The Spanish National Police has announced the arrest of 13 people living in A Coruña, Córdoba, Huelva, Madrid, Málaga, Murcia, Palma de Mallorca and Terrassa (Barcelona) for stealing money through phishing techniques. Another 7 people are under investigation but have not been detained.

Those investigated impersonated a “well-known banking entity” (as described by the Police, who have not specified which one) and obtained their victims’ credentials through phishing. With this information, they made online purchases and transfers or requested unauthorized personal loans.

How the scam worked

The method they used was consistent with the many email phishing cases we regularly see. Those investigated used the corporate image of a banking entity and sent false emails in its name in bulk. People who received this email found a notice about a supposed “security alert” that affected their cards and bank accounts. The email contained a link where the victim could enter their online banking credentials to resolve it.

But, as in any phishing campaign, the emails had not been sent by the bank, and the links redirected to fake web pages controlled by members of the organization. The “bait” emails were also modified and updated to appear more realistic. These types of practices are common. It is not unusual for us to receive emails or SMS messages sent in the name of well-known entities such as Banco Santander, Caixabank, ING or BBVA.

The profits they made were then dispersed through “money mule” bank accounts. These “mules” were recruited through dating websites. These people, deceived by a supposed romantic partner, sent money through money-transfer companies to the Ivory Coast, which made it possible to circumvent controls established by law.

Later, with the credentials obtained, the detainees accessed the victims’ online banking and replaced the mobile number registered by the legitimate client with another number under their control. This let them complete purchases or transfers protected by two-step authentication, using their own mobiles.

With all this, they could also access the victims’ bank details and receive the Keys for Secure Electronic Commerce (CES) needed to complete operations. They made the fraudulent purchases through online stores located in foreign countries (especially France), using VPNs to disguise their location.
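
A defender-side view of the takeover pattern described above, as an added example that is not part of the original article: it flags purchases, transfers or loan requests that follow a change of the registered mobile number. The event format, account names and 72-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed review window after a contact-number change (not from the article).
RISK_WINDOW = timedelta(hours=72)
# Operation types the article says were abused after the takeover.
HIGH_RISK = {"purchase", "transfer", "loan_request"}

# Constructed sample events: (timestamp, account, event type, detail).
EVENTS = [
    ("2018-11-02T09:10", "ACC-1", "login", "device=known"),
    ("2018-11-02T09:14", "ACC-1", "transfer", "amount=120"),
    ("2018-11-03T22:41", "ACC-2", "login", "device=new"),
    ("2018-11-03T22:45", "ACC-2", "phone_change", "new=+000000002"),
    ("2018-11-03T23:02", "ACC-2", "purchase", "amount=890 merchant_country=FR"),
    ("2018-11-04T00:15", "ACC-2", "loan_request", "amount=6000"),
    ("2018-10-01T10:00", "ACC-3", "phone_change", "new=+000000003"),
    ("2018-11-05T12:00", "ACC-3", "transfer", "amount=50"),
]


def find_takeover_candidates(events, window=RISK_WINDOW):
    """Return {account: [(kind, detail, elapsed)]} for high-risk operations
    made within `window` of a change to the registered mobile number."""
    last_change = {}  # account -> time of most recent phone change
    alerts = {}
    # ISO 8601 timestamps sort chronologically as plain strings.
    for ts, account, kind, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "phone_change":
            last_change[account] = when
        elif kind in HIGH_RISK and account in last_change:
            elapsed = when - last_change[account]
            if elapsed <= window:
                alerts.setdefault(account, []).append((kind, detail, elapsed))
    return alerts


if __name__ == "__main__":
    for account, hits in find_takeover_candidates(EVENTS).items():
        for kind, detail, elapsed in hits:
            print(f"{account}: {kind} ({detail}) {elapsed} after phone change")
```

The rule keys on the number change itself, not on the session's apparent location, since the article notes the group used VPNs to disguise where they were.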

The investigation

In total, 146 people are known to have been scammed, and the amount defrauded comes to 443,600 euros. The police investigation began at the end of 2018, when agents detected numerous complaints across the country (filed both by individuals and by a bank) about fraudulent operations involving purchases in online stores, as well as bank transfers and unauthorized personal loan requests. It has ended with the arrest of 13 people.

The complexity of the investigation lies in the fact that this is a cross-border crime: the victims whose bank details have been compromised, as well as the affected banking entities, are from one country (in this case Spain), the online store that suffers the fraud is in a different one, and the product or service purchased is consumed or delivered in a third country.