The Catalan government has been the target of cybercriminals attempting to steal €1.7 million over the last ten years, according to official figures. An investigation into Catalan government cyber fraud attempts reveals that while the majority of attacks were thwarted, a total of €49,120 in public funds was successfully stolen. This introduction outlines the scale of the issue.
The data was made public following a successful transparency request by the newspaper ARA. The government, known as the Generalitat de Catalunya, initially resisted releasing the information, citing security concerns. However, it was compelled to do so by Catalonia’s public information commission. The figures show that while attempts were significant, authorities successfully blocked or recovered 94% of the targeted funds. This focus on financial security is notable alongside other recent Generalitat investments in security and social programs.
Your browser does not support the video tag.
Home » Catalan Government Cyber Fraud: €1.7m Targeted in a Decade
A Breakdown of the Catalan Government Cyber Fraud Attempts
The fraud attempts varied in size and success rate, affecting multiple government departments. The healthcare sector, which manages a large volume of resources and deals with numerous suppliers, was a frequent target.
Key incidents highlighted in the report include:
- 2024: The Presidency department detected and blocked an attempt to steal €573,941. In a separate incident, the Catalan Health Institute was defrauded of €232,252, of which all but €10,220 was recovered.
- 2023: The Catalan Health Service lost €22,222 in a fraud that was not recovered.
- 2020: A cyberattack on the Department of Social Rights and the Ministry of Culture resulted in a loss of €14,367 after €16,676 of the initial €31,043 stolen was recovered.
- 2016-2017: Two of the largest early attempts, targeting €561,719 at the Catalan Health Institute (2016) and €289,888 at the Department of the Interior (2017), were completely neutralised.
How the Catalan Government Cyber Fraud Scams Work
According to the Catalan police force, the Mossos d’Esquadra, the primary method used by criminals is identity theft. The attackers impersonate legitimate companies that provide services to the government. They take advantage of publicly available contract and supplier information. Investigations into these crimes often fall to the Mossos d’Esquadra’s central fraud unit.
The common tactic involves sending a fraudulent email to a department’s economic management unit, pretending to be a supplier. The email informs the department of a change in bank account details. Consequently, this redirects future invoice payments to an account controlled by the criminals. Authorities have traced a significant number of these criminal organisations to Romania. Therefore, they advise government staff to always make a verification phone call to a known contact at the supplier before changing payment details.
Recovery Efforts and Future Prevention
When a fraud is detected, the government’s protocol involves immediately requesting that financial institutions block the fraudulent account and freeze the funds. A formal police report is filed, and action is taken to reverse the transaction as quickly as possible. Since 2016, banks have reportedly improved their systems for detecting suspicious activity. For example, they now flag a newly created account suddenly receiving a large payment from a government body.
Recognising that human error is a key vulnerability, the Presidency department is now working with the Catalan Cybersecurity Agency. Their goal is to “reinforce the awareness and sensitisation of public employees” on security matters. This focus on security is a critical component of the Catalan government’s broader digital transformation efforts.
A Battle for Transparency
The release of this data followed a year-long process. Initially, the Catalan government and the Cybersecurity Agency denied the information request. They argued that disclosure could “compromise security” and “create unnecessary social alarm.” However, the Commission for the Guarantee of the Right of Access to Public Information (GAIP) sided with the media outlet. It stated that revealing the figures did not pose a substantial security risk. The GAIP affirmed that releasing the information serves public transparency. Moreover, it allows citizens to scrutinise how the administration manages and preserves public funds. The data was ultimately released following an official resolution mandating its disclosure.
Apply to join our community of Entrepreneurs, Senior Executives and Founders at Bizcelona .
