More than 100 arrested in Spain in $900k WhatsApp scheme (therecord.media)
94 points by PaulHoule 8 months ago | 53 comments



My mother fell for exactly this scam, thankfully was able to cancel the transaction just in time and gave evidence to the police. Funny to see on HN something that touches one so close.

The most fascinating thing here is the lack of sophistication of the approach. No fake images or audio or anything.

I'm worried about the new wave of impersonation scams that's coming thanks to voice cloning.


I wish there was more promotion of the simple way to protect yourself from most scams - if someone initiates contact with you, contact them back through a channel you found independently in a way you already trust. My bank keeps warning me of scams and has a list of ways to protect yourself, but they're stupid things like check if the message is from a mobile number, and does it sound too good to be true? They don't mention the more robust and simple technique of calling back using the number on the back of your bank card. This will nip voice impersonation scams in the bud too.

I hired a lawyer who did advise that. Telling me not to pay any invoices they send me without first contacting them to confirm.

On the other hand, my doctor sends text messages asking for bills to be paid to an account number in the message itself. Training people to trust scam techniques!


I got a call once where the guy said he was from a bank. He said he wanted to verify who I was, so was going to ask me some personal details. I replied "you're the one calling me, how do I know you're really from the bank?".

He sounded amused by my reply, commented that my stance was quite uncommon, but I had made a fair point. He said I'd get a message via the bank's webapp, with a phone number where I could call him back.

It turned out that it was a legitimate call from the bank. But they clearly aren't training their customers to follow secure practices. The personal information that he was asking for is _exactly_ what a scammer would need to ask me too.


Exactly. They have the capability to push a notification to the app to request you call them. They should do that BEFORE. And if they do outbound, immediately state we're pushing a notification and you should call us back as we have something important to discuss.


I’ve had a similar experience except that the person was clearly irritated at my response. He cut the call and I was only able to confirm that the call was legitimate because I asked my relationship manager at the bank.


> I'm worried about the new wave of impersonation scams that's coming thanks to voice cloning.

That at least isn’t replicable at mass scale. You’d need to have a training set for each relative you’re pretending to be.

But in general, yes, it’s going to be a mess.


Luckily for the scammers we keep posting videos to Facebook, Instagram and any other social media app you can think of. It's going to be a nightmare.


Latest tools can clone from under 15s etc.


You only need a few seconds. If you can access WhatsApp shared files of the victim this may be enough.


They only got $9000 each? That seems like a very small amount of money for a lot of work, and it's probably not getting divided up equally either. What's their motivation to get into this kind of scam? Spain's GDP per capita is $30,000, and I'd assume they'd been doing it for at least 6 months, so they're not even making an average wage.


From the article:

> The scammers were so convincing that in most cases, they managed to get continuous payments from their victims, according to the police.

They managed to secure continuous income streams of free money by talking to people on their phones. It’s extra money and surely they planned on doing more scams. That’s the motivation.

> Spain's GDP per capita is $30,000, and I'd assume they'd been doing it for at least 6 months, so they're not even making an average wage.

I guarantee they weren’t working on this 8 hours per day, 5 days per week. That’s not how scams like this work. They’re talking to people through WhatsApp. It’s about as demanding as texting their friends, albeit with additional overhead of maintaining the ruse and keeping facts straight. They could have carried on these conversations while working their day jobs.

Some people just get a thrill from committing crimes and extracting money or goods through crime. It doesn’t have to be life changing money, these people just like doing crimes and getting a few thousand extra dollars to do whatever they want with.

Of course, the actual cost is devastating once they’re caught. But they’re not thinking about that.


> They managed to secure continuous income streams of free money by talking to people on their phones. It’s extra money and surely they planned on doing more scams. That’s the motivation.

Doesn’t this pretty much describe a sales job? Except the product they are selling doesn’t exist.


Not having to deliver a product is what lets scams scale much better than sales.


A lot of criminals would make more with a real job. Sometimes it is cultural (having a real job is seen as weak). Sometimes the crime seems like it would make more money than it actually does for the work input.

I asked one 19-year-old defendant who had just been given a 30-year sentence for armed robbery with an AK-47 how much he actually got from the robbery? "$2000. $1000 for me, $1000 for my cousin." Ugh :(


In Brazil this is likely the most common scam nowadays. Almost every month one of the 4 members of my family gets a message in WhatsApp, usually from a cloned profile, with the same script:

"Hi <brother|sister|dad>! I'm trying to buy something in store X but my card is getting declined, can you make a PIX (Brazil's real time rail payment) for <random person> for YYYYY (4, 5 digits amount) reais for me? I'll pay you tomorrow"

Or the out of fashion "This is X and I have your daughter, pay X so we can release her".

I have never understood how those people can do this for that long with the amount of tracing and spying the government has. Especially using payments from the Real Time Rail (PIX) that is tied to a CPF (equivalent to SIN/SSN).

Even in the current state of streaming, with sports spread between several providers, you can get, in good faith, in YouTube watching a pirated live stream of a major competition where the broadcaster fakes a famous bank or financial institution pretending to make lottery and faking draws on screen. It is so rudimentary you can see the person literally typing random names.

This is probably one of the easiest crimes to automate enforcement against in the age of AI, and yet, it happens for months, every day.

Good for Spain for actually doing something about it. I wish Brazil would start doing the same.


My mother recently got scammed with that first script during a hectic day at her workplace. As stupid and out of character as those messages were, somehow in between her these guys managed to clean out most of her bank accounts in PIX transactions. They're so easy nowadays you can transfer thousands with very few swipes.


Those payments are for a good operation routed through stolen identities and funneled out using the internet (e.g. gift cards, traditionally). It's easy to trace until the money goes out of the country and gets transformed from a gift card back into money in some place the country has a hard time touching.


I thought we were safer (and we probably are) in Spain since scammers disproportionately target Americans, but this was a good wake up call and just warned my family of the steps to follow if I ever contact them out of the blue asking for money.


"The fraudsters also registered nearly 100 phone numbers using false identities."

Is it really a WhatsApp scheme? I thought the purpose of phone numbers now is to tie them to an actual person.


you would think, but apparently anyone can now download an app called "talkatone" that gives you a free phone number to make calls and send texts with


In some countries you can still buy prepaid cards which don't require any registration etc. and can be used across the entire EU anonymously.


It would be nice if we had tracert for phones. So you can see the route through which someone calls and what platforms/orgs.


Intelligence agencies around the world have collectively spent many, many billions on trying to achieve exactly that.

Then again, full mandatory deanonymisation wouldn't be required to just let people unsubscribe from calls from numbers that aren't "genuine" in some way. There's a middle ground before "block all unknown numbers" that still lets the doctor's office call me.


Where this is more enforced, it's not uncommon for criminals to get homeless or drug addicts to register phones using their identities.


Indeed, poverty engenders crime.

International financial crime would be international economic justice, if only the stolen funds went to poor individuals and not their slaveowners or corporate masters


Is this the same case where ProtonMail revealed the recovery email of an address to Spanish authorities?

https://news.ycombinator.com/item?id=40280689#40282629


no, read the articles


It’s hard to understand how someone could fall for this scam… if a loved one was having an emergency of some kind I would expect them to call rather than text, and I would respond with a call either way to discuss the details.

I’m also generally leery of people “urgently needing money.” It seems like something a scammer would do, and I couldn’t see any of my family members doing it. Maybe I’m a jerk, but I’d be more likely to offer a lecture on financial responsibility than a quick money transfer.


> It’s hard to understand how someone could fall for this scam… if a loved one was having an emergency of some kind I would expect them to call rather than text, and I would respond with a call either way to discuss the details.

I think elderly are more vulnerable to this, because they get scared and want to help.

My elderly mother fell victim to a "microsoft" and "paypal" technician calling her twice, despite my training her on how not to pick up the phone from these calls and going over how nobody from these companies would ever call her. She got nervous and scared and basically did whatever the scammers told her because she thought something was wrong with her computer.

Now after it's happened twice, she has been reminded not to answer any calls from numbers she doesn't know. But she still gets nervous she is going to miss something important from health insurance or doctors office so she is still tempted to pick up spam calls.

It's tough, no matter how much I train her she will still want to answer and "help" the scammer. They keep doing this because it works.

I need to just lock her phone down so all callers not in her contact list go to a voicemail I screen. :-/


Part of my family training has been "phone numbers can be easily stolen" so be wary of that (okay we know it's not "easy", but they CAN be stolen by a semi-decent cracker calling the ISP and this sentence has already 2 words that would take days to explain to them).


A friend's mother fell for one of these largely because she'd contacted her ISP earlier that day about a problem and was expecting a call back. Very unfortunate.


There are collaborative filtering apps that come as a replacement for your phone's native phone app. Works well.

Next level approach would be to plug in a LLM with voice synthesis and make the scammers waste time and money.


You need to be her call screener


There are similar versions of the scam aiming at companies, as the CEO needs money wired to him as part of a secret acquisition of some sort. There's training trying to target this vector specifically, as the amounts are huge, but it also means more efforts can be made to be more realistic: Getting plenty of pictures and entire voice interviews from many CEOs is trivial. You can imagine how hard one can go crafting a fake message.

It's not unlike people entering their credentials where they shouldn't. I've worked at a company you know about, where we had an expert in-house phisher. Her best attempt managed to get 50% of credentials... when targeting the security team itself!

So yes, any attack that pulls on the right emotional levers will work on all kinds of people.


We got "attacked" by this. The team was diligent enough to ask questions, but we are a financing company so money transfer requests are extremely common. We had processes in place and obviously made them stricter.

My concern is as AI voice/video generation becomes stronger the social engineering can cause internal processes to be circumvented especially if you have a basic understanding of the inner workings of the org.


Years ago there was a Dutch notary who transferred about a million euros from his escrow account to someone pretending to be the Dutch prime on MSN Messenger. The email address was "ThePrimeMinister@hotmail.com" or something like that. They had a long story about national security and urgent need to access the funds and whatnot.

There were a lot of suspicions that he might be in on the scam, but as near as anyone could determine, he really was just a scam victim. He did get disbarred and got a prison sentence of a year or so (IIRC) because while a victim, he also could and should have known better as a notary dealing with an escrow account.


Yeah with real-time deepfake audio this could be done by an attacker as an actual phone call in the voice of the person being impersonated.


It’s hard to understand that there are some people who aren’t as cautious or vigilant or tech-savvy or self-confident as (or far more self-confident than) yourself?


The scam has a similar phone version, with a signature "Hey, it's me" first contact to get the victim to fill in the details on who's calling. A good enough scammer can explain away a lot of the red flags (why it's coming from an unknown number etc.)

And of course it doesn't require a 100% success rate, they'll call numbers until hitting a jackpot.


I sometimes respond to those in random languages, Turkish, finding, Farsi, Polish, really throws them off the script...


Here's how it works, in scams and high pressure sales:

1. Victim suspects scam

2. Victim recognizes the presence of predator.

3. Victim gets scared.

4. Victim tries to maintain composure, but can't think of a way to escape the situation without the predator pursuing.

5. Victim appeases predator because they fear all the terrible things this predator might do, as the predator has no morality and the victim's civilization has collapsed around them.

These predators are violating the deepest social contract. They are acting like brilliant, vicious animals. They deserve to be treated like such, yet they are cloaked in the protection of civilized society. They are a cancer on humanity.


This also works where police abandoned the victims. They feel they'll have no recourse if scammer escalates and becomes violent, so they rationalise that giving in to the scam will be cheaper and less stressful than going to the police and potentially putting their life at risk.


The police are not there to protect individuals, they’re there to protect the government. This has been made abundantly clear in a number of cases where police have disclaimed any duty to citizens & residents.

Given all of that, the victims are reacting appropriately.


I would not generalize. Different countries have different police forces. It's true that police will reflect some of the problems of their society (either violence, racism or others), but even that might be more or less strong tendency.


Every police force exists for the state. They are the means by which the state exerts violence on you. The army is the means by which the state exerts violence on all the other countries' citizens.


More properly, police in US have a duty to society, not to any specific individual. They are law enforcement. Not crime prevention or victim protection.

This is of course a huge problem, because as seen in Uvalde and elsewhere, not only do police have no obligation to help you (which by itself is reasonable if undesirable), but are also empowered to prevent you from helping yourself.


Why would they be afraid of a random stranger on whatsapp?


They don't understand the technical details. All they know is someone appears able and willing to violate social and legal norms, and was able to make contact. To lizard brain, it can feel like meeting a mugger in a dark alley.


> in scams and high pressure sales

...but you repeat yourself, sir.


off with their heads


Sure, you think that, but then the one time it does happen and you don't give them money and someone gets seriously hurt or dies, you never forgive yourself ever again. And out of worry that that may happen, a lot of people will be safe rather than sorry. Since money is less important than lives.


Soon your calls won't be safe either; Voice cloning is getting REALLY good.


Onset of dementia can help you become prone to scams like this. Most victims are elderly.

It’s not a guarantee for avoiding dementia, but doing heavy cardio regularly before you hit old age might help mitigate it.



