Spain busts voice phishing ring for defrauding 10,000 bank customers

The Spanish police, working with colleagues in Peru, conducted a simultaneous crackdown on a large-scale voice phishing (vishing) scam ring in the two countries, arresting 83 individuals.

Thirty-five of the arrested people were located across Spain, including in Madrid, Barcelona, Mallorca, Salamanca, and Vigo, and another 48 were arrested in Peru.

The leader of the ring was also apprehended in Spain during the 29 simultaneous raids conducted by the cooperating police forces, which also seized cash, mobile phones, computers, and documents.

Impersonating banks

According to the announcement from the Spanish police (Policia Nacional), the scammers operated a large call operation that employed 50 people in three distinct call centers, defrauding at least 10,000 people and making €3,000,000 ($3.15M) in proceeds.

The calling agents used stolen databases, pre-written social engineering, and scripts to trick the call recipients into giving away their sensitive banking information.

To make the calls appear legitimate, the agents used caller spoofing technology, making their number and caller name match those of the official bank they impersonated, adding credibility to the process.

The bait was an alert about unauthorized ATM withdrawals, directing victims to go through a process of fake account verification and give away their one-time passcodes.

"After convincing victims they had fraudulent charges and blocked accounts, they guided them through steps on their banking apps, using manuals provided by the organization leaders," reads a press release by the Policia Nacional.

"Victims were tricked into sharing verification codes sent to their phones. These codes were immediately relayed to operatives in Spain, who stood ready near bank branches to withdraw cash."

Once the cash was withdrawn, about 20% and 30% were kept by the operators, and the rest was sent to the organization in Peru.

The police highlight some obfuscation methods used by the criminals, such as using color codes to identify banking organizations when communicating and spreading their operatives across different cities to make tracking them down harder.

To protect against these scams, the police recommend only providing personal or banking details after verifying that you are speaking to an actual bank agent.

Also, it's important to remember that banks never ask users to give away their card details, ID details, usernames, account passwords, and one-time passwords.