What the email scam suffered by the Vitoria City Council (89,991 euros) teaches us about how to avoid being a victim of a


Online scams are a constant threat whenever we use technology, and many scammers spend vast amounts of time and ingenuity crafting increasingly complex and difficult-to-detect schemes. But the truth is that when proper preventive measures are not taken, and/or we believe the first thing that reaches us through networks or by email, even the simplest scams can end up costing us tens of thousands of euros.

Something like this has happened to the City Council of Vitoria, which has reported to its Local Police a fraud linked to the payment of several invoices “when the identity theft of a supplier company occurred”. Behind that identity theft there was no advanced social engineering strategy, no phishing technique and no certificate impersonation…


A very simple scam

…simply put, on March 9 the council received an email impersonating the company, in which it was notified of a “change of the reference bank account”, after which “fraudulent bank certificates” were also sent to it to back future invoice payments.

With this information and other messages supposedly issued by the company, the Department of Social Policies of the Vitoria City Council proceeded to carry out various payments between March and June for a combined value of 89,991 euros.


Obviously, this technique had an expiration date: the fraud was revealed as soon as the administrative services of the supplanted company contacted the City Council —on June 13— to “resolve billing doubts”:

“Since then, different queries have been made with the bank used, with the Municipal Administration department (which has investigated the email spoofing) and with the affected company. […] The City Council is working on the possibility of recovering part of the defrauded amount.”

How to prevent it from happening again

At least the institution has taken note for the future, announcing that it is now preparing “an improvement in the mechanisms for modifying and registering bank accounts with third parties” to strengthen security in situations like this.

In these cases, expert advice for preventing an organization from falling victim to invoice fraud (or at least making it harder) typically includes measures such as the following:

  • Create effective communication channels to verify payment requests: It is not the same, for example, for every data change to go through a municipal platform that requires prior registration as for any apparently legitimate e-mail to be enough to trigger a change in bank details.

  • Provide the workforce with training in risk prevention and cyber attacks: An official who knows what phishing, spoofing or social engineering are is far less likely to end up a victim of this kind of attack.

  • Resort to common sense: A notification of a change of account or bank is not something we receive every day; it should always put us on alert and prompt us to check some obvious aspects:

    • Does this company usually contact us by email?
    • If so, is this the email address from which the company has written to us on other occasions?
    • Does it even belong to the same domain?
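As an added illustration of the last two recommendations (this is example code written for this article, not anything the City Council or the supplier operates; the supplier registry, domain names and IBANs are constructed), a Python routine that triages a “change of reference bank account” notice against what the supplier registered on the municipal platform, refusing look-alike or foreign sender domains and holding any change that arrives by e-mail alone:

```python
from email.utils import parseaddr

# Constructed registry: what each supplier registered through the municipal
# platform (onboarding e-mail domain, current IBAN). Values are made up.
SUPPLIER_REGISTRY = {
    "SUP-001": {"domain": "proveedor-ejemplo.es",
                "iban": "ES00 0000 0000 0000 0000 0000"},
}

def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header ('' if unparseable)."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def evaluate_change_request(supplier_id: str, from_header: str,
                            new_iban: str, via_platform: bool) -> str:
    """Triage a 'change of reference bank account' notice for one supplier.

    Returns a verdict string; only ACCEPT lets the payment master data change.
    """
    record = SUPPLIER_REGISTRY.get(supplier_id)
    if record is None:
        return "REJECT_UNKNOWN_SUPPLIER"
    domain = sender_domain(from_header)
    if domain != record["domain"]:
        # A domain one or two edits away from the registered one is the
        # classic impersonation pattern; anything else is simply foreign.
        if edit_distance(domain, record["domain"]) <= 2:
            return "REJECT_LOOKALIKE_DOMAIN"
        return "REJECT_FOREIGN_DOMAIN"
    if new_iban.replace(" ", "") == record["iban"].replace(" ", ""):
        return "ACCEPT_NO_CHANGE"
    if not via_platform:
        # An e-mail alone never changes bank data: hold the request until the
        # supplier confirms it through the registered platform or a call-back.
        return "HOLD_PENDING_VERIFICATION"
    return "ACCEPT"
```

The verdicts other than ACCEPT are meant to land in a human review queue, so that the person who pays the invoice sees why the request was stopped rather than a silent failure.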

