Cybercriminals keep looking for new ways to take what belongs to others. The Bank of Spain warned this week about what is known as corporate email fraud or Business E-mail Compromise (BEC), which affects companies that pay invoices by bank transfer.

As explained on the institution’s banking customer portal, the deception consists of impersonating a provider that sends invoices to a company via email. By posing as that provider and replacing the IBAN for the payment, the criminals manage to divert money to criminal accounts.

To do this, the criminals need to know which suppliers the company deals with. “The offender had to previously access the victim’s email, possibly cracking the password,” the Bank of Spain warns. The other possibility is that they have taken over the provider’s email and send the emails from the provider’s own account.

In either of the two scenarios, “they modify said invoices by changing the IBAN of the account to which the money transfer must be made. This is how they manage to deceive their victims”. Without realizing it, the company ends up depositing money in the criminals’ account.

What can be done if I have paid? The Bank of Spain recommends contacting the bank “as soon as possible”. The problem is that payment orders in transfers are irrevocable, which implies that “the entities are not empowered to order the return without the consent of the holder who has benefited”. In this case, that holder is the scammer, so it can be assumed that they will not agree to the refund.

There is a way out, however: “In accordance with good financial practices and uses, the entity is required to make reasonable efforts to try to recover the amount transferred, by contacting the receiving bank”, the Bank of Spain specifies.

The National Institute of Cybersecurity (Incibe) also recommends reporting the fraud so that the origin of the crime can be investigated.