What is phishing?

Every year the number of daily phishing attacks multiplies, making it one of the most common scams on the internet. Those who carry out this scam obtain confidential information such as bank passwords or credit card information, but how do they do it?

Phishing is an attempt at identity theft: cybercriminals pose as a well-known and reputable company, institution, or service to trick you into handing over your private data, access credentials, or banking details. This fraudulent practice is based on social engineering, that is, its success depends on the trust you have in the company or institution being impersonated. For this reason, many of these communications use the identity of financial or banking services.

Additionally, phishing is also sometimes used to infect devices with some type of malware (malicious program).

How do I receive a phishing scam?

Most phishing is distributed via email, since cybercriminals hold a large number of email addresses that they have gathered in many different ways. It is therefore relatively easy for them to use this medium for their phishing attacks.

However, there are also other means of propagation such as:

  • Social media, through the creation of false profiles or pages.
  • Text or multimedia messages sent to mobile phone numbers. This practice is known as smishing.
  • Phone calls, to both mobile phones and landlines.

Which companies, institutions or services are most used in phishing?

Many services have been affected by phishing, ranging from public institutions such as the Tax Agency and Correos (the national postal service), the State Security Forces and Bodies such as the Police or the Civil Guard, to private companies such as Dropbox, Microsoft, Apple, Iberia, etc., and of course banking entities like us. On more than one occasion we have detected that our brand has been used by cybercriminals to try to steal the access codes to the online banking service, as well as other customer banking information (credit card number, CVV, coordinate card, PIN, etc.).

Being a victim of any type of phishing attack can cause serious problems, mainly of a privacy nature, but falling into the trap of bank phishing can be even more painful, since it could lead to significant economic loss.



Phishing, how to avoid internet scams.

Online scams can come from sites that appear to be trustworthy. Learn how to protect yourself.


What is the process for stealing data in phishing?

The process can be summarised into these steps:

  1. The cybercriminal selects the brand to be impersonated.
  2. Then, after determining what information he wants to obtain from the user, he selects the medium through which to spread his false message.
  3. He creates a message that is usually worrying and provokes a reaction in the user, usually clicking on a link provided or downloading and executing an attached file.
  4. He then redirects the victim to a false web page, which is practically the same or very similar to the legitimate one of the impersonated service.
  5. The user, thinking that they are on the official site, ends up filling out the different forms that are provided on the malicious website.
  6. Finally, the captured data will be stored on some remote server controlled by cybercriminals and subsequently used to carry out fraudulent actions: impersonating someone, committing other crimes on their behalf, hijacking user accounts, stealing money, sending spam, etc.

How can I avoid being a victim of a phishing attack?

Email is the most common means used by cybercriminals to attack you with phishing techniques. Here are some of the steps you can take to prevent phishing and internet scams:

  1. Always find out who is sending the emails
    If you do not know the sender, or the domain does not match the company or service it claims to be, then you may be facing a case of phishing. For example, if you receive an email on behalf of Santander and the email domain does not include the bank's name, it is suspicious. The same applies if the mail that reaches you comes from a free mail service such as Gmail, Outlook, Yahoo!, etc.
  2. Be suspicious of alarmist subjects
    The subject is usually very flashy or requests some sort of urgent action. Some examples that can help you: "You have a new security message", "Suspicious movements detected", "Deletion of inactive accounts", "You have received a notification", "You have a package waiting", etc.
  3. Look at the writing and spelling
    Phishing emails often have poorly constructed or meaningless phrases, words with strange symbols or characters, misspellings, etc. A service with a good reputation will ensure that both the structure and design of the email and its content are correct, since the image transmitted to users is a very important aspect for any reputable service. But beware, cybercriminals are also improving their practices, so if you find a suspicious message that is worded perfectly, make sure you have at least verified the other clues before deeming it to be trustworthy.
  4. Look for signs of personalisation
    A phishing message is barely personalised or not at all. Anonymous communications such as "Dear customer", "User notification" or "Dear friend", are indications that should warn you. If a criminal wants to swindle hundreds of thousands of people, it is very difficult for him to know each of their names. So they use generic formulas like the ones mentioned above.
  5. Be suspicious when they request your personal or bank details
    Whether by phone call or email, it is not normal for a company to request your full electronic signature or other sensitive details through such channels, precisely because of the risk of fraud and scams.
    In our case, with the application of the SCA regulations for e-commerce, on some occasions we will send a message/notification to your mobile phone with a link that will redirect you to the Bank's identification page. There we will ask you for the access code you use to access your Online Banking or the card PIN, if you do not have a Digital Banking contract. Find out more about this regulation here.
  6. Before clicking, check the URL of the link
    The aim of the criminals is for you to click on a link that takes you to a fraudulent website instead of the legitimate page. Therefore, it is important to check that the link is reliable. To do this, you can place the cursor over the button or the link and check the address shown in the bottom left of the browser or your email client. If what you see is suspicious, don't click!
  7. Do not download files without looking at the extension
    If the message you receive asks you to download a file that has more than one extension, something like "filename.doc.zip", or it is a compressed file (.zip) or an executable (.exe), do not even think about downloading it, as it is more than likely that your devices will end up infected. In any case, if you trust the source and choose to download the file, always scan it with an antivirus before opening and executing it.
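The seven checks above can be applied mechanically to a message before a person ever reads it. The script below is an added illustration, not code from the article or from the bank: it takes a message as a small dictionary (sender, subject, HTML body, attachment names), runs the checks that can be automated (clue 3, writing quality, is left to the reader) and returns the list of clues that fire. The two sample messages, the helper names, and the placeholder brand domain "santander.example" are all constructed for this example.

```python
"""Heuristic phishing-clue checker (added example, not the article's own code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free webmail providers named in the article; a reputable company writes from its own domain.
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Subject hooks quoted in the article as typical alarmist/urgent bait.
ALARMIST_PHRASES = ("security message", "suspicious movements", "inactive accounts",
                    "notification", "package waiting")
# Generic greetings the article lists as a sign of a mass mailing.
GENERIC_GREETINGS = ("dear customer", "user notification", "dear friend")
# Credentials the article says are never requested over these channels.
SENSITIVE_REQUESTS = ("pin", "cvv", "coordinate card", "electronic signature", "access code")
# File types the article says not to download without scanning.
RISKY_EXTENSIONS = {".exe", ".zip"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs: the 'hover over the link' check, automated."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    """Domain part of a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def phishing_indicators(msg, brand, brand_domain):
    """Return the article's clues that fire for msg (keys: from, subject, body_html, attachments)."""
    hits = []
    dom = sender_domain(msg.get("from", ""))
    if brand.lower() not in dom:                       # clue 1: domain lacks the brand name
        hits.append("sender domain does not contain the brand name")
    if dom in FREE_MAIL_DOMAINS:                       # clue 1: free mail service
        hits.append("sender uses a free mail service")
    subject = msg.get("subject", "").lower()
    if any(p in subject for p in ALARMIST_PHRASES):    # clue 2
        hits.append("alarmist subject")
    body_html = msg.get("body_html", "")
    text = re.sub(r"<[^>]+>", " ", body_html).lower()  # plain text for greeting/credential checks
    if any(g in text for g in GENERIC_GREETINGS):      # clue 4
        hits.append("generic greeting")
    if any(re.search(r"\b" + re.escape(s) + r"\b", text) for s in SENSITIVE_REQUESTS):  # clue 5
        hits.append("asks for sensitive credentials")
    collector = _LinkCollector()
    collector.feed(body_html)
    for href, shown in collector.links:                # clue 6: where does the link really go?
        host = urlparse(href).hostname or ""
        if host != brand_domain and not host.endswith("." + brand_domain):
            hits.append(f"link points to {host} rather than {brand_domain}")
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host != host:
            hits.append(f"visible link text says {shown_host} but href goes to {host}")
    for name in msg.get("attachments", []):            # clue 7: extensions
        parts = name.lower().split(".")
        if len(parts) > 2:
            hits.append(f"attachment {name} has more than one extension")
        if "." + parts[-1] in RISKY_EXTENSIONS:
            hits.append(f"attachment {name} is a compressed or executable file")
    return hits


# Constructed sample messages (not real e-mails); the brand domain is a placeholder.
SUSPICIOUS = {
    "from": "Santander Security <alerts@gmail.com>",
    "subject": "Suspicious movements detected in your account",
    "body_html": ('<p>Dear customer,</p><p>Confirm your PIN at '
                  '<a href="http://login.example-verify.test/">https://www.santander.example</a></p>'),
    "attachments": ["statement.doc.zip"],
}
LEGIT = {
    "from": "Santander <noreply@santander.example>",
    "subject": "Your monthly statement is available",
    "body_html": '<p>Hello Ana,</p><p>See it at <a href="https://www.santander.example/">our site</a></p>',
    "attachments": [],
}

if __name__ == "__main__":
    for label, message in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, phishing_indicators(message, "Santander", "santander.example"))
```

Run as a script, the suspicious sample trips nine clues and the legitimate one none. A real mail filter would weight these clues rather than count them, but even this plain list shows why the article insists on checking several signs together: a well-written message that passes clue 3 can still fail every other check.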

What to do if it is too late and you have fallen into the trap?

It can happen. You would not be the first or the last: this time you did not realise it was an attempted fraud and did what the message asked you to do. If you are in this situation, the most important thing is to acknowledge it, stay calm, use common sense, analyse what you have just done and act accordingly.

If you have provided your bank details (card number, PIN, CVV, coordinate card, etc.) the first thing you have to do is contact your bank and explain what happened so that they may take the appropriate reactive measures and mitigate the consequences of the phishing as much as possible. If you are a Santander customer, contact Superlínea as soon as possible on 915 123 123.

You must also act if, instead of bank details, what you have been asked for is other private information: contact the corresponding service and report the situation, so that if any problems arise later you can show that this was the cause.

As a complementary measure, you should regularly monitor what the internet knows about you, to see whether criminals are using this data without your consent. And in the case of bank accounts, it never hurts to check your transactions frequently. This way you can detect any suspicious movements in time.

If your device has been infected, you will have to disinfect it. If you have problems with this, you can go to the OSI website, where you will find clearly explained steps to follow; they can also help you with this task if you call their support line on 017.

Finally, we recommend that you report the facts to the Police so that, with all the evidence of the crime, they can take the appropriate measures to pursue the cybercriminals.

