Prolific business email scam takedown leads to arrests in Spain

High-value business employees were impersonated to dupe businesses into handing over millions of euros.
Written by Charlie Osborne, Contributing Writer

A successful Business Email Compromise (BEC) scam operation in which management was impersonated has been tackled by law enforcement through a series of arrests in Spain. 

BEC scams involve crafted phishing messages, often tailored through social engineering techniques and email address spoofing, to impersonate high-value targets. Fraudsters may also compromise business accounts through malicious links or attachments to directly send messages from trusted email addresses. 

Commonly, chief executives, members of the board, and officers may be impersonated in messages sent to financial controllers and invoice departments in order to dupe them into paying fake invoices or sending money to accounts controlled by fraudsters. 

See also: European police arrest Dark Web counterfeit currency traders

This practice, unfortunately, has proven to be lucrative for cybercriminals. According to insurance firm AIG, BEC incidents have surpassed ransomware and data breaches as a need to file cyberinsurance claims in the EMEA region.

On Tuesday, the Spanish Civil Guard said that over ten million euros have been stolen in the latest major BEC scam to be uncovered, and at least 12 companies in 10 countries have fallen prey to the group responsible. 

This particular scam involved cyberattackers masquerading as managers from victim companies after they had managed to compromise their accounts. To make the fraudulent messages appear legitimate, fake money requests were made through Pro-forma invoice attachments making use of company letterheads and branding. 

CNET: DoorDash data breach didn't put a big dent in food delivery service's business

To remain undetected, the scammers created a complex web containing 83 fake companies and 185 bank accounts for laundering proceeds. The money would constantly flow between these accounts and some of the funds were directly invested into real estate. 

So far, 1,290,000 euros have been recovered. 

Victims have been traced back to the UK, US, Germany, Bulgaria, and Luxembourg, among other countries. 

Three arrests have been made in Spain on the basis of computer fraud under the "Lavanco operation." A fourth individual is currently under investigation. Law enforcement says that the suspects are between 34 and 67 years of age. 

TechRepublic: Shattering myths and misperceptions about biometric debit and credit cards

Each suspect faces charges relating to "belonging to a criminal organization, scam[ming], money laundering, discovery and disclosure of secrets, documentary falsehood and usurpation of marital status," according to the Civil Guard.

The Lavanco operation began in 2016 and involved the participation of Europol, Interpol, and law enforcement agencies including the FBI. 

Last month, law enforcement agencies revealed the arrest of 281 individuals suspected of being part of a BEC scam responsible for the theft of millions of dollars. Under Operation reWired, investigators were also able to seize close to $3.7 million and recover roughly $118 million in fraudulent wire transfers. 

Europol’s top hacking ring takedowns

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards