Financial institutions and their customers in Spain, Portugal, and Mexico face direct fraud exposure — attackers can silently hijack active banking sessions and drain accounts before fraud controls trigger. The simultaneous targeting of desktop and mobile banking channels means customers who rely on mobile banking as a secondary authentication factor are not protected by that control alone. Organizations operating under PSD2 (EU Payment Services Directive), GDPR, or Mexico's LFPDPPP face potential regulatory and notification obligations if customer banking credentials or personal data are confirmed compromised.
You Are Affected If
Your organization operates or provides banking services to customers in Spain, Portugal, or Mexico
Employees or customers access banking platforms from Windows endpoints that receive external email
Android devices used for mobile banking are not managed by an enterprise MDM solution with application control
MFA for banking application access relies solely on SMS or app-based codes delivered to the same device targeted by BTMOB RAT
Your email gateway does not filter or sandbox phishing emails with financial-lure content targeting Spanish, Portuguese, or Spanish-language recipients
Board Talking Points
Attackers are running coordinated campaigns against banking customers and institutions in Spain, Portugal, and Mexico, capable of stealing credentials and hijacking banking sessions on both computers and phones simultaneously.
Security teams should immediately verify phishing defenses, mobile device management controls, and MFA configurations for banking access — prioritizing affected regions within the next 5 business days.
Without action, the organization risks undetected banking fraud, customer credential theft, and potential regulatory notification obligations under applicable data protection law.
GDPR — campaign targets financial sector organizations in Spain and Portugal; confirmed credential or personal data compromise of EU residents triggers Article 33 breach notification obligations
PSD2 — banking session hijacking and credential theft directly undermine strong customer authentication requirements under the EU Payment Services Directive for affected financial institutions
Mexico LFPDPPP — financial sector targets in Mexico handling personal financial data face notification and security obligations under Mexico's Federal Law on Protection of Personal Data Held by Private Parties if customer data is confirmed compromised