Massive Phishing Campaign Targets Unicaja Bank Customers and Many Victims Fall For Fraud


Unicaja attempted to warn customers by sending text messages and through warnings on its website and app. / on

The Spanish banking group has sent messages to warn its customers that requests for personal data or account access codes are not genuine. Some customers have already lost thousands of euros in the scam


Anyone who is a Unicaja Banco customer in Spain will probably have already received a text message, online or via the app, telling them that the bank will never ask for details to access their account and that if they have any doubt , it should not provide any information.

The messages were sent out earlier this week, including several on Twitter, telling people they should ignore any communication asking for their contact details, delete it and, above all, never click on a link.

The reason? More phishing: cybercriminals pretend to be from the bank because they are trying to access customer accounts. Dozens of people fell for it, and the thieves fled with thousands of euros.

Police say the criminals recently targeted all banks offering online banking services, but they have now turned their attention to Unicaja. The Office of Internet Security recently issued a similar warning about a campaign aimed at Banco Santander customers.

Warning to Santander Bank customers about attempts to steal passwords and identities

How it works

What the criminals are doing in the case of Unicaja is imitating the bank’s website. First, a customer receives an SMS on his phone, among the normal messages he can receive from the bank, warning him that someone has tried to access his account. This type of scam is known as “smishing”. The message then states that if the customer has not tried to access the account, they should immediately verify their identity by clicking on a link.

If they do, the website they are redirected to looks like Unicaja’s, but instead of the web address being, it ends in

Then the customer receives a phone call, supposedly from the bank’s customer service department (this is called spoofing). Since the customer believes there was an unauthorized attempt to access their account, they likely believe the call is genuine.

This is a big mistake, because they are then asked for their personal data or a confirmation code that was sent to their mobile phone. It is also an indication that it is a scam attempt: if you receive a code to confirm a transfer that you have not made, do not give it to anyone, specifies the bank.

Some customers who were cheated in this way lost money directly through Bizum, because since they had given the codes to the criminals, they could freely access and operate the account until the bank became aware of the situation and blocks it. At that time, however, in the most recent cases several thousand euros had already been stolen.


About Author

Comments are closed.