Unicaja tried to warn its clients by sending text messages and via warnings on its website and App. / sur

Massive phishing campaign targets Unicaja bank customers with many victims falling for the fraud

The Spanish banking group has sent out messages to warn its clients that requests for personal data or account access codes are not genuine. Some customers have already lost thousands of euros in the scam


Anyone who is a customer of Unicaja Banco in Spain will probably have received a message by SMS, online or via the app by now, telling them that the bank will never ask for details to access their account and that if they have the slightest doubt they should not provide any information.

The messages were sent out earlier this week, including several on Twitter, telling people they should ignore any communication which asks for their details, delete it and, above all, never click on a link.

The reason? Phishing again: cybercriminals are pretending to be from the bank because they are trying to gain access to clients’ accounts. Dozens of people have fallen for it, and the thieves have got away with thousands of euros.

The police say the criminals have recently been targeting all banks that offer online banking, but they have now turned their attention to Unicaja. The Office of Internet Security recently issued a similar warning about a campaign aimed at Banco Santander clients.

How it works

What the criminals are doing in the case of Unicaja is imitating the bank’s website. First, a client receives a text message on their phone, which appears among the normal messages they might receive from the bank, warning that somebody has tried to access their account. This type of scam is known as ‘smishing’. The message then says that if the client had not been trying to access the account, they should verify their identity immediately by clicking on a link.

If they do, the website they are redirected to does look just like the Unicaja one, but instead of the web address being unicaja.es, it ends in sa.com.

Next, the client receives a phone call, supposedly from the bank’s customer service department (this is known as spoofing). As the client thinks there has been an unauthorised attempt to access their account, they are likely to believe the call is genuine.

That is a big mistake, because then they are asked for their personal data or a confirmation code that has been sent to their mobile phone. That is also a clue that this is an attempt to defraud: if you receive a code to confirm a transfer that you haven’t made, do not give that code to anybody, said the bank.

Some clients who have been cheated in this way lost money directly through Bizum, because once they had given the criminals the codes, the criminals could access and freely operate the account until the bank became aware of the situation and blocked it. By then, however, in the most recent cases, several thousand euros had already been stolen.
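The look-alike address described above (a site that ends in sa.com rather than unicaja.es) can be caught by comparing the host a link really points to against the bank's domain. The following is an added example, not part of the original article and not Unicaja's code; the sample links are constructed for illustration, and the example.sa.com host is a placeholder.

```python
from urllib.parse import urlsplit

# Assumption: unicaja.es is the bank's genuine domain, as the article states.
TRUSTED = "unicaja.es"
BRAND = TRUSTED.split(".")[0]

def classify_link(url):
    """Return (verdict, host) for a link found in an SMS or e-mail."""
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url  # bare "host/path" links, common in SMS
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is lower-cased
    except ValueError:
        return ("suspicious: malformed URL", "")
    if not host:
        return ("suspicious: no host", "")
    if parts.username is not None:
        # In "https://unicaja.es@other.host/" the text before "@" is not the host.
        return ("suspicious: userinfo before host", host)
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        # Look-alike letters from another alphabet, raw or punycode-encoded.
        return ("suspicious: internationalised name", host)
    if host == TRUSTED or host.endswith("." + TRUSTED):
        # Exact match or a true subdomain; the leading dot stops "evilunicaja.es".
        return ("trusted", host)
    if BRAND in host:
        return ("suspicious: bank name on another domain", host)
    return ("unknown", host)

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://www.unicaja.es/login",
    "HTTPS://WWW.UNICAJA.ES./login",
    "https://unicaja.es.example.sa.com/verify",
    "https://unicaja.es@example.sa.com/verify",
    "https://evilunicaja.es/",
    "https://unic\u0430ja.es/",  # Cyrillic "a" (U+0430)
    "example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, host = classify_link(link)
        print(f"{verdict:45} {host}")
```

A substring test such as "does the link contain unicaja.es" would accept the third, fourth and fifth samples, which is why the comparison is made on the parsed host only.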