Scam alert: a campaign of malicious messages and calls impersonating BBVA has been detected.

BBVA Group / 10 June, 2021

A campaign of malicious messages distributed via SMS or digital instant messaging channels (Smishing) has recently been detected. The messages impersonate BBVA and inform the recipients that there has been some anomaly or suspicious attempt to access their accounts, cards or other banking products, asking them to “verify” certain data through a link shown in the message.

Through this link, the victim is sent to a fraudulent site where confidential information is requested, such as tax identification number (NIF, NIE, passport), card number, cell phone number and password.

Subsequently, the cybercriminals use the confidential data provided to carry out a second attack. In this second stage, they call the people who have provided the information, pretending to be the BBVA call center, and inform them that several fraudulent bank transactions have been made. The victims are then told that, in order to recover their money, they will receive a single-use code that they will have to provide during the same call.

In this way, with the access codes obtained from the fraudulent web page together with the code sent by SMS and provided in the call, the cybercriminals would have all the data they need to carry out the fraudulent transactions themselves, impersonating their victims.

Some security tips to protect yourself from this fraud:

– Never provide personal or banking data on websites that you have accessed through links contained in emails, SMS or digital instant messaging channels (Facebook Messenger, WhatsApp, Instagram, Telegram, etc.).

– Pay special attention to the link sent in the message: check whether it contains strange characters or words, and check the domain to which it directs.

– BBVA will never request One Time Password (OTP) codes by email, call or SMS. These codes are secret and are requested only in the bank’s official applications and in specific processes that require them.

– As a general rule, be wary of all alarming messages that have a tone of urgency and contain spelling mistakes.

– Avoid downloading files or clicking on links in SMS messages or emails whose sender you do not know or that seem suspicious to you, and never reply to such suspicious messages.

– Remember that secure web pages always start with https, and not http, so do not provide personal or confidential data (login data, bank details, etc.) when browsing is not secure.

– Please contact us by phone at +41 44 2659 503 if you are a victim of this fraud or if you suffer any other security incident related to your accounts or cards.