“Cybercrimes will be one of the most important challenges in the coming years in Spain”

Leaders League: Many high-profile corruption cases in Spain end in acquittals. What reforms do you believe are necessary to improve prevention and prosecution?

Bernardo Del Rosal: The last few years, specifically from 2019 to 2023, have been a period of intense legislative activity in the field of criminal reforms in Spain.

Although not all of the reforms that have been implemented and approved have had a direct impact on what could be called economic criminal law or white-collar crimes, some have included rules that modified or expanded existing crimes in that area.

For instance, Organic Law 1/2019, of February 20th, transposes into our internal legal system Directive 2014/57/EU of the European Parliament and of the Council, of April 16th, 2014, on criminal penalties applicable to market abuse, Directive 2017/541/EU of the European Parliament and of the Council, of March 15th, 2017, on combating terrorism and Directive (EU) 2017/1371 of the European Parliament and of the Council, of July 5th, 2017, on combating fraud affecting the financial interests of the EU by means of criminal law, as well as the improvement of the transposition of Directive 2014/62/EU of the European Parliament and of the Council, of May 15th, 2014, on the criminal law protection of the euro and other currencies against counterfeiting.

“Cybercrime has become a growing threat in Spain, increasing by 25.5% in 2023”.

In socio-economic matters, it modifies the crimes of insider trading in Article 285 of the SPC, the crime of market abuse in Articles 284, 285 bis, 285 ter and 285 quater of the SPC, the crime of corruption between individuals in Article 286 bis. The tax crimes in Articles 305 and following are also modified, increasing the amount defrauded to establish the criminal offence against the Treasury of the European Union, which was previously set at €50,000 and now rises to €100,000. Finally, it is important that the reform of this law establishes the possibility that the crime of misappropriation of public funds may give rise to the criminal liability of legal persons, which, until now, was not possible, although it was possible with other crimes related to corruption such as the crime of bribery or the crime of influence peddling.

It is difficult to claim that we need any other legal reforms to improve the prosecution of economic crimes, so the problem may be in the efficiency of our criminal justice system and the criminal justice agencies in charge of the prosecution of the crimes, which make criminal proceedings last much longer than desirable, or is required for the proper dispensing of justice.

What are the most common types of white-collar crime committed using new technology, and how have they evolved with the growth of digital platforms?

Both Spanish companies and consumers must stay vigilant, as cybercrime has become a growing threat in Spain, focusing it activity both in big, medium size or small companies and in consumers, increasing by 25.5% in 2023. It targets companies of all shapes and sizes as well as consumers. It now accounts for around a fifth of all registered crimes in the country. The most common types of cybercrime by far (90%) are online fraud schemes, up 27% compared to 2022 figures.

Data from Spanish banks confirms this trend. According to the banks, online fraud attacks increased by 117% in 2023, with recorded losses exceeding €240 million. The trend appears to be ongoing, as the first quarter of 2024 saw a 14.3% increase in online fraud compared to the same period in 2023, according to data from the Ministry of Interior.

“The first quarter of 2024 saw a 14.3% increase in online fraud attacks compared to the same period in 2023.”

Spain is one of the countries most affected by phishing. In 2022, it ranked as the second most affected country in Europe (after the UK), with 94% of Spanish organizations targeted by phishing attacks. According to Kaspersky, Spain also ranks second on the malicious email chart (i.e., the share of emails containing malicious attachments), with 9.53%, just behind Russia at 16.72%. 

How are Spanish authorities adapting to tackle online financial scams, and which strategies are proving most effective?

The Prosecutor General’s Office has a Unit specializing in cybercrime and a network of dedicated prosecutors. The Central Cybercrime Unit, coordinated by a chief prosecutor supported by two deputy prosecutors, has the scope is to coordinate all the activities of the prosecutors, nationwide. Every regional branch unit contains a district attorney and each provincial prosecutor is responsible for their respective provincial unit. Every specialized unit is assigned the number of prosecutors deemed necessary to handle the volume of activity anticipated. There is no such structure regarding judges. The Prosecutor General’s Office already established a first delimitation of what was to be understood as cybercrime in its Instruction 2/2011 of October 11th, entitled “Concerning Specialized High-Prosecutors on Computer-related Crimes and the Sections for computer-related crimes of the Prosecutor’s offices”.

From Law Enforcement perspective, the Ministry of Interior takes a lead when it comes to cybersecurity policy. The structure was consolidated by Royal Decree 770/2017, which stipulates that the State Secretariat for Security coordinate cybersecurity action with the CNPIC (National Critical Infrastructure Protection and Cybersecurity Centre).

“In 2022, Spain ranked as the second most affected country in Europe by phishing, with 94% of Spanish organizations targeted.”

Within the CNPIC, the OCC (Cybersecurity Coordination Office) undertakes the technical coordination and communication with the national CERTs and it is the POC with the cybercrime investigation units of Spanish LEAs. Spain has an integral model of LEAs with full capabilities across the country. The Guardia Civil and Cuerpo Nacional de Policía have specialist cybercrime units, engaged not only in investigative activities but also in forensics, R&D and intelligence. There are also some regional police forces, such as Catalonia’s Mossos d'Esquadra or the Basque country’s Ertzainza, with their own cybercrime units.

On the other hand, Spain has the Cybersecurity National Institute (INCIBE), an offshoot of Ministry of Economic Affairs and Digital Transformation. This Institute manages the INCIBE-CERT, the cybersecurity incident response center for citizens and Spanish private law entities, established by Royal Decree-Law 12/2018 (Spanish Network and Information Security Directive transposition).

What white-collar-crime trends do you predict will dominate in Spain over the next decade?

This is very difficult to predict because things change quickly these days, but cybercrime will probably be one of the most important challenges of the next years since many citizens, probably the vast majority, are not aware of its importance and may not even realize that they have been a victim of a cybercrime, as occurs in the case of massive data thefts. At the same time, the increase in the cyber-capabilities of the offenders, together with the high dependence that society has on information technology, means that cyber-attacks can obtain greater returns through the exploitation of technical and/or human vulnerabilities.