Spain busts voice phishing ring for defrauding 10,000 bank customers
The Spanish police, working with colleagues in Peru, conducted a simultaneous crackdown on a large-scale voice phishing (vishing) scam ring in the two countries, arresting 83 individuals.
Thirty-five of the arrested people were located across Spain, including in Madrid, Barcelona, Mallorca, Salamanca, and Vigo, and another 48 were arrested in Peru.
The leader of the ring was also apprehended in Spain during the 29 simultaneous raids conducted by the cooperating police forces, which also seized cash, mobile phones, computers, and documents.
Impersonating banks
According to the announcement from the Spanish police (Policia Nacional), the scammers operated a large call operation that employed 50 people in three distinct call centers, defrauding at least 10,000 people and making €3,000,000 ($3.15M) in proceeds.
The calling agents used stolen databases, pre-written social engineering, and scripts to trick the call recipients into giving away their sensitive banking information.
To make the calls appear legitimate, the agents used caller spoofing technology, making their number and caller name match those of the official bank they impersonated, adding credibility to the process.
The bait was an alert about unauthorized ATM withdrawals, directing victims to go through a process of fake account verification and give away their one-time passcodes.
"After convincing victims they had fraudulent charges and blocked accounts, they guided them through steps on their banking apps, using manuals provided by the organization leaders," reads a press release by the Policia Nacional.
"Victims were tricked into sharing verification codes sent to their phones. These codes were immediately relayed to operatives in Spain, who stood ready near bank branches to withdraw cash."
Once the cash was withdrawn, about 20% and 30% were kept by the operators, and the rest was sent to the organization in Peru.
The police highlight some obfuscation methods used by the criminals, such as using color codes to identify banking organizations when communicating and spreading their operatives across different cities to make tracking them down harder.
To protect against these scams, the police recommend only providing personal or banking details after verifying that you are speaking to an actual bank agent.
Also, it's important to remember that banks never ask users to give away their card details, ID details, usernames, account passwords, and one-time passwords.
Cleo patches critical zero-day exploited in data theft attacks
US offers $5 million for info on North Korean IT worker farms
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability
MediumInteger Overflow Error
InformationalUser Agent Fuzzer
HighOut of Band XSS
InformationalImage Exposes Location or Privacy Data
LowCSP: Notices
MediumWeb Cache Deception
InformationalRetrieved from Cache
Free online web security scanner
