Spanish police have arrested three men in connection with a €10m Business Email Compromise (BEC) ring that targeted corporate victims around the world.
The Guardia Civil revealed on Tuesday that the group allegedly targeted 12 companies in Belgium, Venezuela, Bulgaria, Norway, the United States, Germany, Luxembourg, Portugal, Chile and the UK.
Attackers phished the accounts of senior managers at the victim organizations, using access to their accounts to request wire transfers of funds to bank accounts under their control. To make their efforts appear more legitimate, they attached invoices to these emails featuring the letterhead of the company.
They are said to have run a complex network of 83 fake companies and 185 bank accounts designed to launder the funds. Money was moved frequently between these to put investigators off the scent. So far, Spanish police have only been able to recover €1.3m of the total €10.7m stolen.
The group has also ploughed some of the money into real estate, it said.
Operation Lavanco, as it is known, was carried out with help from Europol, Interpol, the FBI and other national agencies like the German BKA.
Those arrested under charges including belonging to a criminal organization and money laundering, are between 34 and 67 years of age and residents of Seville, Cuenca, Tarragona and Albacete. A fourth is currently under investigation, the Guardia Civil said.
The news comes just a month after a major global bust saw the arrest of 281 BEC suspects and the seizure of nearly $3.7m.
Operation reWired saw most arrests in Nigeria (167), with 74 in the US, 18 in Turkey and 15 in Ghana. Arrests were also made in France, Italy, Japan, Kenya, Malaysia and the UK.
The FBI estimates that $1.3bn was lost to BEC scams last year.