The businessman Iñaki Barreiro was waiting for the payment of an invoice of 52,000 euros for some glazing.
His client had promised that he would pay her as soon as he received the money from a promoter.
Barreiro sent a reminder with the invoice at the end of November 2021. The payment was made on December 9.
Everything seemed perfect, but there was a problem: on the days that the invoice had been waiting for payment, someone had changed the number of the account where to pay.
"It was the ideal end of the year," Barreiro recalls sarcastically in a telephone conversation with EL PAÍS.
It is still not explained how a bank could accept a transfer that was going to his name but to another account number.
Barreiro himself wanted to do a test between two of his accounts in two different banks.
He filled in the account number, the amount and the concept.
He first left the account holder blank.
The application did not allow him to do the operation.
Then he wrote "Brad Pitt" and the money was transferred without a problem.
The receiving account belonged to Iñaki Barreiro, not Brad Pitt, but the money arrived just the same.
EL PAÍS has spoken with three Gipuzkoan companies that between December and January have seen how more than 100,000 euros that they sent or should have received ended up in the accounts of fraudsters, who immediately moved it, took it out and evaporated.
“Since it has happened to me, I only hear cases of people who have had the same thing happen to them,” says Barreiro.
These types of crimes are very frequent and their solution is complex for three reasons: access to the victims' email accounts requires less skill than it seems, the capture of the criminals is complex and the hypothetical recovery of the money ends up involving laborious legal battles against banks.
Meanwhile, the authorities continue to ask people to be more careful.
But it is not easy.
This is how each of these fronts stands today.
How do they get to my email?
Neither Kristina nor Silvia, two employees of Gipuzkoa companies affected by a scam like Barreiro's, know how they accessed the email account or computer.
Both have asked this newspaper not to appear with their full name so as not to further harm their companies.
They sought the opinion of experts and, without a specific and lengthy investigation, the answers they have received have been vague and incomplete: “I called the Basque Institute of Cybersecurity, they answered me, they gave me a file number and told me it was an attack” Sylvia says.
When he wanted to know if they had accessed his email, that of the supplier company, if they were on his computer or still looking at his emails, the answer was just as unspecific: “It's a 'man in the middle' attack and in a 99% of options the attack occurs when the mail has been sent, when it circulates is when they steal, "they explained, according to Silvia.
Kristina was told something similar when she called her private email provider: "They told me that when you send a message, let's say that message falls apart and takes a lot of paths and a path is where they get," she says in a meeting with EL PAÍS in San Sebastián.
They are unsatisfactory explanations, which further complicate the understanding of citizens.
These attacks can be launched in many ways.
A simple method is the massive sending of infected attachments, be it Word, Excel or pdf.
These companies probably do not stop opening attachments of this type without paying much attention, because it is a daily part of their work.
One of these may be false and includes a malicious program that is automatically installed on the computer and intercepts all outgoing emails: the criminal can easily filter emails where “invoice” or “payment” appears.
(If these companies, for example, had used Basque to exchange messages, perhaps they would have been saved.)
Thus, when the user clicks “send”, the program sends it to the scammer, who changes the current account number and whatever else he wants and returns it to the program so that it can be sent from the original account.
This is just one way to do it.
Another option is to steal the password via a link to a fake remote email access page controlled by the attackers.
If so, criminals have access to the inbox and send or delete emails without problem.
There are more ways.
For an attacker, especially if he is not physically close to the victims, it is easier to do any of these things than to intercept network traffic.
How to catch criminals
"We go with the police vehicle and the criminal goes in the millennium falcon," says Police Chief Inspector Diego Alejandro.
"We have to be aware of that, but there is always a thread to pull and we hold on," he adds.
There are scammers who live in Spain, but a lot of it is done from abroad or the money ends up in bank accounts in other countries.
This means, according to Alejandro, that if there is success it will be "in the medium or long term".
The police must identify the origin of the attacks through the location and identification of the source IP address.
“When we determine that an IP is associated with a team, you have to look at who is behind it,” says Alejandro.
“It's not that easy.
It could be that it is in a call center or a business center or a house where it is the neighbor who takes the Wi-Fi network of a common family, ”he adds.
This criminal procedure, due to its slowness or impractical end, is usually of little comfort to the victims who have lost thousands of euros.
How to get the money back
For money, there is the bank route.
There is apparently no foolproof plan.
Different lawyers look for legal weaknesses depending on the case.
Lawyer Isaac F. Pérez, specialized in digital law at the Sirvent y Granados office in Tenerife, has had 15 cases of this type since 2017. He has won three that, after appeals from banking entities, are in the Supreme Court to see if he finally confirms lower court rulings.
But he will take years yet.
“Our success has been to sue the banks in civil proceedings for accepting a transfer addressed to another person,” says Pérez.
Banking sources have replied to this newspaper that they adhere to the common banking protocol, SEPA (acronym for "single euro payments area"): the only valid identifier that is verified when making transfers is the IBAN or number of account.
Although Pérez resorts, above all, to a royal decree of 2018 on payment services.
In one of its articles, it establishes that the bank must make the funds available to the beneficiary when that person does not have an account with that entity.
What if that person has an account with the same entity?
"This is one of the keys," says Pérez.
“What the law says is that you have to give the money to the beneficiary, not to an account number.
The number identifies a bank account, but that account belongs to one person.
You have to give the money to the beneficiary and in case there is a dissonance between the number and the person, either you make it available to the beneficiary or you return it because there is a problem, ”he adds.
At the moment, the legal authorities have agreed with the firm in national cases, because the decree prevails over the SEPA protocol: "The decree is a norm, while the SEPA protocol is the operation of payments in the European Union, but not it is a norm.
Although it is not the only thing that the judge values, we present other legal arguments”, adds Pérez.
If the Supreme Court agrees, the bank should assume the money defrauded by the fraudsters.
It is an important battle.
Only Pérez's office handles cases of several hundred thousand euros.
You can follow
EL PAÍS TECNOLOGÍA
on
and
or sign up here to receive our
weekly newsletter
.