Digital fraud in Spain

Digital fraud: what it is, the most common types and how to protect yourself in Spain

Digitalisation isn't the future – it's already part of our daily lives. Working, keeping in touch with our loved ones, doing the shopping… a large part of our day-to-day activities takes place online. This has brought us great benefits, but also some risks, such as cybercrime.


Key points about digital fraud

  • Digital fraud uses technology to manipulate someone to gain an illegitimate financial advantage.
  • Cybercrime has risen by 500% in eight years.
  • The main types of digital fraud are phishing (via email), smishing (via text message) and vishing (via phone call).
  • To avoid digital fraud, it is important to be wary of urgent messages claiming to come from your provider, to verify the sender and never to share sensitive data.

Digital fraud is not a minor issue. It is a real risk that can have a very negative impact on individuals, businesses and institutions. Understanding what it is and how it works is essential to being able to prevent it and knowing what to do if you are affected by this cybersecurity issue.

What is digital fraud and why is it on the rise?

Digital fraud is an unlawful act in which technological means are used to deceive or manipulate a user, a system or an organisation with the aim of obtaining an illegitimate financial gain. The National Cybersecurity Institute (INCIBE) links it to social engineering, which involves manipulating people into carrying out an action without them realising that they are being deceived. Fraudsters can thus obtain protected information that allows them, for example, to access someone's bank accounts.


Cybercrime accounts for 20% of all crime in Spain. Between 2016 and 2023 it grew by 500%, according to the Interior Ministry's Crime Statistics, revealing a worrying trend for which we must be prepared.

Most common types of digital fraud in Spain

Not all forms of digital fraud share the same characteristics. Depending on the medium through which they occur, they have different implications and consequences. The most common forms in Spain are phishing, smishing and vishing. Read on to understand the differences between them.

Phishing: email fraud

Phishing is a key tool for cybercriminals, often serving as the starting point for digital fraud. Its name is a play on the English word 'fishing', which aptly illustrates the mechanics of the scam: fraudsters cast a mass 'line' in the form of an email in which they pretend to be someone they are not. They usually pose as organisations the user trusts such as their energy supplier, their bank or the tax office.


The email usually appeals to a sense of urgency, fear or the promise of an immediate reward, which lowers the recipient's mental defences. Phishing messages warning of an alleged unpaid bill, an account freeze or a pending refund are common, and they include a link that redirects the user to a fake website mimicking that of the legitimate company.


The key to the success of these scams lies not in a technical failure of security systems, but in the psychological manipulation of the user. When the victim clicks on the fraudulent link and enters their login credentials or bank details, believing they are resolving a genuine problem, they are handing over their confidential information directly to the attackers. What’s more, in the age of generative artificial intelligence these attacks have become far more sophisticated, making it extremely difficult to distinguish a fake message from a genuine one.

Smishing: SMS messages that blend in with those from your provider

With smishing, the fraudulent communication takes place via SMS. Cybercriminals exploit the fact that users often associate this type of message with legitimate and urgent notifications from their utility provider, bank or courier company, amongst others. The scam often involves alarming the victim with messages such as "Suspicious access to your account has been detected, check it here", or "Your bill is overdue; avoid service disconnection via this link". The most dangerous aspect of smishing is that scammers sometimes manage to slip their fake messages into the same conversation thread on the user's mobile phone as genuine messages from the impersonated company, which leads the victim to trust them.

Vishing: fraudulent calls

Vishing takes place via a voice phone call (the term is derived from the words 'voice' and 'phishing'), which allows for a much more direct, human and persuasive form of contact. The criminal calls the victim, posing as a telephone operator, a support technician or a security officer from their bank, for example. Sometimes they tell the user that fraud or an unauthorised charge is taking place on their account at that very moment. They then capitalise on the fear and anxiety this alarming situation may cause and guide the victim step by step into revealing their login details or the one-time verification codes they have just received on their mobile, with the aim of stealing their money.

How to avoid digital fraud: step by step

Follow these steps to avoid falling victim to digital fraud:

Secure passwords

Set strong passwords that only you can remember.

Two-factor authentication

Add an extra code to prevent unauthorised access, even if your password is stolen.

Be wary of urgency

If a message claiming to be from your provider puts you under pressure, be suspicious.

Check the sender and any links

Check who is sending you a message and where a link takes you before clicking on it.

Don't share sensitive information

Never share passwords, bank details or verification codes.

Contact your company

If you have any doubts, contact the genuine company to verify the authenticity of the messages.
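
The urgency, sensitive-data and link checks from the steps above can be automated for a help desk or mail filter. The sketch below is an added example, not code from Iberdrola España; the provider.example domain, the keyword lists and the links appended to the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder for the domains the genuine provider really uses.
KNOWN_DOMAINS = {"provider.example"}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|frozen|disconnection|"
                     r"suspicious access)\b", re.I)
SECRETS = re.compile(r"\b(password|verification code|bank details)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

# The first two texts are the article's smishing examples; links are constructed.
SAMPLES = [
    "Suspicious access to your account has been detected, check it here: "
    "https://provider.example.account-check.example/login",
    "Your bill is overdue; avoid service disconnection via this link "
    "https://provider.example@pay-now.example/bill.",
    "Your March bill is ready in your customer area: "
    "https://www.provider.example/bills",
]


def link_host(url):
    """Host the link really leads to, ignoring any 'user@' prefix."""
    try:
        return (urlsplit(url.rstrip(".,;:!?)")).hostname or "").rstrip(".")
    except ValueError:
        return ""


def host_is_known(host, known=KNOWN_DOMAINS):
    """True only for a known domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in known)


def triage(message, known=KNOWN_DOMAINS):
    """Return the warning signs found in one email or SMS body."""
    signs = []
    if URGENCY.search(message):
        signs.append("urgency")
    if SECRETS.search(message):
        signs.append("asks_for_secrets")
    for url in URL.findall(message):
        host = link_host(url)
        if not host_is_known(host, known):
            signs.append("unknown_link:" + (host or "?"))
    return signs


if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text) or "no warning signs", "<-", text)
```

Both flagged links contain the provider's name, yet the host that actually receives the request belongs to someone else, which is why the comparison is made on the parsed host rather than on the visible text of the link.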

How to spot an attempt at digital fraud impersonating Iberdrola España

Iberdrola España has a zero-tolerance policy towards digital fraud. Our priority is to protect our customers from any scams that may be carried out in the company's name. To this end we implement the following measures:

Secure communications

We will never ask you for personal details via email or SMS.

Secure passwords

Access to My Customer Area and the Customer App is password-protected.

Secure payments

Bill payments follow the secure PSD2 protocol.

Two-factor authentication

For key processes we verify your identity twice to prevent any fraud.

If you notice any activity that you suspect may be fraudulent, you can report it using this form.
