Spain: How Companies Should Act If They Are Victims of a “Cybercrime”

In the last few months, we have detected that cases of cybercrime have increased exponentially, especially following the COVID-19 pandemic and the confinement decreed by many governments.

Although it may seem surprising, these attacks are usually against large companies which already have high levels of security and which, despite numerous firewalls and filters, are victims of simple identity theft of members of their organisations.

A few weeks ago, a Swiss client informed us that two days before, various transfers had been made to two Spanish banks which in total amounted to EUR 170,000, all of this without his due and express authorisation. After conducting an investigation, they realised that a third party had accessed the email account of the CEO in order to, using such email account, email the person responsible for payments to make the two fraudulent transfers. We were dealing with transfers unduly made to Spanish banks and bank accounts open in Spain. For this reason, we immediately contacted the two banks to which, on behalf of our client, we presented detailed description of the illicit events together with the documentational proof. Said communication also included the corresponding official request to immediately freeze the bank account receiving the transfer in order to avoid that the owner of said bank account could access it and make the amount fraudulently transferred his/her own, which would make it more difficult for our client to recover it swiftly. In one of the cases, the banking entity conditioned the freezing of the bank account on having a police report. For this reason, we immediately went to the police station of the Guardia Civil, since these types of crimes may only be reported in person, in order to file the corresponding police report on behalf of our client. After filing the police report and presenting it to the bank, the bank agreed to freeze the account where the amount of EUR 84,000 was located from one of the two fraudulent transfers.

This is a case that ended successfully; first, because one of the two transfers could be taken back directly from its source, that is, by the issuing bank. Second, because although the second transfer for EUR 84,000 could not be taken back as the amount was already transferred to the bank account located in Spain, thanks to the alert to the banking entity and the police report filed, our client did not suffer any economic harm and was able to recover the full amount of the two fraudulent transfers. Without prejudice to this, there is currently a police investigation underway to clear up the events.

Our experience tells us that, despite preventive measures, these types of crimes are now generalised and occur frequently. For this reason, once a fraudulent operation like the one described is detected, it is essential to have legal advice in the country to which the funds have been sent or where the crime was committed. Only an alert to banks and the initiation of police and/or court action by way of presentation of the corresponding police report can avoid harm to the equity of a company, or if this has already taken place, aid in its repair.