“I am not going to say much, I will not embellish it, that I have a bad virgin with this, that if I know who it is, I will strike it down with a beating,” a victim of internet fraud says by phone. He does not want to reveal his identity, beyond the fact that he is the owner of a small business in Huesca. One day he received by email a real invoice of 14,500 euros from a supplier of his. He transferred the money to the indicated account number. The next day the supplier had not received anything. What had happened? The account that I put in the email was not that of the provider. He had deposited 14,500 euros in the account of a stranger.
The businessman ran to the police and his bank. The complaint served to block the destination account, but there was only just over 3,000 euros left. The money was gone. This happened in June 2020. Shortly after, Carlos Solano, an economist who collaborates with the local firm Sáez-Benito & Calvo, took charge of the case. “At first [my client] wanted to break the legs of the person who had received the money. Luckily I told him that it was most likely that his identity had been supplanted, ”says Solano in conversation with EL PAÍS in Huesca.
The money from Huesca flew into an account opened under the name of a young man from Tarragona, who apparently lived in Coslada (Madrid), where the bank sent a credit card. With that card, money was withdrawn in Vienna (Austria) and the rest was transferred to another account, presumably from a young woman from Castellón. Almost all traces of money and criminals are lost there.
Solano has pulled all the strings to slowly extract information from the police and banks. With your help, this newspaper has reconstructed the case step by step to understand the tremendous complexity of
online
fraud and why it is a terrible scourge for thousands of Spanish citizens. The loss of the DNI, sharing it by deceit with a stranger on the Internet or falling into a trap and giving the company email password to a third party can be the beginning of an ordeal that is much worse than that of a traditional theft.
In 2016 there were 70,178 known cases of computer fraud in Spain, according to a report by the Ministry of the Interior.
In 2020, that figure multiplied almost fourfold and reached 257,907 cases.
Fraud accounts for 90% of cybercrimes in Spain, totaling almost 288,000.
Of these, only in 11,280 is there a person investigated or detained.
“I am sorry that it is an organized gang.
If I hear any names, I'll find them and you'll pay dearly.
I don't trust justice”, says the victim of the fraud.
As the numbers of resolved cases prove, it is extremely unlikely to happen.
It all started on a Friday in the summer of 2020. He received a real email with an invoice of 14,500 euros but with changed current account figures. How can someone have such direct access to an inbox? It is not uncommon, they say at Incibe, the Spanish cybercrime institute that deals with SMEs. “It is a case of BEC fraud [compromise of the company's mail, in its acronym in English],” says Jesús García, a cybersecurity technician at Incibe. The criminal obtains the passwords with social engineering: the typical false email of “someone has entered your email, change the passwords”. With that access, they watch the emails that come in. When one is an invoice, they erase the original, copy and paste everything identical except for the checking account number and send it again copying even the name of the issuer.
It's not trivial, but you don't have to be a
hacker
to do this.
“You have to know some Spanish and you have to do an analysis of the emails, it takes work,” says García.
They tried to scam the victim in this case in another email, but the criminals left the name of the current account holder, which did not match the provider.
It is proof of their lack of sophistication.
From Huesca to Tarragona
While this was happening in Huesca, another victim fell into the networks of this gang.
A young 25-year-old pizza delivery boy in Tarragona responded to an ad on the Jobandtalent page.
The offer was sweet: 2,000-2,500 euros per month, loaned car, hours worked on weekends paid double.
Apart from such an extraordinary offer, there were other elements that could arouse suspicion: the email was of the type name.surname2015(@)gmail.com, the name of the company did not appear and the city where the delivery was made did not appear either.
But it was a post-lockdown world and offers were scarce.
When the young man gave his ID on both sides and his current account number, the "company" stopped responding to his messages. His identity had just been stolen. With these data, the criminals spoofed his identity and created online accounts in three banks. The money from the Huesca company passed through one of them.
After a few months, the next thing the young man from Tarragona knew about that offer was a call from the Civil Guard. He had to go to the headquarters and be detained. Only his lawyers managed to get him out of there. In the almost year and a half that has passed, according to his lawyers Héctor Calero and Alejandro Caballero, this young man has had two trials in Madrid and one in Gandesa, Huesca, Pamplona and Guadalajara. Except for the case of Huesca, all of them were for fake vacation rental scams, where the victims pay an amount in advance as a reservation. The amount from Huesca was the highest, by far.
“Whoever has to face procedures throughout Spain having a salary of 800 euros as a pizza delivery man with a motorcycle, does not like it at all,” says Calero. Not to mention that the Huesca victim was looking for someone to break his legs and the only candidate there was was his name, until it became clear that his identity had been supplanted.
Solano asked for the phone number with which the bank confirmed the account where his client's money ended up. They gave him a number. The police confirmed that there were eight others on the mobile from which it had been used. The police found that they were citizens using Romanian documents, but the Romanian police said that they were false numbers. Solano entered the phone numbers in his WhatsApp. Three numbers were still active, some with the WhatsApp status in Spanish. When Solano wrote to one of them, they blocked him. The judge said that the police had said it was impossible to find them. That's where another thread died.
The feeling of the economist Solano and the lawyer Calvo from Huesca and Calero y Caballero from Tarragona is that these cases do not stop growing.
The courts know them well, but due to the difficulty of clarifying the facts and the amounts, achieving something is complicated.
Solano, together with Javier Calvo, the lawyer with whom he is handling the case in Huesca. Carlos Gil-Roig
However, there is something that squeaks everyone: How can it be so easy to open an online account in a large bank? Solano took the test in February 2021. He needed a DNI, a telephone and an account in another bank in his name. Nothing more. It was a strainer. In the case of the young man from Tarragona, with his account number and ID, which he was asked for in the false job offer, the criminals already had everything they needed. With that information they could supplant the identity in other banks. The lawyers of the young man from Tarragona have asked the Bank of Spain to tell them if there are more accounts in the name of their client that they have not located. They have not received a response so far.
Solano has calculated the commissions received by a bank and the credit institution in one of the impersonated accounts: “They took 18,500 euros in cash. There were charges for 19,300. The difference is 4.5% of commissions: 832 euros generated in commissions for the bank for withdrawals to be distributed between both companies. In an account with nothing domiciled, just putting money in and out. With that alone, 832 euros of banking business”, he explains.
In the summer of 2021, the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) warned about fraud in these online accounts. BBVA, consulted by this newspaper, eliminated the option of opening an account online just for having another in another bank. Now he demands a
selfie
or a video call. The OpenBank, also consulted, still allows opening an account in its entity from one account in another, but requires that access to it be demonstrated: the bank sends a code in the concept of a transfer to check if the user can enter and see him. It is similar to the ING system, which sends a transfer of cents and the client must say how much it is.
These are necessary measures to reduce a scourge that mainly affects citizens who for some reason have inadvertently clicked on a link or have given unnecessary documents after being deceived. Both the administration and the banks demand more awareness and controls from citizens, but the bad guys are usually a few steps ahead: their job is to look for holes in the system. "The banks say that the fault lies with their clients, which is what the director of my client's entity told me, that it was not their fault that they had been defrauded," explains Solano. "And I told him, true, but that they have used their negligent banking infrastructure regarding identity verification is not my client's fault, but yours," he adds.
Your client, however, has time for few stories.
"There are so many cases that don't pay the attention they should, the banks pass, there is justice in your hand," he says.
The Huesca case is still in criminal proceedings.
Then it will reach the civil court, where they hope to win and recover the money for bank negligence.
You can follow EL PAÍS TECNOLOGÍA on
and
or sign up here to receive our
weekly newsletter
.
