Phishing emails are still one of the tools cybercriminals use most to defraud customers of financial institutions.

To create these fraudulent emails, cybercriminals use social engineering techniques to impersonate financial institutions. These emails are increasingly sophisticated and difficult to distinguish from legitimate ones. That's why it's so important to learn how to analyse them and detect possible attempts at fraud.

Generally, the messages contained in the emails instruct the user to carry out an action relatively urgently, such as clicking on a link or opening an attached document, in order to solve a problem or to receive payment of a certain amount.

The objective is to persuade the victim to access a false page designed to look like that of the bank, but controlled by the criminal, by clicking on the link. When they do so, the criminal can collect their bank credentials and details, with all the risk that this entails.

The information they may be looking for includes:

  • The identifier and PIN for accessing online banking.
  • Details of bank cards.
  • Mobile phone number.
  • The security codes needed to sign transactions, such as those printed on your coordinates card and those sent to your mobile phone.

How does this phishing attack work for CaixaBank customers?

Currently, one of the phishing campaigns that most affects CaixaBank customers is the one that requests the details of customers' coordinates card. The victims are customers who do not yet have the CaixaBank Sign electronic signature tool and still operate with the codes on the coordinates card.

To obtain this information fraudulently, the cybercriminal shows the victim various screens with a design very similar to that of the financial institution's web page, and asks them to enter all their details.

The victim receives an email with a link. When they click on it, they will find a fake website that looks very similar to the CaixaBank website, telling them to enter their online banking login details.

Once you have entered them, you will be asked to enter each of the coordinates on your coordinates card, or to provide a photograph of the card.

Then, you are asked for your mobile phone number or the 6-digit code sent to it.

With all this, the cybercriminal has everything they need to make a transaction: the identifier and PIN to access online banking, all the details of the coordinates card and the security code sent to the customer's phone before signing the operation through online banking.

How can you avoid becoming a victim of this and other similar scams?

Remember that CaixaBank will never request bank information or credentials via email, SMS or other digital channels. If you receive any such notification, be wary, analyse the email carefully and don't click anything if you can't be sure it's legitimate.

If you do not have the CaixaBank Sign signature tool yet, download the application to set it up. CaixaBank Sign replaces the coordinates card, so you can make fully secure online transactions. Once you have set up CaixaBank Sign, we will disable your coordinates card and the service will only work through your mobile.