Spanish and Portuguese police have arrested 54 individuals suspected of participating in a massive vishing fraud scheme that has already cost victims €2.5m ($2.7m) in losses.
Revealed yesterday by Europol, the action day on June 4 involved a coordinated operation between the Spanish National Police (Policía Nacional), the Mossos d’Esquadra and the Portuguese Judicial Police (Policía Judiciária).
Nineteen properties were searched, with one individual apparently apprehended while sitting in front of his computer with the bank details of a victim on the screen.
Police seized computers, laptops, mobile phones, SIM cards, cannabis and cocaine from the property.
The gang targeted Spanish senior citizens with a combination of vishing and face-to-face social engineering tactics.
Read more on vishing: Vishing Makes Phishing Campaigns Three-Times More Successful
First, they would call victims pretending to be a bank employee, telling them there was something wrong with their account. This enabled them to extract enough information to share with other members of the gang, who would then turn up unannounced at the victim’s residence, according to Europol.
They would then pressure the victims into handing over their cards, bank details and PINs, before using them to withdraw cash or make expensive purchases. Bank details were used to hijack and drain accounts.
In some cases, the gang members forced their way into victims’ properties to steal cash and valuables, Europol revealed.
Stolen funds were deposited in Spanish and Portuguese bank accounts and laundered via a network of money mules.
Police were apparently able to monitor the conversations of the criminal network and heard members planning to use “severe violence” if necessary to rob their victims. That intelligence accelerated the operation to swoop on the suspected gang members.
Vishing is gaining popularity among cybercriminals as victims grow more wary of text-based attempts to scam them.
Particularly prevalent are telephone-oriented attack delivery (TOAD) techniques, where victims are sent a phishing message with a ‘customer service’ phone number attached. If the victim calls, they could be socially engineered into handing over personal details or enabling remote access to their computer.
Last year, police in Ukraine and Czechia disrupted a major vishing operation said to have cost Czech victims alone around €8m ($8.6m).