Understanding the landscape
Digital fraud involves attempts to deceive someone into sharing personal information, banking credentials, or money through electronic messages. The messages often appear to come from trusted organisations including banks, the tax authority, social security, postal services, or even family members.
Two terms you will hear frequently: phishing refers to fraudulent emails, while smishing refers to fraudulent SMS messages. Both follow similar patterns and aim for the same result: access to your information or your money.
Eight things that reveal a fraudulent message
Unexpected urgency
Messages that insist you must act immediately, that your account will be suspended, or that you have only hours to respond. Legitimate organisations do not communicate this way. Banks send formal letters for serious account matters.
Links that don't match the sender
A message claiming to be from your bank but containing a link to a web address that doesn't include your bank's name, or includes extra words or misspellings. Hover over any link before clicking to see the real destination.
Requests for passwords or PINs
No legitimate bank, government agency, or reputable company will ever ask for your password, PIN, or complete card number by email or SMS. Ever. This is a firm rule with no exceptions.
Generic greetings
Your bank knows your name. A message that begins with "Dear customer" or "Dear user" instead of your actual name is often a sign that it was sent to thousands of people at once, not specifically to you.
Spelling or grammar errors
Many fraudulent messages contain small but noticeable errors in spelling, grammar, or punctuation. Sometimes this is deliberate, to filter out people who are likely to notice. Spanish-language messages may use awkward phrasing from automated translation.
Unexpected prizes or refunds
Messages claiming you have won a prize, are owed a refund, or have an unclaimed payment waiting. These often ask for a small fee or your bank details to process the "payment". Legitimate refunds are initiated by the organisation, not requested from you.
Sender address doesn't match
The display name of an email can be set to anything. Always check the actual email address in the sender field. If your bank is BBVA, a genuine email will come from an @bbva.com domain, not from a free email service or a domain with extra characters.
Attachments you didn't expect
Emails with attachments you weren't expecting, especially from senders you don't recognise, carry significant risk. Fraudulent attachments often install software on your device when opened. Do not open attachments unless you are certain of the sender's identity.
If you receive a suspicious message
- Do not click any links in the message.
- Do not reply to the message or call any number it contains.
- Do not share any personal information, passwords, or card details.
- If it claims to be from your bank, call your bank using the number on the back of your card.
- Report suspicious SMS to your mobile operator by forwarding to 7726.
- Report digital fraud to INCIBE via their helpline at 017 (free, available in Spain).
- You can also file a report with the Policia Nacional online at politica.es.
