Back to Insights
Threats4 min read14 July 2026

Spanish Police Dismantle €140 Million BEC Fraud Ring After Four Arrests Across Three Countries

A laundering network that ran 800 bank accounts and 67 money mules has been shut down, but the business email compromise tactics it used remain a daily threat to finance teams everywhere.

t2s
train2secure NewsdeskSecurity awareness team
Photoreal editorial scene: a plainclothes detective at a desk covered in printed bank transaction records and a laptop s

Spanish police have broken up a criminal network responsible for stealing roughly €140 million (approximately $160 million) from businesses, arresting four people across Spain, Portugal and Panama in a coordinated operation backed by Interpol and Europol.

What the investigators found

This was not a small operation. Raids hit Barcelona, Girona and Tarragona in Spain and the city of Porto in Portugal, with a fourth arrest made in Panama. Officers seized 15 computers and more than 170 phones believed to have been used to execute thousands of fraudulent transfers. Police also froze €3 million that will be returned to victims.

The financial plumbing behind the scheme was deliberately complex. The group maintained more than 800 personal bank accounts and 120 business accounts. Seventy-seven people acted as money mules, receiving stolen funds into their own accounts and forwarding the cash onward for a cut of the proceeds. Once money landed in the first account, it was split rapidly and pushed through long transfer chains, often crossing borders, to make recovery practically impossible.

Investigators traced €94 million moving through the network directly and linked a further €61 million specifically to business email compromise activity carried out during 2024. The investigation began after suspicious transactions surfaced in 19 companies connected to the group.

How the fraud actually worked

The criminals used two well-documented variants of business email compromise, commonly called BEC.

The first is CEO fraud. A finance employee receives an urgent email that appears to come from their chief executive, ordering a wire transfer immediately and asking them to keep the request confidential. The urgency and the implied authority of the sender suppress the instinct to verify.

The second is false-invoice fraud. Attackers pose as an existing, trusted supplier and quietly update the bank account details on a legitimate-looking invoice. The next scheduled payment goes straight to the criminals. The victim company may not notice until the real supplier chases them weeks later.

Neither method requires malware. Neither requires a hacked inbox. Often attackers simply spoof the display name in an email header, or register a lookalike domain with a single character changed, and rely on the recipient not checking the actual sending address. That is the uncomfortable core of BEC: it is primarily a human problem, not a technical one.

The Verizon 2024 Data Breach Investigations Report found that social engineering, the category covering BEC, was the leading action pattern in financially motivated breaches, with a median loss per incident reaching $50,000 across reported cases. The gang dismantled in Spain operated at a scale far beyond that median, which shows what a sophisticated, well-funded BEC operation can achieve over time.

Which controls failed and what defenders should learn

Multi-factor authentication matters enormously for credential-based attacks, but it would not have stopped this fraud. The criminals did not need to log in to anyone's email system. They manufactured trust through social engineering alone. That points directly to a gap in human controls rather than technical ones.

The first failure here is the absence of out-of-band verification for payment changes. Any instruction to wire funds or alter bank details should trigger a mandatory phone callback to a pre-registered number, not a reply to the same email thread. That single procedural rule would defeat the vast majority of CEO fraud attempts before they cost a cent. Finance teams that skip this step because it feels slow are making an expensive trade-off.

The second failure is inadequate email authentication at the domain level. DMARC, the standard defined in RFC 7489 and published by IETF, allows organisations to instruct receiving mail servers to reject or quarantine messages that claim to originate from their domain but fail authentication checks. Many organisations have still not deployed DMARC at an enforcing policy, which means criminals can spoof their domain freely. CISA has published guidance on DMARC deployment as part of its Binding Operational Directive 18-01, and while that directive applies to federal agencies, the technical recommendations are directly applicable to any organisation.

A third gap is payment threshold governance. Payments above a defined value should require a second human authorisation, independent of the original request channel. This is a basic internal control that many smaller finance teams skip for convenience. The criminals targeted exactly that convenience.

Regular, realistic training that teaches staff to recognise urgency-and-authority manipulation is the other side of this coin. Staff who understand why CEO fraud feels so convincing are dramatically less likely to comply with a spoofed instruction under pressure. Security awareness programmes built around real attack scenarios give finance and operations teams the muscle memory to pause, verify and escalate rather than act immediately.

The bigger picture

Spanish police described the operation as a success, and it genuinely is. Taking down four key operators and seizing devices that linked to thousands of transactions is meaningful law enforcement work. The €3 million freeze will return some money to victims.

But BEC fraud globally generates losses in the billions every year. The FBI's Internet Crime Complaint Center recorded more than $2.9 billion in adjusted BEC losses in its 2023 Internet Crime Report, making it the single highest-loss cybercrime category tracked. Four arrests, however welcome, do not change that trajectory.

What changes it is organisations hardening the human layer: call-back verification, dual authorisation, DMARC enforcement, and staff who can spot a social engineering attempt before they act on it. The controls exist. They are not expensive. They are just consistently skipped until an urgent email arrives and the money is already gone.

For organisations wanting to benchmark their current awareness posture against recognised frameworks, the Train2Secure standards page maps training content to NIST and ISO 27001 controls relevant to social engineering defence. Teams still evaluating options can review programme tiers and pricing without committing to anything upfront.

How this could have been prevented

  • Enforce a mandatory out-of-band callback policy for any payment instruction or bank-detail change, using a pre-registered number, never a contact from the same email thread.
  • Deploy DMARC at an enforcing policy on all company domains to stop criminals spoofing your brand against your own staff and suppliers.
  • Run scenario-based social engineering training so finance and operations staff can recognise urgency-and-authority manipulation before they act on a fraudulent request.

Train2Secure's BEC and social engineering modules put real-world attack scenarios in front of your team before criminals do.

Start free, no card required

Frequently asked questions

What is business email compromise and how does it differ from phishing?

Business email compromise targets finance and operations staff with highly specific requests, often impersonating a CEO or supplier, to authorise fraudulent payments. Unlike broad phishing campaigns that try to steal credentials from many people, BEC is tailored, low-volume and focused on triggering a single financial transaction. No malware or malicious link is required.

Would multi-factor authentication have stopped this fraud ring?

Not on its own. The attackers frequently did not need access to a real email account. They spoofed display names or used lookalike domains to impersonate executives and suppliers. MFA protects account logins, but it does not prevent an employee from acting on a convincing fake email they believe is legitimate.

What is DMARC and why does it matter for BEC defence?

DMARC is an email authentication standard, defined in RFC 7489, that lets an organisation tell the world's mail servers to reject messages that falsely claim to come from its domain. Deploying DMARC at an enforcing policy stops criminals from spoofing your domain to target your customers, partners or staff. CISA recommends DMARC enforcement as a baseline email security control.

How can organisations recover money lost to a BEC attack?

Speed is critical. Contacting your bank within hours of a fraudulent transfer and reporting to national law enforcement can sometimes trigger a hold on the receiving account. In the Spain case, only €3 million of roughly €140 million was frozen for return to victims. Once funds move through multiple mule accounts and cross borders, recovery becomes extremely unlikely. Prevention is the only reliable strategy.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress