A widespread phishing campaign targeting BBVA bank customers in Spain and Latin America uses high-pressure smishing tactics to steal login credentials and SMS OTP codes. Fraudulent websites mimic the legitimate BBVA portal to intercept security codes for unauthorized transactions. Users are advised to avoid clicking links in suspicious messages and to use the official BBVA app for account management.

Target: BBVA Bank Customers (Spain, Mexico, Colombia, Peru)
Threat Level: Critical (Real-time Account Takeover & OTP Theft)
Phishing Method Description
This attack uses High-Pressure Social Engineering. Victims receive an SMS (Smishing) claiming that an “unauthorized login from a new device” has been detected or that their “security account needs to be synchronized” immediately to avoid permanent blockage.
The link leads to a pixel-perfect replica of the BBVA “Banca Móvil” or web portal. The phishing kit is specifically designed to harvest:
Customer ID / DNI / NIF (Identification Number)
Access Password (Contraseña)
Mobile Phone Number
One-Time Password (OTP): The fake site prompts the victim to enter the SMS code in real-time. The attacker uses this intercepted code on the actual BBVA site to authorize fraudulent transfers or link their own device to the account.
⚠️ Red Flags to Watch For
Deceptive Domain: The official domain is bbva.es (Spain) or bbva.mx (Mexico). Phishing sites use lookalikes such as bbva-seguridad.online, verificar-acceso-bbva.net, bbva-asistencia.com, or free subdomains on firebaseapp.com.
Urgent & Alarming Tone: Language like “Acceso no autorizado detectado” or “Bloqueo preventivo” is used to bypass critical thinking.
Links in SMS: BBVA has a strict policy: they will never include clickable links in SMS messages sent to customers regarding account security or login issues.
🛡️ How to Protect Yourself
Use the BBVA App: Do all your banking, and receive your alerts, through the official BBVA app. The app uses biometric login and secure push notifications, which are much harder to phish.
The “No Link” Rule: If you receive a security alert via SMS, ignore the link. Manually type www.bbva.es (or your local BBVA address) into your browser to check your account status.
Verify the Sender: Official alerts from BBVA usually come from a registered “BBVA” sender ID. If the message comes from a standard 10-digit mobile number, it is 100% a fraud.
Immediate Action: If you have entered your data on a suspicious page, call the official BBVA 24-hour fraud line immediately: 900 102 801 (Spain) or 55 5226 2663 (Mexico).
💡 Expert Security Tip:
This is a Real-time Man-in-the-Middle (MitM) attack. The scammers are acting as a “bridge” between you and the real bank. Your SMS OTP is the final key to your money. Never enter a code on a website you reached via a link. If the bank sends you a code, read the text carefully—it often explicitly warns: “No compartas este código con nadie.”
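The red flags above (a link in a security SMS, a lookalike host containing "bbva", a free firebaseapp.com subdomain, the urgency phrases, a plain mobile number instead of a "BBVA" sender ID) can be turned into a simple triage check for incoming SMS. This is an added example, not BBVA's own tooling; the official domains, urgency phrases and lookalike hosts are taken from this page, while the sender-ID heuristic and the sample messages are constructed assumptions.

```python
# Triage of BBVA-themed SMS against the red flags above. Added example, not BBVA's
# code; domains and phrases come from the page, the sender-ID heuristic is assumed.
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("bbva.es", "bbva.mx")  # add your local BBVA domain
URGENCY_PHRASES = ("acceso no autorizado", "bloqueo preventivo",
                   "nuevo dispositivo", "sincroniz")
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
PHONE_SENDER_RE = re.compile(r"^\+?\d{9,15}$")  # plain number, not a sender ID

def hostname(url):
    """Lower-cased host of a URL that may lack a scheme."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def classify_host(host):
    """official / lookalike / free-hosting / unrelated, per the page's examples."""
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    if "bbva" in host:                      # e.g. bbva-seguridad.online
        return "lookalike"
    if host.endswith(".firebaseapp.com"):   # free subdomain hosting
        return "free-hosting"
    return "unrelated"

def triage_sms(sender, text):
    """Return (flag, detail) pairs; an empty list means no red flag found."""
    flags = []
    for url in URL_RE.findall(text):
        host = hostname(url.rstrip(".,);"))
        # Any link in a security SMS is a flag; BBVA does not send them.
        flags.append(("link", f"{classify_host(host)} domain {host}"))
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]
    if hits:
        flags.append(("urgency", ", ".join(hits)))
    if PHONE_SENDER_RE.match(sender.replace(" ", "")):
        flags.append(("sender", "plain mobile number instead of a BBVA sender ID"))
    return flags

# Constructed sample messages modelled on the campaign described above.
SAMPLES = [
    ("+34 612 345 678", "BBVA: Acceso no autorizado detectado. Verifique en "
                        "https://bbva-seguridad.online/login o sufrira bloqueo preventivo."),
    ("BBVA", "Tu codigo es 483921. No compartas este codigo con nadie."),
]
if __name__ == "__main__":
    for sender, text in SAMPLES:
        print(sender, "->", triage_sms(sender, text) or "no red flags")
```

The genuine OTP message in the second sample carries no link, no urgency wording and an alphanumeric sender, so it produces no flags; the first sample trips all three checks.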
