Malaga's Plaza Mayor shopping and leisure centre has been defrauded of 120,000 euros that were due to be paid to a firm for works on the new outlet village.
The centre was the victim of what is known as the CEO fraud, where cybercriminals infect the computer of a top executive with spying tools to obtain information. In the case of Plaza Mayor, the criminals hacked an employee's computer and learned that the firm was about to transfer a certain amount of money.
They then created a new email address, very similar to the employee's, and contacted a colleague instructing them to make the transfer. This colleague was expecting to be told to pay that same sum so did not suspect foul play. The bank account that received the transfer, however, was the one provided by the criminals.
Plaza Mayor representatives reported the case to the National Police and the cybercrime unit opened an investigation. Four members of the gang, the owner of the bank account that received the transfers from the centre and three accomplices, were identified and arrested in Valencia. They are now under investigation for fraud, money laundering and belonging to a criminal organisation.
A parallel investigation to identify the perpetrators of the online fraud itself has reached the same dead end detectives often find in cybercrime cases. The IP addresses placed the criminals in Nigeria and the United Arab Emirates, although criminals normally use VPN-type mechanisms to disguise their real locations.
The accomplices transferred the funds to other accounts and withdrew cash; then the money was sent to the cybercriminals via firms such as MoneyGram or Western Union, but the identity of the recipient is difficult to ascertain.
While most firms that fall victim to this type of crime don't publicise the fact, two other local companies have said they have lost 38,000 euros through the same fraud.
One of them, NRSUR, which operates Burger King franchises, transferred 26,000 euros to an account that they thought belonged to a supplier.
Marbella-based Sol Sport, which organises training camps for sports clubs across Europe, was a victim in a different way.
The criminals sent an email in the name of an employee to one of the firm's clients requesting a transfer. A sum of 12,000 euros ended up in the wrong hands.