Skip to content
MovetoSpain

Guide: Work & Taxes

Banking and Bizum Scams in Spain: Phishing, Vishing, and Payment Fraud Expats Face

Protect yourself from SMS phishing, fake bank calls, Bizum fraud, and currency exchange traps targeting expats in Spain. Practical verification steps and reporting guide.

Updated February 15, 2026
BankingScamsDaily Life

Moving money in a new country is stressful enough without criminals exploiting the learning curve. Spain's banking system is safe and well-regulated, but expats are disproportionately targeted by phishing, phone scams, and payment fraud — precisely because they are still learning how things work.

This guide covers the most common banking and payment scams affecting expats in Spain, how to verify every suspicious contact, and exactly what to do if you are targeted.

This path is usually a good fit if

  • You have opened or are opening a Spanish bank account and want to know what threats to watch for.
  • You use Bizum, bank transfers, or mobile banking and want to recognize fraud attempts before they cost you money.

This path is harder if

  • You have already sent money to a suspected scammer — skip to the reporting section below and act today.
  • You are not yet in Spain and only using international transfers — currency exchange traps still apply, but most of this guide covers in-country banking fraud.

Why expats are prime targets for banking fraud

Scammers exploit three things that most new arrivals share:

  1. Unfamiliarity with how Spanish banks communicate. You do not yet know what a real SMS from CaixaBank, Santander, or BBVA looks like — so a fake one is harder to spot.
  2. Language gaps. A phishing message in rapid Spanish creates urgency before you can properly translate and evaluate it.
  3. Time pressure. You need a working bank account for your NIE appointment, rental deposit, or utility setup, so you are more likely to act quickly on something that looks official.

Understanding these pressure points is your best defense.

SMS phishing (smishing)

This is the single most common banking scam in Spain. You receive an SMS that appears to come from your bank — often spoofed to appear in the same message thread as legitimate bank texts.

How it works

  • The SMS warns of a "suspicious login," "blocked card," or "security update required."
  • It contains a link to a fake website that looks identical to your bank's login page.
  • You enter your credentials and a one-time code. The scammer uses them instantly to access your real account.

!SMS sender names can be faked

In Spain, scammers can spoof SMS sender IDs so the message appears under your bank's name in your phone's message thread — right alongside real bank texts. The sender name alone means nothing.

How to verify

  • Never click links in SMS messages from your bank. Open your bank's app directly or type the URL manually in your browser.
  • Spanish banks state clearly: they will never ask for your full password, PIN, or OTP via SMS or email.
  • If in doubt, call the number printed on the back of your bank card — not any number included in the message.

Email phishing

Similar to smishing but via email. Fake emails mimic your bank's branding, often with subjects like "Actualización de seguridad" (security update) or "Movimiento sospechoso" (suspicious transaction).

Red flags

  • The sender address does not match the bank's official domain (e.g., @caixabank.es vs. @caixabank-seguridad.com).
  • The email asks you to "verify" your identity by clicking a link and entering credentials.
  • Generic greetings ("Estimado cliente") instead of your name.
  • Grammar or formatting errors — though AI-generated phishing emails are improving fast.

+Check the URL before anything else

Hover over (or long-press on mobile) any link before clicking. If the domain is not exactly your bank's official website, it is a phishing attempt. Even one extra character or hyphen in the domain means it is fake.

Phone scams (vishing)

Vishing — voice phishing — is increasingly sophisticated in Spain. The caller claims to be from your bank's fraud department and may already know your name, partial account number, or recent transactions (often from data breaches or social media).

Common patterns

  • The caller says they have detected a fraudulent charge and need you to "confirm" a code sent to your phone to cancel it. That code actually authorizes a transfer.
  • They ask you to move money to a "safe account" while they investigate. There is no such thing — your money is already in a safe account at your bank.
  • They pressure you to stay on the line and not call anyone else.

How to protect yourself

  • Hang up. Call your bank directly using the number on your card or app.
  • Your bank will never ask you to read out OTP codes, move money to another account, or install remote access software.
  • If the caller knows some of your details, that does not prove they are legitimate — data from breaches circulates widely.

!Caller ID can be spoofed too

Scammers can make their phone number appear as your bank's real customer service number. The number displayed on your screen is not proof of identity.

Bizum scams

Bizum is Spain's instant mobile payment system, used by over 26 million people. It is incredibly convenient — and its speed is exactly what scammers exploit.

The request-vs-send confusion

This is the most common Bizum scam and it targets people who are new to the system:

  1. You are selling something on Wallapop, Milanuncios, or similar.
  2. The "buyer" says they will pay you via Bizum.
  3. Instead of sending you money, they send a payment request (solicitud de dinero).
  4. If you are not paying close attention, you approve the request — and you have just sent them your money instead of receiving theirs.

!Read every Bizum notification carefully

A Bizum payment request looks almost identical to a payment notification if you are moving quickly. The key difference: a payment request asks you to confirm sending money OUT. Always read the full notification text before tapping accept.

Other Bizum fraud patterns

  • Overpayment scam: Someone "accidentally" sends you more than the agreed amount via Bizum, then asks you to return the difference. The original payment is later reversed (using a stolen account), and you lose the "refund" you sent.
  • Fake Bizum notifications: You receive a text or WhatsApp message claiming someone sent you money via Bizum, with a link to "collect" it. Bizum payments arrive automatically — you never need to click a link to receive money.

How to use Bizum safely

  1. Only use Bizum with people you know or can verify in person.
  2. Read the full notification text before confirming anything — distinguish 'you are receiving' from 'you are sending.'
  3. Never return an overpayment without first confirming with your bank that the original funds are settled and legitimate.
  4. Remember: Bizum payments are instant and irreversible. Treat every confirmation like handing over cash.

Currency exchange and transfer traps

When moving larger sums from abroad to Spain, or converting currencies for property purchases or deposits, you may encounter:

  • Unlicensed money transfer services advertising on expat Facebook groups or forums. They offer great rates but have no regulatory oversight — your money may simply vanish.
  • Bait-and-switch exchange rates: A service quotes a favorable rate, then applies a different rate at execution, adds hidden fees, or delays the transfer while the rate moves against you.
  • Fake "currency broker" websites that mimic licensed FX companies.

How to verify a money transfer service

  • Check that the provider is registered with the Banco de España as an authorized payment institution or electronic money institution. The public registry is searchable at bde.es.
  • For EU-regulated services, verify their authorization in their home country's financial regulator database.
  • Licensed services will always provide a clear breakdown of fees and the exchange rate before you confirm the transfer.

+Stick to regulated providers

Established services like Wise (formerly TransferWise), CurrencyFair, or your own bank's international transfer service are regulated and transparent about fees. An unlicensed service offering a "better" rate is not worth the risk.

ATM and card skimming

While less common than digital fraud, card skimming still occurs, particularly in high-tourist areas.

What to watch for

  • Loose or bulky card slots on ATMs — skimmers are physical overlays that capture your card data.
  • Tiny cameras pointed at the keypad to capture your PIN.
  • People standing unusually close while you use an ATM.

Prevention

  • Use ATMs inside bank branches rather than standalone machines on the street.
  • Cover the keypad with your hand when entering your PIN.
  • Enable transaction notifications in your bank app so you see every charge in real time.
  • If anything on the ATM looks unusual, use a different machine and report it to the bank.

How to report banking fraud in Spain

If you have been targeted or have lost money, act fast. Speed matters for fund recovery.

Reporting steps

  1. Call your bank immediately using the number on your card. Request a block on your account or card and ask about chargebacks or fraud recovery.
  2. File a police report (denuncia) at the nearest Policía Nacional station or online at sede.policia.gob.es. Bring screenshots, transaction references, and any communication with the scammer.
  3. Report to INCIBE (Instituto Nacional de Ciberseguridad) via their hotline 017 or at incibe.es. They handle cybersecurity incidents and can provide guidance.
  4. If your bank does not resolve the issue, file a formal complaint with the Banco de España's claims service (Servicio de Reclamaciones) at bde.es.
  5. Report phishing URLs and SMS to the OSI (Oficina de Seguridad del Internauta) at osi.es to help protect others.

iYour bank may be liable

Under EU Payment Services Directive (PSD2), if you did not authorize a transaction and you reported it promptly, your bank generally must refund you — unless they can prove you acted with gross negligence. Do not accept a refusal without escalating. File a claim with the Banco de España if needed.

Prevention checklist

Banking fraud prevention for expats

  • Enable transaction notifications (push and SMS) for every bank account and card.
  • Never click links in SMS or email messages claiming to be from your bank.
  • Call your bank using only the number on your card or in your official app — never use a number from a message.
  • Read every Bizum notification fully before confirming — verify whether you are sending or receiving.
  • Use strong, unique passwords for your bank app and enable biometric login.
  • Register for your bank's two-factor authentication if not already active.
  • Keep your phone's operating system updated to patch security vulnerabilities.
  • Verify any money transfer service is registered with the Banco de España before sending funds.
  • Use ATMs inside bank branches, not standalone machines in tourist areas.
  • Screenshot and save any suspicious messages immediately — they are evidence if you need to file a report.

What to do this week

  1. Open your bank app and confirm that real-time transaction notifications are turned on for all accounts and cards.
  2. Save your bank's official customer service number (from the back of your card) in your phone contacts — so you never have to trust a number from a message.
  3. Practice identifying a Bizum payment request vs. a payment receipt in the app — send a small amount between your own accounts or with a trusted friend.
  4. Check that two-factor authentication is active on your online banking.
  5. Bookmark INCIBE's reporting page (incibe.es) and save the 017 hotline number in your phone.

Related guides