The National Cybersecurity Institute (INCIBE) and the National Police have warned of a new digital fraud campaign using the smishing technique, targeting a large number of users. Cybercriminals are impersonating parcel delivery companies by sending fraudulent text messages. In these messages, the recipient is falsely informed that there is a problem with the delivery of a parcel, usually claiming that the house number is missing from the delivery address, with the ultimate aim of stealing personal and banking details.
This fraud mainly affects those who, after receiving the SMS, click on the link provided and fill in the forms with their private information. The strategy seeks to create a sense of urgency in the user so that they provide their card credentials and make a payment under the pretext of unblocking the shipment. Therefore, the authorities strongly recommend not clicking on any suspicious links and, in case of doubt, contacting the INCIBE Cybersecurity Helpline on 017 for professional guidance.
For those who have received the message but have not interacted with it, the recommended protocol is to report the incident through INCIBE's official mailbox to help prevent new victims, block the sender, and delete the message immediately. It is essential to remember that the authenticity of any notification of this type must always be verified through official sources or the website of the courier company mentioned, checking the actual status of the order.
If the victim has already entered their details on the fraudulent website, it is vital to contact their bank as soon as possible to block cards and stop any suspicious activity. Likewise, all possible evidence of the fraud should be collected, such as screenshots and links, and online witnesses can be used to validate this evidence before filing a formal complaint with the State Security Forces.
Finally, those affected are advised to practise egosurfing in the months following the incident to monitor their presence on the internet and ensure that their details are not being circulated illegally. If personal information is found to have been published without consent, users can exercise their right to be forgotten to request the removal of such content, thereby strengthening their digital security after the attempted scam.