
Phishing and Social Engineering

Phishing is a cyberattack technique that deceives individuals into revealing sensitive information (credentials, payment details) or taking harmful actions (transferring funds, installing malware) by impersonating trusted entities via email, phone, or messaging. Social engineering is the broader category of psychological manipulation techniques that underpin phishing and other human-factor cyberattacks.


What Is Phishing?

Phishing is one of the most prevalent and consistently effective cyberattack techniques used against businesses and individuals worldwide. The term combines “fishing” (casting a lure to hook a victim) with “phreaking” (the hacker subculture). In a phishing attack, an attacker impersonates a trusted entity — a bank, a supplier, a government authority, a colleague, or an IT system — to trick the recipient into:

  • Revealing login credentials or passwords
  • Providing payment card or banking details
  • Authorising a fraudulent bank transfer
  • Opening a malware-infected attachment
  • Clicking a link leading to a fraudulent website
  • Granting access to systems or accounts

According to INCIBE, phishing is the most common cyberattack vector in Spain, implicated in over 60% of all cybersecurity incidents affecting Spanish businesses.

Social Engineering: The Human Element

Social engineering is the broader discipline of manipulating people into taking actions or disclosing information that serves the attacker’s purposes. Phishing is the most common form of social engineering, but the category includes many variants:

  • Vishing (voice phishing): Telephone calls impersonating bank fraud departments, tax authorities (AEAT), IT support, or suppliers, requesting account credentials or asking the victim to authorise payments
  • Smishing (SMS phishing): Text messages with fraudulent links, often impersonating courier services, banks, or government agencies
  • Spear phishing: Highly targeted phishing using personalised information about the specific victim (name, role, colleagues, current projects) to increase credibility
  • Whaling: Spear phishing specifically targeting C-suite executives or senior managers
  • Business Email Compromise (BEC): Impersonation of a CEO, CFO, or supplier to authorise fraudulent transfers — the most financially damaging form
  • Pretexting: Creating a fabricated scenario (e.g., impersonating an IT auditor or HR department) to obtain sensitive information
  • Quid pro quo: Offering something of apparent value (free software, a prize) in exchange for credentials or access

Business Email Compromise (BEC) in Spain

Business Email Compromise (known in Spain as fraude del CEO or man-in-the-email) deserves special attention because it is responsible for the largest individual financial losses from social engineering attacks. The most common BEC variants are:

CEO Fraud (Fraude del CEO)

An attacker impersonates the CEO (or another senior executive) and sends an urgent email to the finance department instructing an immediate bank transfer to a new supplier or investment account. The email typically:

  • Claims the matter is confidential and cannot be discussed with others
  • Creates time pressure (“the window closes today”)
  • Uses a spoofed email address or a look-alike domain (e.g., bm-consultiing.com instead of bm-consulting.com)
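As an added example (not part of the original glossary text), the Python check below flags sender domains that resemble a trusted domain, covering the extra-letter case above as well as digit and homoglyph substitutions and a trusted name buried inside a longer domain; the trusted domain list, the substitution table and the sample addresses are constructed.

```python
import unicodedata

# Constructed allow-list of the organisation's own and its suppliers' domains.
TRUSTED_DOMAINS = {"bm-consulting.com", "proveedor-ejemplo.es"}

# Partial table of characters swapped for Latin letters: look-alike digits,
# the "rn" pair that renders like "m", and a few Cyrillic homoglyphs.
# Not exhaustive; extend it from the Unicode confusables list.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
                 ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
                 ("\u0440", "p"), ("\u0441", "c")]

def normalize(domain: str) -> str:
    """Fold a domain to a canonical form so visual look-alikes compare equal."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_match): 'trusted' for an exact allow-list hit,
    'lookalike' when the domain equals a trusted one after substitutions, is
    within max_distance edits of it, or embeds its brand label; else 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        brand = t_norm.split(".")[0]  # e.g. "bm-consulting"
        if norm == t_norm or levenshtein(norm, t_norm) <= max_distance or brand in norm:
            return "lookalike", t
    return "unrelated", None

if __name__ == "__main__":
    for addr in ["ceo@bm-consultiing.com", "ceo@brn-consulting.com",
                 "pagos@bm-consulting.com.secure-login.example", "news@unrelated-newsletter.org"]:
        print(addr, "->", classify_sender(addr))
```

A mail gateway or SIEM rule would run this against the From and Reply-To domains of inbound mail and raise an alert on every "lookalike" verdict rather than blocking outright.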

Supplier Impersonation

The attacker impersonates a known supplier and notifies the accounts payable team of a “change in banking details” — directing future payments to the attacker’s account. The notification may arrive by email (from a compromised or spoofed account) or phone.

Invoice Fraud

Fraudulent invoices are submitted under a convincing fake supplier identity, crafted to match an existing approved vendor relationship so that they pass routine accounts payable checks.

How to Defend Against BEC

  • Verbal confirmation: Always call a known contact (using a number from your own records, not from the email) to verify any request to change payment details
  • Dual control: Require two independent authorisations for any bank transfer above a minimum threshold
  • Email authentication: Publish SPF and DKIM records and an enforcing DMARC policy so that receiving mail servers can reject messages that spoof your exact domain (this does not stop look-alike domains, which need separate monitoring)
  • Awareness training: Regular training on BEC scenarios for all finance team members
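To make the email-authentication item concrete, here is an added Python example (not from the original page) that audits SPF and DMARC TXT records for settings that leave a domain spoofable, with a weak and a corrected record side by side; the records, the domain and the report mailbox are constructed.

```python
# Constructed records for a fictional domain; no DNS lookups are made, so this runs
# offline. In practice, fetch the TXT records of <domain> and _dmarc.<domain>.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = ("v=DMARC1; p=reject; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@bm-consulting.com")

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' (RFC 7489 syntax) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> list:
    """Return findings that leave exact-domain spoofing unpunished; [] means OK."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"p={policy!r}: missing or unknown policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so abuse goes unseen")
    return findings

def audit_spf(record: str) -> list:
    """Flag an SPF 'all' qualifier that lets unauthorised hosts pass or softfail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return [f"{last}: every host on the internet passes SPF for this domain"]
    if last == "?all":
        return ["?all: neutral result, unauthorised hosts are not marked as failing"]
    if last == "~all":
        return ["~all: softfail only; pair with DMARC p=reject so receivers refuse the mail"]
    return []
```

Running audit_spf(WEAK_SPF) and audit_dmarc(WEAK_DMARC) yields one and three findings respectively, while both GOOD_ records audit clean.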

Legal Obligations After a Phishing Incident

If a phishing attack results in a data breach (access to personal data, theft of credentials containing personal information), Spanish companies have legal obligations:

  1. GDPR notification to AEPD: Within 72 hours of becoming aware of the breach, if it is likely to result in a risk to individuals’ rights and freedoms (Article 33 GDPR / LOPD-GDD)
  2. Notification to affected individuals: If the breach is likely to result in a high risk to individuals (Article 34 GDPR)
  3. Internal documentation: The breach must be documented regardless of whether it is notifiable (Article 33(5) GDPR)

For financial fraud (money transferred to attackers), the company must:

  • Report to the Policía Nacional or Guardia Civil: Criminal complaint (denuncia) as soon as possible — time is critical for bank fraud recovery
  • Notify the bank immediately: Request a SWIFT/SEPA recall and ask that the destination account be frozen
  • Legal counsel: For large amounts, immediate legal advice on recovery options

Employee Awareness Training

Security awareness training is one of the highest-ROI investments a business can make in cybersecurity. INCIBE’s studies show that organisations that conduct regular phishing simulation exercises and training reduce click rates on phishing emails from 25–30% (untrained) to below 5%.

An effective awareness programme includes:

  • Initial onboarding training for all new employees
  • Annual refresher training covering the latest attack techniques
  • Phishing simulation exercises — realistic but fake phishing emails sent to employees to test and train their responses
  • Clear reporting procedures — employees should know how and where to report suspicious messages without fear of blame

Technical Controls Against Phishing

Awareness training alone is insufficient — technical controls provide defence in depth:

  • Email filtering: Intelligent spam and phishing filters (Microsoft Defender for Office 365, Google Workspace advanced protection) that block known malicious links and attachments
  • Multi-factor authentication (MFA): Even if a password is stolen, MFA stops the account from being taken over with that password alone; it is the single most effective control against credential phishing. Prefer phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), since one-time codes sent by SMS or generated by an app can themselves be phished in real time
  • Browser protection: Tools that warn users when they navigate to known phishing sites
  • DNS filtering: Blocking connections to malicious domains at the network level
  • Link rewriting: Email security products that rewrite links to check them at click time, rather than delivery time
  • Sandboxing: Automatically running email attachments in an isolated environment to detect malware before delivery to the user

Frequently Asked Questions

What should an employee do if they suspect they have clicked a phishing link? Immediately disconnect from the network (unplug Ethernet, disable Wi-Fi), report to IT or the IT provider, do not restart the computer (restarting destroys volatile forensic evidence held in memory), and change all passwords from a different, unaffected device. Time is critical — the attacker may have already established persistence.

Are Spanish companies liable if an employee is phished and causes a data breach? Yes. Under GDPR, the organisation (as data controller) is responsible for implementing adequate security measures, including employee training and technical controls. A breach resulting from a phishing attack does not automatically absolve the company of liability — the AEPD will assess whether the measures in place were appropriate.

Is CEO fraud (fraude del CEO) a criminal offence in Spain? Yes. Perpetrators are prosecuted for fraud (estafa, Article 248 of the Spanish Criminal Code) and, where applicable, computer fraud (fraude informático, Article 264). Penalties of up to 6 years’ imprisonment are possible for large-scale fraud. However, most attackers operate from outside Spain and prosecution is difficult.

What is spear phishing and why is it more dangerous than regular phishing? Spear phishing is personalised to the specific target, using information gathered from LinkedIn, company websites, social media, and previous data breaches. Because the email includes accurate personal details, job titles, and references to real projects or colleagues, the recipient is far more likely to trust it. Spear phishing attacks have a much higher success rate than generic phishing.

How quickly do banks typically process a payment recall? SEPA credit transfers can sometimes be recalled within the first 5 business days through the bank’s internal recall process, but success rates decline rapidly with time. Transfers to non-SEPA destinations (common in BEC attacks, which often use intermediary accounts in the UAE, Hong Kong, or West Africa) are much harder to recover. Contacting the bank immediately — ideally within hours — gives the best chance of recovery.

How BMC Can Help

We assist businesses in assessing their exposure to phishing and social engineering attacks, designing employee awareness programmes, implementing technical controls, and responding to incidents — including advising on GDPR notification obligations, criminal complaints, and regulatory engagement following a successful attack.

Frequently asked questions

What is the most common phishing attack type affecting Spanish businesses?
Business Email Compromise (fraude del CEO) is the most financially damaging variant in Spain, where attackers impersonate executives to instruct finance teams to make fraudulent transfers. INCIBE reports that phishing accounts for over 60% of all cybersecurity incidents affecting Spanish companies, with BEC causing the largest individual losses.
Does a phishing attack trigger GDPR notification obligations in Spain?
Yes. If a phishing attack results in a personal data breach, Spanish companies must notify the AEPD within 72 hours under GDPR Article 33 and the LOPD-GDD. If individuals face high risk, they must also be notified directly. The breach must be documented internally regardless of whether it meets the reporting threshold.
What should a Spanish company do immediately after a CEO fraud payment?
Contact the bank immediately to request a SEPA recall or payment freeze — time is critical and success rates drop sharply after hours. File a criminal complaint (denuncia) with the Policía Nacional or Guardia Civil, and notify your legal counsel. For cross-border transfers, recovery chances are significantly lower after 24 hours.