What is phishing and how to avoid it? Don’t rise to the bait!


The growing prevalence of e-commerce, online banking and card payments is being exploited by cybercriminals to get their hands on your bank details. The Bank Customer Portal is publishing a new series of articles detailing the techniques that fraudsters use and how you can protect yourself. We begin with this post on phishing, perhaps the most common of such scams.

Social engineering attacks involve obtaining information by manipulating users. The basic principle is “the user is the weakest link” in digital transactions. It is easier to deceive someone into giving up their password than it is to crack the complex security systems that protect companies.

Scammers employ various methods, such as email (traditional phishing), SMS (smishing), telephone calls (vishing), fraudulent websites (web spoofing), etc. But there are common traits to all these attacks that can help you identify them and act accordingly.

In phishing scams, fraudsters masquerade as reputable third parties, in this case by sending mass emails purportedly from a legitimate organisation or business, such as your bank. This is the first of numerous stages in the attack, with the ultimate goal being to steal large sums of money.

Such fraud aims to harvest the user’s personal information (name, identity card number) and bank details (card numbers, internet banking usernames and passwords, one-time passwords). The technique has been around since the 1980s. Unfortunately, it is yet to fall out of favour. The term “phishing” is a play on the word fishing.

So how do cybercriminals bait the hook?

These scam messages use all kinds of ruses to create a false sense of urgency, encouraging the user to respond swiftly to avert purported negative consequences. The following are a few examples:

  • Your account has been blocked or will be blocked imminently.
  • New regulations have come into force.
  • Improved security measures.
  • You are asked to confirm your identity.
  • You are offered discounts, promotions or prizes.


How can I spot a phishing email?

Common sense is key to avoiding scams:

  • Your bank will never ask you to provide your electronic banking password or credit card information by email or SMS.
  • Be wary of attachments. In all probability the file contains malicious software (malware).
  • Check the sender’s email address. Remember that scammers can mask the real email address behind a false address.
  • Beware of messages that contain links, and check every link before you click: hover the cursor over the hypertext and the real destination address is revealed. The goal is to direct the victim to a false website (web spoofing) posing as the legitimate site, which the scammer uses to steal login credentials.
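The two checks above (does the sender's real address match the organisation it claims to be, and does the visible link text match where the link actually points) can be automated. The following is an added example, not code from the Bank Customer Portal; the e-mail is constructed for illustration and the bank domain is a placeholder.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGITIMATE_DOMAIN = "example-bank.test"   # assumed: the bank's real domain (placeholder)

# Constructed sample message: lookalike sender domain, and link text showing the real bank URL.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.test>
Content-Type: text/html; charset=utf-8

<html><body><p>Your account has been blocked. Confirm your identity now:</p>
<a href="http://examp1e-bank-login.test/verify">https://www.example-bank.test/login</a>
<p>Or read our <a href="https://www.example-bank.test/help">help pages</a>.</p></body></html>
"""

def registrable(host):  # crude "last two labels" approximation of the registrable domain
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs: what hovering would reveal vs. what is displayed.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw):
    # Returns human-readable findings for the two checks described in the article.
    msg = message_from_string(raw, policy=policy.default)
    sender, findings = msg["From"].addresses[0], []
    if registrable(sender.domain) != LEGITIMATE_DOMAIN:
        findings.append(f"sender shown as {sender.display_name!r} but address domain is {sender.domain}")
    collector = LinkCollector()
    collector.feed(msg.get_content())
    for href, text in collector.links:
        if "." in text and " " not in text:   # only compare when the visible text itself looks like a URL
            shown = urlparse(text if "://" in text else "//" + text).hostname or ""
            real = urlparse(href).hostname or ""
            if registrable(shown) != registrable(real):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings
```

Running `analyse(SAMPLE_EMAIL)` reports both the lookalike sender domain and the first link, whose visible text names the bank while the href points elsewhere; the second link is left alone because its text is ordinary prose.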


What should I do if I detect a phishing scam?

  • Never provide the information you are asked for, nor any other information.
  • Do not click on links or download attachments.
  • Mark the email as “spam”. If you can, report the identity theft to your email service provider. Block the sender to prevent them from sending you other fraudulent emails.
  • It is worth informing your bank of the scam so that it can warn other customers.
  • If you think you have fallen victim to phishing, contact your bank and ask them to block the fraudulent transaction and take any possible remedial action. Change your electronic banking password. Don’t forget to file a report with the police, the Civil Guard or the courts.

All this may already be familiar to you. But share the information with others nonetheless, giving real-life examples to illustrate the threat. The IT Security Office (Oficina de Seguridad Informática) website has further information on what tools you can use to protect yourself. Don’t be caught off guard. You are your own best defence against scammers.
