Who This Guide Is For
This article is written for you – everyone who has ever ordered a package online, whether from Amazon, AliExpress, Temu, or a small independent shop. It is for people waiting for a birthday gift, a holiday delivery, or a business supply. It is for parents juggling online shopping for back-to-school season, for professionals who rely on deliveries for their work, and for anyone who receives a text message about a shipment and does not think twice before clicking.
You are not a cybersecurity expert. You probably do not spend your days analyzing the legitimacy of every SMS that lands on your phone. And that is precisely what the criminals behind this scam are counting on.
Over the last 18 months, smishing attacks in Spain have skyrocketed. Statistics compiled from cybersecurity incident reports show that Correos is now the most frequently impersonated entity in the country, accounting for 43% of all SMS phishing campaigns. These attacks are not rare or isolated. They are a daily reality for millions of people.
The scam preys on a simple psychological vulnerability: when you are expecting a package, you want to see that it is on its way. The criminals know that. They build their entire operation around that moment of anticipation. And when you are tired, distracted, or in a hurry, the split second you click that link could be the moment you lose access to your money.
This guide will show you exactly how the scam works, walk you through the real stories of people who have lost thousands of euros, and give you the simple, expert-backed habits that will protect your bank account forever.
How the Scam Actually Works: A Step-by-Step Breakdown
The attack that security researchers at Antiphishing.biz recently intercepted uses a now-classic smishing pattern with a dangerous twist. It targets sellers on classified ad platforms like OLX, Vinted, or Wallapop, but the same technique is also used against anyone who has ever received a package.
Step One: The Hook – A Message That Feels Urgent
It starts with an unsolicited text message. The sender appears as “Correos” or “Correos Express.” The message tells you that your package is being held or that delivery has failed. It might say that an address is missing, that customs fees are unpaid, or that a small payment is required to reschedule the delivery.
The amounts mentioned are deliberately small – often less than three euros, sometimes as low as 0.27 or 0.80 cents. The criminals know that a small amount does not trigger suspicion. You think, “It is only a couple of euros. If it is a scam, I have not lost much. If it is real, I need my package.” That is exactly the trap.
The message usually includes a deadline. “You have 24 hours to claim your package.” “Your package will be returned to sender in 48 hours.” This manufactured urgency is the criminals’ most powerful weapon. When you are afraid of losing a package you have been waiting for, you stop thinking clearly. You stop looking at the web address. You just want to solve the problem as quickly as possible.
Step Two: The Trap – A Website That Looks Exactly Like the Real One
If you click the link, you are taken to a webpage that has been carefully designed to mirror the official Correos website. The same colors. The same logos. The same fonts. The same layout. The criminals have copied everything that makes the real site feel familiar and trustworthy.
Threat Intel: This deceptive layout was detected, analyzed, and contained firsthand by the
Antiphishing.bizsecurity team during our automated link scanning workflows. To protect the public, the phishing source domain has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

But look closely at the address bar. The official Correos website is . The fake page in the intercepted attack used a domain that looked almost correct at first glance: correos.es. That is not Correos. That is a domain that the criminals registered specifically to trick you.correos.compr-verif.digital
They know that most people glance at the first part of the address – “correos” – and assume the rest is fine. It is not fine. The extra words, the hyphen, and the ending are all screaming red flags. But when you are in a hurry, you may not notice..digital
Step Three: The Theft – A Request for Everything That Should Never Be Shared
The fake website asks you to enter your personal information: your full name, your address, your phone number. Then it asks for your credit or debit card details – the full number, the expiration date, and the CVV code. Finally, it may ask for the one-time SMS verification code that your bank sends to your phone.
Here is what the criminals are doing. They are not interested in the small payment you think you are making. They are collecting every piece of information they need to take control of your bank account. With your card details and the SMS verification code, they can authorize large transactions, transfer money to accounts they control, and drain your available balance before you even realize something is wrong.
Once you submit that information, the criminals have what they need. The fake page may thank you and say your package will be delivered soon. But no package is coming. The only thing that will arrive is a series of unauthorized charges on your bank statement.
Two Real Stories That Will Make You Think Twice
These are not scare tactics. These are the actual experiences of real people who fell for this exact scam.
A Client Lost €4,200 in Less Than One Hour
A client of the law firm Sanahuja Abogados Penalistas, based in Valencia, received an SMS that appeared to be from Correos. The message informed her that her package was being held because customs duties of €1.95 had not been paid.
The amount was tiny. The message felt real. She was expecting a package. She clicked the link, entered her card details, and completed what she thought was a routine payment.
Within twenty minutes, the criminals behind the scam had used her information to make three online purchases and two wire transfers. The total loss was €4,200.
Her lawyer, Juan Antonio Signes García, explains that the small payment is just the bait. “What the victim does not know is that she is not paying two euros – she is handing over the keys to her bank account. With the card data and the verification code, the criminals can operate in minutes. By the time the bank alerts you, it is already too late.”
Victims in Madrid Found Unauthorized Charges After Falling for the “Failed Delivery” SMS
In December 2025, a wave of smishing attacks swept through Madrid. Criminals sent thousands of text messages claiming that a delivery had failed and that a small payment – usually less than three euros – was required to reschedule the shipment.
The pattern was consistent across all the attacks: an SMS about a failed delivery, a link, a fake website asking for card details, and then a small payment to “reprogram” the package.
When victims checked their bank accounts later, they found charges they did not recognize. Some had fraudulent purchases made on foreign commerce websites. Others received a second message demanding another small payment to complete the “validation.” The criminals kept coming back until the victims’ cards were empty.
The attacks were reported across multiple districts in Madrid, including Lavapiés, Chamberí, Salamanca, and Tetuán. The criminals have since expanded their methods to include automated phone calls and voice messages that mimic customer service agents, pressuring victims to confirm their personal information over the phone.
The Seven Red Flags That Give Away the Fake Message – Every Single Time
You do not need to be a cybersecurity expert to spot these scams. You just need to know what to look for. Here are the seven signs that a message about a package is fraudulent.
Red Flag One: The Message Creates Panic with a Deadline
“Your package will be returned in 24 hours.” “Immediate action required.” “Payment needed to release your shipment.” These phrases are designed to make you act without thinking.
Real delivery notifications are informative. They tell you when your package will arrive. They do not threaten you with deadlines or demand immediate payment. If a message tries to rush you, that is your signal to stop entirely.
Red Flag Two: The Message Asks for a Payment by SMS
No legitimate delivery company – not Correos, not SEUR, not DHL, not FedEx – will ever send you a text message asking for your credit card information or demanding a payment for customs fees or delivery rescheduling. These transactions, if they are legitimate, are handled through the company’s official website or app, not through a link sent by text.
If a message asks for your card number or a payment, you are looking at a scam.
Red Flag Three: The Web Address Is Not Exactly the Official Domain
The official Correos website is and correos.es. The fake site in the intercepted attack used correos.com. The difference is subtle but crucial.correos.compr-verif.digital
Before you click any link or type any information into a website, look at the browser’s address bar. Does the domain end with exactly ? Or does it contain extra words, hyphens, or unusual endings like correos.es, .digital, .top, or .info? If you see anything other than the official domain, close the tab immediately..xyz
Red Flag Four: The Link Is Shortened or Contains Random Characters
Legitimate delivery companies use clear, readable tracking links that include your specific tracking number. Scammers use link shorteners like or random character strings to hide the real destination. If the link looks strange or does not clearly show the company’s name, do not click it.bit.ly
Red Flag Five: The Message Does Not Include Your Name or a Tracking Number
Real delivery notifications are personalized. They include your name and a specific tracking number that matches a package you are actually expecting. Scammers send messages in bulk to random phone numbers. Their messages are generic. “Your package” – not “Maria’s package.” If the message does not address you by name and does not include a tracking number you recognize, treat it as fraudulent.
The criminals are casting a wide net. They are not targeting you specifically. They are targeting thousands of people at once, hoping that a few are actually expecting a package and will click without thinking.
Red Flag Six: The Message Has Spelling or Grammar Mistakes
Real companies employ professional copywriters. Their messages are polished and correct. Scammers often make mistakes. Missing accents, awkward phrasing, or sentences that feel slightly off are all warning signs.
In one common version of the scam, the message contains the phrase “Su paquete ha sido suspendido debido a que falta un número de calle.” Real speakers of Spanish would phrase this differently. The missing accent on “número” is a dead giveaway.
Red Flag Seven: The Message Asks for Your SMS Verification Code
This is the most important red flag of all. No legitimate company will ever ask you to provide the one-time SMS verification code that your bank sends to your phone. That code is for your eyes only. It exists to prove that you are the legitimate account holder.
If a website asks for your SMS verification code, you are looking at a scam. The criminals need that code to authorize a transaction. Giving it to them is like handing them your signature on a blank check.
Real Official Warnings from the Authorities
You are not alone in fighting this threat. Multiple official organizations have issued urgent warnings and created tools to help you stay safe.
Correos Has a Free Tool That Verifies Every Email
Correos has created an official Email Verifier tool to help customers distinguish real communications from fake ones. The tool is available on the company’s official website at .correos.es
Here is how it works. You copy the email address and the alphanumeric code from the suspicious message and paste them into the verifier. If the system returns an “OK,” the message is legitimate. If it does not, it is a phishing attempt.
This tool is free, it takes less than a minute to use, and it could save your bank account. Bookmark it now.
The Security Code Is Mandatory in All Real Correos Emails
Correos has stated clearly that every legitimate email they send about shipments and packages includes a secure code. If the message you received does not have that code, it is not from Correos. This is a simple, yes-or-no test. No code. No click.
INCIBE Provides Free, Confidential Advice
The Spanish National Cybersecurity Institute, known as INCIBE, has a free helpline available at 017. If you receive a suspicious message and you are not sure what to do, you can call that number and speak to a cybersecurity professional. The service is free, confidential, and available to all residents of Spain.
Official Warnings from Police and Consumer Protection Agencies
The National Police of Spain has confirmed the existence of this scam and warned that it can empty your bank account. Correos has issued repeated regional alerts about the increase of phishing attempts, emphasizing that the company never requests personal or banking information by email or text. Consumer protection organizations have also highlighted the danger, noting that the criminals keep coming back for more. Once you have provided your card details, they may attempt multiple small charges, hoping you will not notice.
Expert Advice: How to Keep Your Bank Account Safe Starting Today
The advice below comes from cybersecurity professionals, law enforcement agencies, and the official Correos security team. Following these simple rules will protect you from this scam and every future variation of it.
Rule One: Never, Ever Click Links in Unsolicited Delivery Messages
This is the single most important rule in this guide. If you receive a text message or email about a package delivery – especially one that asks for a payment or personal information – do not click any links in that message. Do not call any phone numbers in the message. Do not reply.
Instead, open a new browser tab. Type the official website of the delivery company manually. For Correos, that is . Log in or enter your tracking number directly on the official site. If there is a real issue with your delivery, it will be displayed there. If you see nothing, the message was a scam. Delete it and move on.correos.es
That one habit – typing the official address yourself instead of clicking a link – would have prevented every single victim story in this article.
Rule Two: If You Are Expecting a Package, Use the Official Tracking Number
When you make an online purchase, the seller provides a tracking number. Use that number to check your delivery status on the official website of the delivery company. Do not rely on text messages that arrive out of nowhere. The tracking number is your proof. If a message about your package does not include that specific tracking number, it is not about your package.
Rule Three: Verify Every Suspicious Message with Correos’s Official Tool
Correos has provided a free, easy-to-use tool that verifies whether a message is legitimate. Before you click any link or enter any information, take the message to the Email Verifier on the Correos website. Paste the sender address and the alphanumeric code. The system will tell you immediately whether the message is real or fake.
Rule Four: Never Share Your SMS Verification Code with Anyone
This rule is absolute. Your bank sends you a one-time SMS code to verify that you are the legitimate account holder. That code is for you and you alone. No legitimate customer service representative from any company will ever ask you to read that code back over the phone or type it into a web page that you reached by clicking a text message link.
If anyone asks for your SMS verification code, you are talking to a criminal. Do not give it to them. Hang up. Close the page. Call your bank using the official number on the back of your card to report the incident.
Rule Five: Check Your Bank Account Regularly
Set aside five minutes each week to review your recent transactions. Look for small test charges – often $0.00, $1.00, or small amounts under three euros – as well as larger purchases you do not recognize. Criminals sometimes test a stolen card with a tiny transaction before making a big purchase. If you see anything suspicious, report it to your bank immediately.
Rule Six: Enable Transaction Alerts on Your Bank Cards
Most banking apps allow you to set up push notifications or SMS alerts for every transaction above a certain threshold – often as low as one euro. Enable this feature. That way, if a criminal does manage to get your card details, you will know about the first fraudulent charge within seconds, not days, and you can block your card immediately.
Rule Seven: Use a Credit Card Instead of a Debit Card for Online Purchases
Credit cards offer significantly better fraud protection than debit cards. If a fraudulent charge appears on your credit card, you can dispute it, and the card issuer will typically remove the charge while they investigate. With a debit card, the money leaves your bank account immediately, and recovering it can be a much longer, more difficult process.
For online shopping and any situation where you might encounter a scam, a credit card is safer.
Rule Eight: If a Deal Feels Too Good to Be True, It Almost Always Is
Some variations of this scam involve offers of “lost packages” being sold for absurdly low prices – sometimes as little as €2.28. These are phishing attempts. Correos does not sell lost packages via Facebook or email. If an offer seems unbelievable, it is. Do not click.
What to Do If You Have Already Fallen for This Scam
If you realize that you have clicked a link, entered your card details, or provided your SMS verification code on a suspicious website, do not panic. But do not wait, either. Time is the enemy. Act immediately using this step-by-step checklist.
First, contact your bank or credit card issuer immediately using the phone number on the back of your physical card. Do not use any phone number from the suspicious message. Tell them that your card details may have been compromised in a phishing attack. Ask them to block the card and issue a new one. If any fraudulent charges have already appeared, report them immediately and request a chargeback. The faster you act, the more likely you are to get your money back.
Second, review your recent transactions carefully. Look for small test charges as well as larger amounts. If you see anything you do not recognize, report it to your bank. Keep a record of the transaction dates, amounts, and merchant names.
Third, change your passwords. If you used the same email address and password combination on any other websites – your bank login, your email provider, your social media accounts, your online shopping accounts – change those passwords immediately. Scammers will try the stolen credentials on other popular services to see where else they work. Use strong, unique passwords for each service.
Fourth, save all evidence. Take screenshots of the SMS you received. Capture the URL of the fake website if you still have it. Save any error messages or confirmation pages you saw. These will be useful when filing reports with the authorities and your bank.
Fifth, report the phishing attempt. Forward the fake SMS to 017, the INCIBE helpline. File a report with the National Police of Spain. If you are in another country, report the scam to your local law enforcement and to your national consumer protection agency. Your report helps authorities track scam campaigns and potentially recover funds.
Sixth, call the INCIBE helpline at 017 for free, confidential advice. The cybersecurity professionals on the line can guide you through the next steps and help you secure your accounts.
Seventh, consider filing a police report. Many victims delay reporting because they feel embarrassed or ashamed. Do not let that stop you. These criminal networks defraud thousands of people every day, including professionals with advanced training. There is nothing shameful about being targeted by a sophisticated scam. The shame belongs to the criminals.
The Bigger Picture: Why the Scammers Keep Coming Back
The Correos smishing scam is not going away. Every major shopping season – Black Friday, Christmas, the Three Kings holiday, back-to-school – the messages return. The criminals know that when people are buying more, they are also expecting more packages, and they are more likely to click without thinking.
In the 2025 holiday season, fake websites impersonating delivery companies increased by 86%, according to data from NordVPN. DHL was the most frequently spoofed brand, with a 206% increase in fraudulent pages. But Correos remains the most frequently impersonated entity in Spain, accounting for 43% of all smishing campaigns.
The criminals are able to keep operating because their campaigns are cheap to run and hugely profitable. A single successful victim can net them thousands of euros. Even if only a small fraction of the people who receive the message fall for it, the criminals still make a profit.
Correos has responded by launching public awareness campaigns, creating the Email Verifier tool, and working with law enforcement to take down fraudulent websites. The Guardia Civil has also issued warnings about scammers impersonating law enforcement to lend credibility to fake transactions.
But no amount of official action can fully protect you if you do not know what to look for. Your awareness is the final line of defense.
A Final Word
The fake Correos payment scam is a masterpiece of psychological manipulation, not technical sophistication. It uses a small, seemingly insignificant payment to lower your guard. It uses the anxiety of waiting for a package to override your better judgment. It uses your own hope that your delivery is on its way to trick you into handing over the keys to your bank account.
But the scam has a fatal weakness. It falls apart the moment you pause, take a breath, and ask one simple question: “Did I get this message out of nowhere, and is it asking me for money?”
If the answer is yes, you are looking at a scam. Close the message. Open your browser. Type manually. Check your delivery status through the official website. That extra thirty seconds will protect your account, your savings, and your peace of mind.correos.es
Correos has invested in security tools, awareness campaigns, and fraud detection. But none of it works if you click a link in a text message without checking the address first. The scammers are counting on your speed, your trust, and your hope that your package is on its way. Do not give them any of those things.
Stay slow. Stay skeptical. And always, always type the address yourself.
This attack was detected, analyzed, and contained firsthand by the Antiphishing.biz security team during their automated link scanning workflows. The phishing source domain has been completely disabled within their infrastructure to protect the public.
