THE VICTIM'S TESTIMONY
Natalia Fuentes, a 28-year-old shoe store owner in Salamanca, spends her workday engaged with clients via phone and social media. With over 40,000 followers on TikTok, she frequently handles digital transactions, making her susceptible to scams, such as the smishing incident she narrowly avoided.
“It's a good thing I didn't call the phone number in the message, because if you do, they pretend to be the bank, they ask for your information and codes, they make you nervous and by the time you realize it's too late.”
What is the Scam?
Smishing is a type of online scam wherein criminals impersonate financial institutions, companies, or public organizations via text messages. Their goal is to collect private information such as passwords and confirmation codes, or to trick victims into making unauthorized transfers.
The Testimony of the Specialist
Daniel de la Fuente
Psychologist specialized in cybersecurity
According to the National Cybersecurity Institute (INCIBE), smishing is the most reported scam in Spain, with 25,133 cases documented in 2025. The actual number may be higher due to victims' reluctance to disclose their experiences out of shame. Daniel de la Fuente explains that fear of judgment leads many victims to hide their mistakes, perpetuating the cycle of deception.
“We go on autopilot and in multitasking mode, so we don't stop to reflect and we fall into smishing.”
Scammers craft messages to elicit automatic responses from victims, utilizing various psychological mechanisms that provoke intense emotions, thus reducing critical thinking. De la Fuente elaborates on the vulnerabilities criminals exploit:
The Psychological Gears of the Scam
Authority
Scammers often impersonate legitimate institutions, such as banks or official agencies.
Familiarity
Victims tend to pay more attention to communications from entities they consider important.
Fear
Scammers instill fear of losing something valuable if their requests are ignored.
Coherence
Initial requests are simple, gradually leading to more complex demands, including sharing personal information.
Social Proof
Victims often don't share their experiences, preventing wider awareness of the risks.
De la Fuente emphasizes that scammers do not choose victims randomly; they aim for those awaiting communications from reputable institutions, particularly during high-activity periods like tax season or major sales. He advises: “If you receive unexpected communication, take a moment to reflect before responding.”
Don't Forget
“If you receive a communication with a request that you did not expect, do not respond quickly; give yourself a moment to reflect.”
The Testimony of the Cybersecurity Expert
Laura del Pino
Head of Information Protection and Security Culture at BBVA in Spain
“The best protection against fraud begins with a security pause. If in doubt, always verify through official channels.”
How to Protect Yourself from ‘Smishing'
Before responding to communications from banks or companies, consider the following precautions:
01
Distrust Urgency: Delete messages that urge you to act quickly, whether by clicking a link or calling a number.
02
Beware of Requests for Personal Data: Reputable banks will never solicit sensitive information via text messages.
03
Avoid Using Provided Contacts: Never call suggested numbers or click links in suspicious messages.
04
Exercise Caution: Take your time to verify communications via official channels:
- Official app.
- Website accessed directly through the browser.
- Commonly used phone numbers.
05
Verify Before Trusting: Be alert, as criminals may misuse personal information to seem credible.
06
Confirm Authenticity: Institutions like BBVA implement verification systems to help customers confirm the legitimacy of communications.
Credits
Drafting: Claudia Vila and Javier A. Fernández
Editorial coordination: Juan Antonio Carbajo and Francis Pachá
Design: Juan Sanchez
Development: Rodolfo Mata
Product coordination: Adolfo Domenech
