Cybercriminals also target the Catalan government: in ten years they have attempted to steal 1.7 million euros
The Department of Economy, despite having retained most of the money, has lost 49,000 euros
Barcelona. Cybercrime is a growing phenomenon with the rise of new technologies, so not only are citizens victims, but public administrations have also become a target. In fact, they handle a large volume of resources and data on individuals and legal entities, making them attractive to criminals. Proof of this is that the Generalitat (the Catalan government), as ARA has been able to confirm through a transparency request, has also been a victim of financial fraud. Specifically, a total of €1,711,068 has been "compromised," meaning the government has recorded an attempt to steal this amount of resources through fraud. Of this amount, however, the Generalitat has been able to retain the majority of the money: €1,661,948. "The difference of €49,120 corresponds to the amount that the cybercriminals have actually managed to defraud," the government admits. The Presidency highlights that they have managed to preserve 94% of the resources.
In what areas did these frauds occur? Both cases are from 2024: the Presidency department was the victim of an attempted cyber theft of €573,941, which they detected immediately and the money was safeguarded, while the Catalan Health Institute was defrauded of €232,252, which has also reportedly been recovered.
In fact, the healthcare sector, due to the volume of resources it manages and the numerous dealings with suppliers, appears to be a target for cybercrime. The fraud with a 100% success rate occurred in 2023 at the Catalan Health Service: €22,222 were defrauded and have not been recovered. The Department of Social Rights and the Ministry of Culture also had little success in recovering lost funds in 2020, when a cyberattack managed to steal €31,043, of which only €16,676 were recovered. The first instances of cyber fraud recorded by the Generalitat, despite being significantly larger, were successfully neutralized. These amounted to €561,719 at the Catalan Health Institute in 2016 and €289,888 at the Department of the Interior in 2017. According to the Government's response, in all cases the victims of these attacks were the financial management units of the departments, which are typically staffed by civil servants within the departments' respective services.
And how has the Catalan government recovered the money? "The actions consist primarily of requesting financial institutions to block the fraudulent account and freeze its funds," in addition to filing the corresponding complaint with the Mossos d'Esquadra (Catalan police) and "executing the return of the funds to the Generalitat's (Catalan government's) bank accounts as quickly as possible."
The Mossos explain that they have been working for some time to prevent these types of fraud. In a conversation with ARA, Sergeant Xavier Quesada, head of the central fraud and payment methods unit of the Mossos' Criminal Investigation Division (DIC), clarifies that criminals attempt to obtain public funds through identity theft. Taking advantage of publicly available data on tenders and suppliers, the modus operandi typically works like this: they send an email to the administration, impersonating a company that works for the Generalitat (the regional government of Catalonia), and claim they are changing their bank account number to try and receive payment for outstanding invoices. To prevent fraud, Quesada advises always calling the company to verify the information. They have confirmed that many of the criminal organizations involved in this type of crime are based in Romania. Cybersecurity expert José Nicolás Castellano asserts that "diligence" is key to preventing fraud: first, caution with these types of emails, and second, the speed with which banks must block the accounts, which is easier to do if they are located within Spain. In fact, Quesada says that since 2016, banks have also stepped up their efforts on this issue: alarms are triggered if they detect a newly created account that suddenly receives a large sum of money from the administration. Meanwhile, sources at the President's office explain that, given that human error is one of the risk factors, they are working with the Cybersecurity Agency to "strengthen awareness and sensitivity among public employees regarding security."
The Government did not want to provide the data
The Valencian government initially refused to provide details about the frauds it had suffered, although this has been the subject of accounting irregularities in other cases. The clearest example is the Valencia City Council, which was the victim of several frauds for a value of 5 million euros. The Court of Auditors found the former director of the Municipal Transport Company (EMT) responsible for the financial losses due to improper procedures and ruled that she herself had to pay 4.2 million euros, the amount of the cyber fraud. Despite this precedent, the Catalan government and the Cybersecurity Agency denied this newspaper access to the requested information regarding the financial frauds suffered by the Generalitat (Catalan government). It wasn't until the intervention of the Commission for Guaranteeing the Right of Access to Public Information (GAIP) that the request was granted. This process has dragged on for a year, as this newspaper's initial request for this information was made on December 30, 2024.
"Making the requested information public could compromise security and reveal vulnerabilities in security systems, facilitating future attacks," argued the Catalan government to deny the request. The Cybersecurity Agency itself presented similar arguments to the GAIP to prevent the information from being released: "Revealing this information could create unnecessary public alarm." It was also reluctant to identify the responsible administrative units. However, the GAIP considered that revealing the amounts of the financial fraud perpetrated against the Generalitat (Catalan government) did not constitute "substantial, real, and manifest harm to public security that would prevent making the requested information public." Furthermore, the Commission reaffirmed that the information requested by this newspaper provided "transparency on public matters" and was "useful" for society in order to "monitor how the Generalitat administration manages this problem and how public resources are preserved." After all, these are public funds and, therefore, belong to the citizens.