
Bank Phishing in Spain: How to Spot Fake Santander, BBVA & CaixaBank Scams

Spain faces a phishing epidemic targeting bank customers. Learn how scammers impersonate Santander, BBVA, CaixaBank and Sabadell, plus how to protect yourself and report fraud.

LOCK.PUB
2026-03-23

Spain is in the grip of a phishing crisis. In 2025 alone, INCIBE -- Spain's national cybersecurity institute -- managed 97,348 incidents, a 16.6% increase over the previous year. Of these, 21,571 were phishing cases. Bank phishing accounts for roughly 40% of all cybersecurity incidents reported to INCIBE, making it the single largest category of cyber fraud in the country.

If you bank with Santander, BBVA, CaixaBank, Sabadell, or ING in Spain, you are a target. Here is what you need to know.

How Bank Phishing Works in Spain

The Dominant Vector: Smishing

The most common method is SMS spoofing -- known as smishing. Criminals send text messages that appear to come from your bank's official number. In many cases, the fake SMS arrives in the same conversation thread as legitimate bank messages on your phone.

| Attack Type | How It Works | Target Banks |
|---|---|---|
| Spoofed SMS | Fake message in real bank thread | Santander, BBVA, CaixaBank |
| Phishing email | Replica of bank login page | All major banks |
| Fake banking app | Malicious app mimicking real one | BBVA, Sabadell |
| Phone call follow-up | Call after SMS to extract codes | ING, CaixaBank |

Typical Smishing Messages

  • "Su cuenta ha sido bloqueada temporalmente. Verifique su identidad: [link]"
  • "Movimiento no autorizado detectado. Confirme aqui: [link]"
  • "Nuevo dispositivo ha accedido a su banca online. Si no fue usted: [link]"

Every one of these messages creates urgency to make you click without thinking.

Why Spain Is Especially Vulnerable

Spain's high smartphone banking adoption makes it fertile ground for smishing. Over 70% of Spanish adults use mobile banking apps, and the cultural habit of responding quickly to bank notifications plays into scammers' hands.

The Scale of the Problem

  • 97,348 cybersecurity incidents managed by INCIBE in 2025
  • 21,571 phishing cases specifically
  • 40% of all incidents involve banking fraud
  • 16.6% year-over-year increase

The Anatomy of a Bank Phishing Attack

Step 1: The Bait

You receive an SMS or email that looks identical to a real bank communication. The sender name shows "BBVA" or "Santander" -- not a random number.

Step 2: The Fake Page

The link leads to a website that is a pixel-perfect copy of your bank's login page. The URL might be something like bbva-seguridad.com or santander-verificacion.es -- close enough to seem real at a glance.

Step 3: Credential Harvesting

You enter your username, password, and possibly your NIF/DNI. The page then asks for a verification code, which the criminals use in real time to access your actual account.

Step 4: The Drain

Within minutes, the attackers initiate transfers, change passwords, and drain available funds. Some sophisticated operations call you pretending to be from the bank's fraud department, asking you to "confirm" the very transfers they are making.

How to Protect Yourself

The Golden Rules

  1. Banks never send links via SMS. If you receive a text with a link, it is fake. Period.
  2. Never enter credentials from a link. Always open your banking app directly or type the URL manually.
  3. Check the URL carefully. Look for the exact domain: bbva.es, bancosantander.es, caixabank.es.
  4. Enable two-factor authentication on all banking apps.
  5. Never share verification codes over the phone, even if the caller claims to be your bank.
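
The URL check in rule 3 and the lookalike domains from Step 2 can be expressed as code. The following is an added example, not part of the original article: it classifies each link in an SMS body against the official domains listed above. The brand keyword list, the function names and the sample messages are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Official domains exactly as listed in the article's golden rules.
OFFICIAL_DOMAINS = ("bbva.es", "bancosantander.es", "caixabank.es")
# Brand strings used to recognise lookalikes (assumption for this example).
BRAND_WORDS = ("bbva", "santander", "caixabank")

def host_verdict(url):
    """Classify a URL's host as 'official', 'lookalike' or 'other'."""
    try:
        # .hostname drops any "user@" prefix, so "bbva.es@host" resolves to "host".
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return "other"  # malformed URL, cannot be an official link
    # Exact match or a true subdomain; a bare suffix test would accept "evilbbva.es".
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand name inside an unofficial host, or a non-ASCII/punycode host
    # (possible homograph of an official name).
    if any(w in host for w in BRAND_WORDS) or "xn--" in host or not host.isascii():
        return "lookalike"
    return "other"

def triage_sms(text):
    """Return (verdict, [(url, host_verdict), ...]) for one SMS body."""
    urls = [u.rstrip(".,;:)\"'") for u in re.findall(r"https?://\S+", text)]
    links = [(u, host_verdict(u)) for u in urls]
    # Per the article, a bank SMS carrying any link is treated as suspicious,
    # even when the link points at an official domain.
    return ("suspicious" if links else "no-link", links)

# Constructed sample messages; the lookalike domains are the article's own examples.
SAMPLES = [
    "Su cuenta ha sido bloqueada temporalmente. Verifique su identidad: "
    "https://bbva-seguridad.com/login",
    "Movimiento no autorizado detectado. Confirme aqui: "
    "https://santander-verificacion.es/",
    "BBVA: su tarjeta terminada en 1234 ha sido activada.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(triage_sms(sms))
```

The comparison is made on the parsed hostname rather than on the raw string, which is why a URL that merely begins with or contains an official domain is not accepted as official.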

Verify Through Secure Channels

When you receive a suspicious communication claiming to be from your bank, verify it through a completely separate channel. Call the number on your physical bank card -- not the number in the message.

For sharing sensitive banking information with trusted family members or financial advisors, consider using a service like LOCK.PUB to create password-protected links that expire automatically, rather than sending account details through iMessage or email.

Bank-Specific Red Flags

Santander

  • Never sends SMS with links
  • Official domain: bancosantander.es
  • Has a dedicated phishing reporting email

BBVA

  • Uses push notifications through the app, not SMS links
  • Official domain: bbva.es
  • Allows reporting suspicious messages through the app

CaixaBank

  • All communications go through the CaixaBankNow app
  • Official domain: caixabank.es
  • Has in-app security alerts

Sabadell & ING Spain

  • Both have moved to app-only notifications for security alerts
  • Never request full credentials via email or SMS

What to Do If You Have Been Phished

| Step | Action | Contact |
|---|---|---|
| 1 | Block your cards immediately | Your bank's 24h phone line |
| 2 | Change all banking passwords | Via official app only |
| 3 | Report to INCIBE | Call 017 (free, confidential) |
| 4 | File a police report | Guardia Civil or Policia Nacional |
| 5 | Save all evidence | Screenshots of messages, emails, URLs |

Important Reporting Channels

  • INCIBE: Call 017 (free helpline) or visit incibe.es
  • Guardia Civil: Online reporting at guardiacivil.es
  • Policia Nacional: Report at policia.es or in person
  • Your bank: Every major Spanish bank has a fraud reporting mechanism

How LOCK.PUB Helps With Secure Sharing

If you need to share banking details, account numbers, or financial documents with a family member, lawyer, or accountant, avoid sending them through regular SMS or email -- the very channels that phishers exploit.

LOCK.PUB lets you create a password-protected, expiring link for any sensitive information. The recipient needs the password to access it, and the link disappears after the set time. It is a simple way to share what matters without leaving it exposed in a message thread.

Stay Vigilant

Bank phishing in Spain is not slowing down -- the 16.6% increase in 2025 shows it is accelerating. The best defense is simple: never click links in bank messages, always go directly to your bank's app, and report suspicious messages immediately. Your awareness is your strongest security tool.
