Phishing is one of the most common techniques used by cybercriminals to steal personal and financial data. With the help of social engineering techniques, cybercriminals impersonate the identity of known companies, people, brands or services to try to deceive their victims. Their ultimate goal is most commonly money and/or sensitive information, usually obtained by infecting a device through the downloading of malware.

Over the years, hackers have evolved and perfected their methods of deception, creating phishing emails that are increasingly sophisticated and difficult to detect. For this reason, users must learn to recognise the signs that cybercriminals may give in order to avoid their trap. 

When we receive a new email, we must ask ourselves the following questions:


1. Is this message suspicious?

To deceive their victims, cybercriminals may create emails that inspire confidence or curiosity by imitating the identity of a bank, a video streaming platform or simply by writing an attractive message that encourages you to click on a link or file. 

Although the sender is apparently known and/or the message is very tempting, unexpected e-mails or replies that we have not requested should not be trusted.


2. Who is sending this email?

It is essential that we analyse the sender's email address in detail and not rely solely on the name it shows us. You must always check the domain name: if the email is from an official entity or service provider, it is very likely that corporate email addresses will include a unique corporate domain. Receiving a message from a generic domain such as gmail or outlook is suspicious.

Cybercriminals may also create domains that at first sight seem genuine, but if you look closely are subtly different to the real domain. For example: caixabank.com is genuine, but caixabanc.com is not. This is why it is necessary to confirm that the incoming email address includes the official domain of the company in order to not be fooled by small changes that are sometimes almost imperceptible.

In any case, if the domain of the email seems legitimate but the content of the mail seems suspicious, it is always advisable to contact the sender by another channel (by telephone, for example) to confirm the legitimacy of the email before clicking on any link or attachment that it may contain.


3. Is it an urgent request?

Creating a sense of urgency is a common tool used by hackers. Messages such as "Your password has expired. You have 24h to change your access passwords..." push a victim to make a quick and hasty decision. 

In addition to haste, a need for confidentiality is also widely used in this type of scam. Messages like "Please don't tell this to anyone. It is a secret and confidential matter. I trust you... " seek to dissuade victims from carrying out relevant security checks and from confirming the request with someone. In the case of urgency or secrecy in a message, it is always necessary to contact the sender via another channel to verify that the email is legitimate.


4. Who is the email for? 

Phishing campaigns are generally targeted at hundreds of thousands of people around the world. It is therefore common for them not to include the personal data of potential victims and to use generic terms such as "friend," Dear customer" or "Good morning", without using the name of each individual. 

However, hacking techniques are improving and it is increasingly common to find phishing aimed at specific victims, as in the cases of CEO Fraud and Invoice Fraud.

For this reason, even the sender knowing the user's name is not proof of legitimacy.

5. Is the link legitimate? 

If the email contains a link, you need to check where it leads to before clicking, as this could be a trap. We must analyse the website address or URL to see if it is known. How to do this?

Passing the cursor over the link without clicking it allows you to see the website address and check whether it is familiar or not. This appears in a small pop-up window and at the foot of most internet browsers. If the address to which the link is directed does not correspond to the one indicated in the message, it could lead to a malicious website.


6. Is the message well written?

A company or other entity sending a message with poor phrasing or spelling is an alarm signal that indicates a possibly fraudulent email.

Phishing campaigns are sometimes carried out from abroad and are intended to attack people of various nationalities. Cybercriminals therefore translate their messages into several languages, sometimes with many errors due to the use of machine translation.

Poorly constructed sentences, overly literal translations, words with strange symbols or semantic errors are clues that we might be dealing with scammers. But there are also many cases of perfectly written phishing emails. Any type of text, whether well-written or not, is able to conceal an attempt at fraud. 

7. If you're still not 100% sure...

It is possible that even if all the elements of the email are analysed you still cannot be 100% sure of its legitimacy. Phishing is increasingly sophisticated and sometimes it is very difficult to distinguish fraudulent emails from legitimate ones.

In these cases, the authenticity of the sender must be confirmed through another channel. In other words, if you receive a suspicious email from a company or individual, it is advisable to contact them by telephone to check that the communication is real and legitimate. 

Are you sure it is CaixaBank contacting you?

Although companies are always investing more in new and better cybersecurity measures, users must learn to recognise the threats lurking in the digital world. We can all be the target of cybercriminals, including banking service users. 

For example, as a user of CaixaBank Sign, you may receive an email or fraudulent text message from a cybercriminal with a subject like "There is a problem with your CaixaBank Sign." 

If you do not analyse such an email by using the security steps outlined above, you risk clicking on a fraudulent link, which may result in you transferring your access passwords to cybercriminals.  

In any case, to carry out transactions and other operations, we will always ask you for a second security code, either a code from your coordinates card or a code we send to your phone by SMS. Remember that this code must never be shared with third parties.