The National Police have long warned that computer fraud is rising, challenging both businesses and individuals. In Palma, the City Council confirmed it was a victim of a sophisticated phishing operation. Criminals impersonated a legitimate company and used fake bank accounts to access public funds, resulting in losses exceeding three hundred thousand euros. The case underscores how criminals exploit official channels and trusted identities to carry out financial crimes.
Authorities said the Metropolitan Municipality promptly informed the National Police, which has taken charge of investigating the incident. In a public update, investigators noted progress in the preliminary proceedings and stressed that significant advances were being made as officers conduct interviews, examine digital traces, and gather documentary evidence. The case is being treated with high priority due to its impact on public fiduciary trust and city services.
It appears that the incident began last February when Cort’s Treasury department received an email from the Contracts Division. The message reportedly claimed to come from Shamil, the company that had won several cleaning services contracts with the city. The email stated that the company was closing its bank account and that new banking details needed to be added to facilitate payment. In this way, the attackers sought to redirect funds to a different, fraudulently controlled account.
Following protocol, the department requested documentation to verify the provider’s identity and authorization. The Bank of Trust documents, bearing official stamps and signatures, were part of what the attackers submitted to mislead officials. The city council later confirmed that the fake documents and the advertised bank ownership proof looked authentic, enabling two invoices to be paid to the attackers’ account on March 8. The total payment amounted to 303,150.47 euros, divided into two separate transfers: 263,652.20 euros and 39,498.27 euros.
With the transfer completed, Cort believed the debt would be settled. However, Shamil’s company subsequently surfaced again, requesting further payments. The City Council detected the fraud, and that same day, staff from the Municipal Treasury, Intervention, and Legal Services filed a formal complaint with the National Police. They also notified both banks involved and the cleaning company affected to prevent additional losses and to preserve evidence for the investigation.
In its initial assessment, the Treasury Department confirmed there were no similar scams reported in other municipal departments. The council characterized the incident as a case of fraudulent manipulation rather than an ordinary computer error, noting that falsified documents and a flood of invoices had overwhelmed internal controls. Investigators are reviewing how the fraudsters obtained legitimate-looking documentation and what gaps allowed the breach to occur.
During ongoing countermeasures, the Treasury Undersecretariat emphasized the need for enhanced security against such schemes, which appear to be spreading across public administrations. Adrian Garcia, a senior official, met with bank representatives to discuss defensive measures and to exchange information that could prevent recurrence. He also convened a meeting with councilors and the Spokespersons Board to keep all municipal groups informed about the case and the steps being taken to safeguard city funds.
Palma City Council has indicated it has been pursuing a comprehensive retrofit plan in its Treasury department for several months. The episode accelerated the process and led to new protocol instructions focused on securing bank ownership certificates and validating provider identities. These measures aim to strengthen financial controls and reduce vulnerability to social engineering and document forgery in the future.
Additionally, Cort released a statement indicating the city’s experience aligns with a separate incident recently reported by Barcelona City Council. In that case, scammers used a similar tactic to obtain payments amounting to 350,000 euros by transferring funds to an unauthorized account after presenting convincing invoices. The parallel cases reinforce the need for robust verification procedures and cross-city information sharing to combat fraud more effectively. [Citation: Palma City Council Official Communications]