What is vishing: how to spot phone scams in Spain
Vishing (voice + phishing) is one of the most dangerous and common phone scams in Spain. Criminals pretend to be your bank, Correos, or Social Security to steal personal data and money. The NoCall community has flagged more than 1,805 numbers linked to spam and scams, with 0 reports today alone.
How does vishing work?
Vishing is a form of social engineering. Scammers research victims beforehand (data breaches, social media, or bought marketing lists) and call with partly real information to win your trust. The goal is to get data they do not have yet: passwords, SMS verification codes, or card details.
They often use caller ID spoofing so your phone shows your bank's real number. That makes the scam especially hard to spot.
Common vishing tactics in Spain
Fake bank call
They say there is a suspicious charge or unauthorised access to your account. They ask you to "verify your identity" with your password, PIN, or SMS code. In reality they use that code to authorise a transfer from your account.
Example: "Hello, we are calling from the security department of [bank]. We detected a suspicious transaction of €1,200. To cancel it, we need you to confirm the code we just sent by SMS."
Fake Social Security / tax authority
They impersonate Social Security or the tax agency. They mention a pending refund or a problem with your benefit and ask for bank details to "process the refund" or "regularise your situation".
Example: "We inform you that you have a €325 refund pending from Social Security. To process it, we need your bank account number."
Correos / parcel scam
They say a parcel is held at customs and you must pay a fee. They send a link or ask for card details by phone. Correos does not collect fees that way over the phone.
Fake tech support
They claim your router, PC, or internet line has a problem. They want you to install remote-access software or give access to online banking. Movistar, Vodafone, and other carriers do not call customers like this out of the blue.
"Relative in trouble" call
Someone pretends to be your child from a new number, saying they lost their phone and need money urgently. Always verify by calling your relative on a number you already trust.
How to protect yourself from vishing
1. Be wary of urgency
Scammers create pressure so you cannot think clearly. No legitimate process requires an instant phone decision. If they rush you, treat it as a red flag.
2. Never give sensitive data by phone
Your bank will never ask for passwords, PINs, SMS codes, or full card details by phone. No public body will ask for banking data that way either. If they do, it is vishing.
3. Hang up and call back yourself
If you have doubts, hang up and call the organisation's official number (from its website or your card). Do not use the number they gave you on the call or the number on your screen — it may be spoofed.
4. Check the number on NoCall
Search our database with more than 1,805 identified numbers. If the number was already reported as a scam, you will see it right away.
5. Turn on automatic blocking
With the NoCall app, numbers reported as vishing by the community can be blocked automatically on your phone — you may not even receive the call.
Protect yourself from vishing with NoCall
Automatically block numbers linked to phone scams before they reach you.
Download NoCallIf you fell for vishing
- Contact your bank immediately. Block compromised cards and accounts. Ask to reverse any fraudulent transactions.
- Change your passwords. If you shared online-banking or other credentials, change them at once from a trusted device.
- Report to the police. Go to a Policía Nacional station or Guardia Civil post with details: caller number, time, what they said, and what you shared.
- Call 017 (INCIBE). Spain's national cybersecurity helpline is free and confidential and can guide you on next steps.
- Report the number on NoCall. Your report helps protect others who might get the same call.
Check a suspicious number
Did you get a suspicious vishing call? See whether the number was already reported: