VishingGuías

How to verify whether a call or text from your bank is real

Learn how to check step by step whether a message or call from your bank is legitimate using verified channels, the official app and the rule of never giving out your keys.

N
By Equipo NoCall
NoCall Editorial
31 May 202612 min read
How to verify whether a call or text from your bank is real
#banca#verificación#smishing#vishing#seguridad#RCS

If you get a call or a text from your bank and you have doubts, the rule is simple: don't give out any information, hang up or ignore the message, and verify it yourself through a channel you control. Open the bank's official app, ring the number on the back of your card and check whether there's a genuine alert. A legitimate bank never loses anything by letting you verify.

This guide isn't about explaining how the scam works (for that you have the article on vishing and the guides section). Here we get practical: how to confirm, in 2026, that a banking communication is authentic before you do anything. Because the problem usually isn't falling for an obvious con. The problem is reasonable doubt: a message that looks real, arrives at a bad moment and rushes you.

Why can you no longer trust the number or the name that appears?

For years, people relied on whatever the screen showed. If the text's sender said "BBVA" or "Banco Santander", or if a number similar to your branch's called, you assumed it was genuine. Those days are over.

The caller ID can be faked (this is what's known as spoofing) and SMS sender names can also be imitated. A scammer can make exactly the same name and number your bank uses appear on your screen. And here's the most uncomfortable detail: many phones group texts by sender, so the fraudulent message can slip into the same thread where you have your bank's real alerts. Seeing it next to legitimate messages guarantees nothing.

That's why modern verification isn't about looking at who seems to be calling, but about checking the content through an independent channel. The signal that appears on the screen is precisely what the attacker controls. What the attacker does not control is your banking app, the number on the back of your card and your common sense.

Which channels are verifiable and which aren't?

Not every channel a bank uses offers the same level of assurance. Some are designed to be checkable; others, by their very nature, never will be. Knowing the difference is half the battle.

ChannelVerifiable?What you should do
Bank's official appYes (you log in with your own credentials)It's your source of truth. Open the app and check for alerts.
RCS message from a verified senderYes (shows logo + verification badge)Trust the verification badge, not just the name.
Traditional SMSNo (the sender can be faked)Treat it as unverified. Never tap links.
Incoming callNo (the caller ID can be faked)Hang up and call the number on the back of your card yourself.
EmailNo (the address can be imitated)Don't tap links; go to the website by typing the address.
Website you're linked toNo (it could be a copy)Type the official address yourself; don't arrive via a link.

The underlying idea is simple. A channel is reliable when you initiate the contact or when the system itself shows you cryptographic proof of identity (like RCS verified sender). A channel is not reliable when someone contacts you and the only "proof" is a name or a number on the screen, because that's exactly what gets manipulated.

What is RCS verified sender and why does it matter?

RCS is the evolution of SMS: rich messages that travel over data or Wi-Fi rather than the classic telephone network. Its big advantage over SMS for this issue is the verified sender.

When a bank sends messages over RCS with verified sender, your phone shows the institution's official logo and a verification badge inside the conversation. It's not a name anyone can type: it's an identity the carrier and the messaging system have checked. BBVA, for example, rolled out a verified RCS messaging channel in early 2026 precisely so its customers could tell at a glance what's real from what isn't.

Two important nuances so you don't get overconfident:

  • The verification badge is the signal, not the name. An ordinary SMS can say "BBVA"; only the verified RCS badge gives you the assurance.
  • Not every bank nor every phone has RCS active yet. If your bank still texts you via classic SMS, don't assume the SMS is fake just because it lacks a badge; simply treat it as unverified and check via the app.

There's a regulatory change worth keeping on the radar: from June 2026, alphanumeric sender IDs for SMS and RCS (those "BANK"-style names instead of a number) will have to be entered in a CNMC registry, and carriers will block unregistered senders. That's good news, but it doesn't change your routine: until the ecosystem is clean, you're still the one doing the verifying.

How do I verify a bank text or call step by step?

This is the operational part. Memorise the sequence, because it works the same for a text, a call or an email.

  1. Don't react in the heat of the moment. The scammer's first goal is to get you to act fast: a "blocked" account, an "unauthorised charge", a "held" delivery. The rush is alarm signal number one. Take a breath. Nothing legitimate gets resolved in thirty seconds.

  2. Don't tap any link or download anything. It doesn't matter how believable the domain looks. If the message takes you to a website to "confirm" details, assume it's a copy until you verify it on your own.

  3. Don't give out keys, codes or details. Your bank will never ask you for your full password, your PIN, your card's CVV or a one-time code (OTP) over the phone or by text. That code you receive to "confirm your identity" is exactly what the scammer needs to log in or validate a transaction. Reading it out is the same as handing over the keys.

  4. Close the channel they contacted you through. Hang up the call. Don't reply to the text. Don't use the phone number that appears in the message.

  5. Open the bank's official app yourself. Open it from the icon on your phone, not from any link. If there's a real problem (a suspicious charge, a pending verification), it will show up in there, in the alerts inbox or in notifications. The app is your source of truth.

  6. If you need to speak to someone, call them yourself. Use the number printed on the back of your card or on the bank's official website (typed by you, not searched on Google where fake adverts sometimes sneak in). That way you're the one initiating contact through a channel you control.

  7. Check the sender with judgement. If it was an RCS message with a verification badge and logo, it gains a lot of credibility. If it was a plain SMS or a call, treat it as unverified by default, no matter how well written it was.

The golden rule that sums all this up: valid verification is always initiated by you, through a channel you choose. If the contact came from outside and asks you to act right there, it's not verification, it's pressure.

And if the "bank call" sounds like a real person, even someone you know?

Here a new layer from 2026 comes in: AI voice cloning. With just a few seconds of audio, an attacker can generate a voice that sounds like a convincing agent or even like a relative. INCIBE has documented cases in Spain of cloned voices used in fraud, and the defence is exactly the same as for any call: hang up and verify by another means.

A voice sounding human, confident and professional proves nothing. Knowing your name or some detail about you doesn't either: plenty of personal data circulates after data breaches. Identity isn't proven by how someone sounds, but by you confirming the transaction inside your app or by calling the official number. If you want to understand this technique better, we cover it in AI voice cloning in phone scams.

What will your bank really ask for and what won't it?

Being clear about this red line saves you most of the trouble. You don't need to know how to spot every scam; it's enough to know what it's impossible for your bank to ask you.

Your bank CANYour bank NEVER does
Alert you to a transaction in the app or via verified RCSAsk you for your full password or PIN by phone/SMS
Ask you to confirm a transaction inside the appAsk you for the OTP code it just sent you
Block a card and notify you to activate it in the appAsk you for the full card number and CVV by phone
Ask you to come to a branch or call the official numberRush you to avoid an "imminent block"
Inform you of an access attemptAsk you to install a remote control app (AnyDesk, etc.)

Pay particular attention to the last row. If someone claiming to be from your bank (or from "support") asks you to install an application to "see your screen" or "help you sort it out", just hang up. That's the classic fake tech support pattern, and giving it remote access to your device is handing over your accounts. The same applies to the tax authority or Social Security: no government body will ask you for confidential details or payments by text or call. If you receive something like that, there's a dedicated guide in how to verify a notification from the tax authority or Social Security.

What about "held parcel" texts or one-off charges?

Even if they don't carry your bank's name, many scams end up in the same place: a fake payment gateway where you enter your card details. The held-parcel hook that asks for a small payment (for example, a customs fee of a couple of euros) is after exactly that: getting you to normalise entering your card into a form you don't control. The postal service and courier companies don't send payment links by text; payments are made in their official app or at a branch.

The verification is identical to the banking one: don't tap the link, go to the official tracking yourself by typing the address, and if they ask you for card details to "release" something, it's fraud. You'll find the details in parcel scams: the fake Correos text and, if the hook comes in the form of a QR code, in quishing: QR codes and links in texts.

How do I confirm whether a number that called me is suspicious?

A very handy tool even before you return a call or take a message seriously: check the number in a community database. In the NoCall directory of reported numbers you can search for a phone number and see whether other people have flagged it as fraud, bank impersonation or spam, along with their comments.

It's not foolproof (spoofing means a clean number can also be used fraudulently), but it adds context. If dozens of people report that same number as a "fake bank call", your doubt clears up on its own. You can also look at the dialling code to understand the origin, or check the current trends to find out which campaigns are active these days.

Learning to read these signals is a skill in itself; we explain it in how to read a number's risk signals.

What do I do if I think I've already given out some information?

If you've reached this point because you've already tapped a link, read out a code or given card details, don't panic, but act fast and in order:

  • Call your bank on the official number (back of the card) and explain what happened. Ask to block cards and transactions if appropriate.
  • Change the passwords for your online banking and for any account where you use the same key.
  • Watch your transactions over the following days and turn on transaction alerts in the app.
  • Gather evidence: screenshots of the text, the number that called, the time, what they said.
  • Report it to INCIBE by calling 017 (or 900 116 117), a free cybersecurity help service.
  • If there were charges, file a report with the Police or the Guardia Civil with the evidence.

The sooner you alert the bank, the more room there is to halt or reverse transactions. Speed here works in your favour, the opposite of during the scam.

In short: three sentences that protect you

If you take away only three ideas from this guide, let them be these:

  • The channel that contacts you proves nothing. Name, number and voice can be faked. The truth is in your app and in the number on the back of your card.
  • Your bank never asks you for keys, PIN or OTP codes by phone or by text. If they ask you for them, it's fraud, no exceptions.
  • Valid verification is initiated by you. Hang up, close the message and check through a channel you choose. The rush belongs to the scammer, not to you.

When RCS with verified sender is widespread and the CNMC sender registry is running at full capacity, telling what's real apart will be easier. Until then, your best tool is still the habit: stop, give nothing and verify it yourself.

If you've received a call or a text impersonating your bank, help others by reporting it in the NoCall directory. Every report makes it easier for the next person to recognise the fraud. And if you want to keep learning how to defend yourself, drop by our guides and the blog, where we cover every technique with the same practical approach.

Received a suspicious call?

Look up the number in NoCall before sharing data, calling back, or clicking any link.

Search a phone number or a company name (British Gas, EE and O2...) to check if it has been reported as spam.