Directive (EU) 2015/2366 (PSD2), transposed into Hungarian law by Act LXXXV of 2009 on the Pursuit of the Business of Payment Services (Pft.) and the related government decrees, establishes important rules on the liability of payment service providers (banks, electronic money institutions, etc.) for unauthorised payment transactions.
When Is the Bank Liable?
Under Section 58 of the Pft. (implementing Article 73 of PSD2), if a payment transaction is executed without the payer’s authorisation, the payment service provider must immediately refund the full amount of the unauthorised transaction and restore the account to the state it would have been in had the transaction not occurred. This obligation arises unless the provider can demonstrate that the payer acted with fraud or gross negligence.
Key principles:
- Notification obligation: The payer must notify the bank without undue delay upon becoming aware of the unauthorised transaction, and in any event within 13 months from the debit date. Failure to notify within this period may result in the loss of the right to a refund.
- Gross negligence standard: The burden of proof rests on the bank to show that the payer was grossly negligent. According to the case law of Hungarian courts and the guidance of the National Bank of Hungary (Magyar Nemzeti Bank, “MNB”), a payer is generally considered to have been grossly negligent if they:
  - Voluntarily disclosed their PIN, password, or one-time authentication code to a third party;
  - Failed to safeguard their payment instrument despite clear security warnings;
  - Ignored obvious signs that a communication was fraudulent.
- Strong Customer Authentication (SCA): Under PSD2, banks must implement strong customer authentication (two-factor authentication) for electronic payments. If the bank fails to require SCA and an unauthorised transaction occurs, the bank bears full liability regardless of the payer’s conduct.
Maximum Liability of the Consumer
If the consumer is not found to have been grossly negligent, their liability for unauthorised transactions before notifying the bank is limited to a maximum of EUR 50 (approximately HUF 19,000). In cases where the bank failed to provide the means to notify it promptly (e.g., a 24-hour fraud hotline), the consumer bears no liability at all.
Civil Remedies: Compensation Claims
Claims Against the Perpetrator
Under the Ptk., a victim of online fraud may bring a civil claim for damages (kártérítés) against the perpetrator. The claim may be brought as part of the criminal proceedings (as a polgári jogi igény, or civil claim joined to the criminal case) or in a separate civil action. The victim may claim:
- Actual financial loss (tényleges kár) — the amount taken or lost;
- Lost profits (elmaradt haszon) — income that the victim would have earned but for the fraud;
- Non-pecuniary damages (nem vagyoni kártérítés / sérelemdíj) — compensation for emotional distress, anxiety, or reputational harm, where applicable.
In practice, recovery from the perpetrator can be difficult if the perpetrator is unidentified, located abroad, or insolvent.
Claims Against the Bank
If the bank refuses to refund an unauthorised transaction, the consumer may bring a civil claim against the bank for breach of the payment services contract and violation of the Pft. The consumer may also file a complaint with the MNB or initiate proceedings before the Financial Arbitration Board (Pénzügyi Békéltető Testület), which can issue binding decisions in disputes involving financial institutions.
How to Report Online Fraud in Hungary
Step 1: Notify Your Bank Immediately
Time is critical. Contact your bank’s fraud department and request the blocking of the affected account or payment card. Request a confirmation in writing.
Step 2: File a Police Report
Report the fraud to the police (rendőrség). A criminal complaint (feljelentés) may be filed at any police station or online through the electronic reporting system operated by the National Police Headquarters (ORFK). Provide all available evidence:
- Screenshots of phishing emails, text messages, or websites;
- Transaction records and bank statements;
- Communication logs with the perpetrator;
- Any information about the source of the attack.
Step 3: Report to NAIH If Personal Data Was Compromised
If your personal data was obtained through the phishing attack, consider reporting the incident to the National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, “NAIH”). NAIH can investigate whether the entity whose systems were exploited complied with its data-protection obligations.
Step 4: Contact the Financial Arbitration Board
If your bank refuses to refund the unauthorised transaction, you may initiate proceedings before the Financial Arbitration Board. The proceedings are free of charge for consumers and typically result in a binding decision within 90 days.
Step 5: Seek Legal Advice
Online fraud cases often involve complex questions of jurisdiction (particularly when the perpetrator is abroad), overlapping criminal and civil proceedings, and technical evidence. A qualified attorney can help navigate these issues and maximise the chances of recovery.
Prevention: Legal Obligations of Service Providers
Hungarian and EU law impose specific obligations on service providers to prevent fraud:
- Under PSD2 and the Pft., banks must implement strong customer authentication, monitor transactions for suspicious activity, and provide mechanisms for customers to report and block compromised payment instruments;
- Under the GDPR and Act CXII of 2011 (Infotv.), organisations that process personal data must implement appropriate technical and organisational measures to protect against data breaches, including phishing-related breaches;
- Under Act L of 2013 on the Electronic Security of State and Local Government Bodies (Ibtv.), public-sector entities must maintain information-security frameworks that include protection against social-engineering attacks.
Failure to comply with these obligations may give rise to regulatory sanctions and civil liability towards affected individuals.
Conclusion
Online fraud and phishing in Hungary are treated seriously under both criminal and civil law. Victims have multiple avenues for redress—from criminal prosecution and bank refund claims to civil compensation and alternative dispute resolution. However, the effectiveness of these remedies depends critically on prompt action: notifying the bank, preserving evidence, and filing reports without delay.
If you have been a victim of online fraud or phishing, or if you are a business seeking to strengthen your cyber-security legal compliance, Dr. Ildikó Nagy’s law office offers expert legal assistance tailored to your situation.