Two-million-euro swindle of luxury Marbella real estate agency thwarted by National Police

Zoom

Cyber-fraudsters used sophisticated ‘smishing’ and ‘vishing’ to hijack a luxury Costa del Sol agency’s bank accounts.

SUR

Friday, 13 March 2026, 11:16

Cybercrime investigators from the National Police in Marbella have successfully recovered €2 million after a luxury real estate agency on the Costa del Sol was duped into transferring the funds to a criminal network.

The swift intervention, involving international police and judicial coordination, led to the freezing of four bank accounts in the Netherlands where the stolen funds had been diverted.

Just what is smishing and vishing??

The sophistication of the fraud highlights the professional level of the criminal organisation involved. The group combined advanced social engineering with two specific tactics:

• Smishing: Sending fraudulent SMS messages that appear to be from a legitimate bank.

• Vishing: Making phone calls impersonating financial advisors to build a false sense of security.

The sophistication of the fraud demonstrates a high level of professionalism within a criminal organisation that combines advanced social engineering techniques with smishing (the sending of fraudulent SMSs that appear to come from the bank in question) and vishing (phone calls impersonating financial advisors) in order to create a climate of trust that makes the recipients highly vulnerable to being scammed.

A few days ago, a report was filed at the National Police station in Marbella regarding a multi-million-euro online scam affecting a luxury real estate agency in this Costa del Sol town.

What role did fraudulent SMS messages play?

It all started with an SMS text message sent to the phone of a company representative impersonating their bank. The message informed the recipient at the real estate agency of "an email address change process" and urged them to contact a phone number if they did not recognise the transaction.

Upon contacting this phone number, a fake bank manager alerted the victim to alleged fraudulent charges on the company's account. Under the guise of processing the reversal and cancellation of these irregular transactions and refunding the money, the cybercriminals requested verification codes sent by SMS, which the victim provided, believing they were completing a legitimate security process.

How did the scammers take control of online banking?

Using this modus operandi, members of the criminal network gained operational control of the real estate company's online banking system and subsequently transferred two million euros to accounts in the Netherlands.

The swift police action required the urgent activation of international police and judicial cooperation mechanisms, which enabled them to secure the money and prevent its dispersal to third-party accounts. The speed with which the investigators acted proved crucial.

The operation involved cybercrime officers from Marbella's National Police, in collaboration with their counterparts in Spain's central cybercrime unit, Interpol, the Spanish government's commission on preventing money-laundering (Sepblac), the prosecutor's offices for international cooperation in Malaga and Madrid, as well as the fraud prevention department of the affected bank and duty magistrates.

The latter urgently ordered the issuance of the necessary seizure warrants to secure the funds transferred overseas.

How can you protect yous business from smishing and vishing attacks?

The National Police have issued a fresh warning to the public and businesses:

• Never provide banking or personal details via links in SMS or emails.

• Verify any suspicious communication by contacting your bank through an official, known channel.

• Be wary of "alarmist" messages that demand immediate action.

• Report any suspected fraudulent activity to the authorities immediately.

Lastly, as a preventative measure, the National Police again reminds the public of the importance of not providing personal or banking information through links received by SMS or email. Also, to always verify communications by contacting the institution or company directly through official channels, to be wary of alarmist messages requesting urgent action and to immediately report any suspected fraud to the National Police.