Share
SCAM VERDICT

Spain bank smishing with an AI-voice callback: why the SMS now says "call us"

Short answer: a bank text that tells you to call a number about a transfer you do not recognise is a scam. INCIBE confirmed this campaign in Spain. When you call, an automated greeting pretends to be your bank, then a fake "security department", sometimes using an AI-cloned voice, pressures you into moving your money to a "safe account". Banks do not work this way. Never dial the number in a text. Use the number on the back of your card or your bank's official app.

SafeBrowz Threat Research Security ResearchJune 28, 20268 min read

Verdict: a bank SMS that says "call this number" is the new trap in Spain

This is a scam. INCIBE, Spain's national cybersecurity institute, has confirmed a smishing campaign that impersonates banks and alerts you to a transfer you will not recognise, then asks you to call a phone number "if you do not recognise the movement". Call it, and you hear an automated message that simulates the bank, followed by a person claiming to be from the bank's "security department" who reports a suspicious transaction and walks you toward transferring your funds to a so-called backup or safe account. Increasingly the voice is cloned by AI. No real bank moves your money to a "safe account", and no real bank makes you do it over the phone. Do not call the number in the text. Open your bank's official app, or call the number printed on the back of your card. Report it to INCIBE on the free line 017 and to the Policia Nacional or Guardia Civil.

The Brief

For years the standard bank smishing in Spain put a link in the text: "actividad sospechosa en tu cuenta, verifica aqui". That changed. On 7 June 2026 a new rule began requiring Spanish operators to block SMS, MMS and RCS messages sent from alphanumeric sender aliases that are not listed in a national alias registry run by the CNMC, the system designed so a "SANTANDER" or "BBVA" sender name can be verified as belonging to that brand (CNMC, cnmc.es, 2026). It is a genuinely good measure. It also pushed fraudsters to adapt.

One adaptation is to drop the link entirely and tell you to call instead. INCIBE has published an aviso describing exactly this: an SMS impersonating a bank, warning of a transfer, and giving a number to call if you do not recognise it (INCIBE, incibe.es, aviso de ciudadania). When you call, "el usuario escucha una locucion automatizada que simula ser del propio banco", an automated message that pretends to be the bank, and then a person identifying as the "departamento de seguridad" tells you a suspicious transaction was detected and gives you instructions to "fix" it. Spanish press covered the AI-voice escalation of this around 20 to 21 June 2026, with INCIBE warning that criminals now clone voices to make the call sound convincing (Moncloa, moncloa.com, June 2026). The bank name is the bait. The call-back number is the trap.

How the call-back smishing works in Spain

The chain has three stages, and each one is designed to move you off the things you can verify and onto the things the scammer controls.

Stage one is the text. It impersonates a Spanish bank, Santander, BBVA, CaixaBank, or whichever brand the run is targeting that day, and says a transfer is about to leave your account. It gives a code and a phone number, and tells you to call if you do not recognise the movement. INCIBE notes these messages often have clumsy wording and missing accents, a useful tell. Because of the new alias-registry rule, many of these now arrive from a plain numeric sender or land inside an existing bank message thread by number spoofing, rather than from a clean "SANTANDER" alias.

Stage two is the automated greeting. You call, and a recorded message imitates the bank's phone menu so the line "feels" official before any human speaks. This is theatre, built only to lower your guard.

Stage three is the human, or the cloned voice. A calm "agent" from the "security department" tells you an unauthorised transaction was detected. Notably, INCIBE warns the script often says "we will not ask you for personal or banking data", which sounds reassuring and is precisely why it works. Instead of asking for your password, the agent directs you to move your own money to a "cuenta de seguridad", a backup or safe account, to "protect" it. That account belongs to the fraudster. In the 2026 escalation, the voice itself may be AI-cloned to sound like a real bank employee, removing the accent and hesitation that used to give callers away.

The tell: your bank never moves your money to a "safe account"

This single rule defeats almost every version of the scam. No legitimate Spanish bank, and no fraud-prevention team at Santander, BBVA, CaixaBank, or any other, will ever phone you and instruct you to transfer your balance to a different account "for safety". If your bank genuinely detects fraud, it blocks the card or freezes the transaction on its side. It does not need you to push money around to protect it.

So the moment a caller, however calm, however official the line sounded, tells you to make a transfer, send a Bizum, read out a code from your banking app, or install an app so they can "help", it is a scam. The reassurance that "we will not ask for your data" is part of the act. The ask is not your data, the ask is your transfer.

๐Ÿ›ก LIVE CHECK

If the text did include a link, check it before you touch it

This newer wave often has no link at all, just a number to call, and a phone scam is not something a URL scanner can read. But many bank-smishing texts still carry a link to a fake login page. If yours does, paste it below first. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis โ†’ ยท No URL is logged to your identity.

Why the SMS suddenly says "call" instead of "click"

The shift is a direct response to Spanish policy. Since 7 June 2026, operators must block messages whose alphanumeric sender alias is not registered, and unregistered or unauthorised senders are filtered out (CNMC, cnmc.es, 2026). The aim is to stop a fraudster from sending a text that simply shows "BBVA" as the sender. It is a meaningful win against classic alias-spoofed smishing.

But a rule that hardens one channel pushes attackers toward the channels it does not cover. A phone call is not an SMS alias, so the call-back script sidesteps the registry entirely. Reporting around 20 to 21 June 2026 framed exactly this trade-off: the alias block closes part of the road, but it does not stop a synthetic voice on the other end of a call (Moncloa, moncloa.com, June 2026). This is the same logic behind voice-driven payment fraud elsewhere, like the Tikkie AI-voice payment request scam in the Netherlands, where the request to send money arrives by a convincing voice rather than a clickable link.

The 30-second check: verify on your side, not theirs

This works whether the contact is genuine or fake, because it never relies on the text or the call.

  1. Do not call the number in the text. Do not click any link in it either. Treat the number and the link as part of the scam, not a way to check it.
  2. Open your bank's official app, or call the number on your card. The number printed on the back of your bank card and the customer-service number inside the official app are the only numbers you should trust. A real fraud alert will be visible there too.
  3. If a transfer was really pending, the app shows it. Your banking app shows real transactions and any genuine security hold. If nothing is there, the text was fake.
  4. Never move money to a "safe account". No bank asks this. The instant a caller pushes a transfer or a Bizum "to protect your funds", hang up.
  5. Report it. Call INCIBE on the free line 017, keep screenshots of the message and the call log, and file a report with the Policia Nacional or Guardia Civil.

Red flags in the Spain bank call-back scam

  • A text that tells you to call a number. A bank alert that hinges on you dialling a number from the message is the core of this scam. Use the number on your card instead.
  • An urgent "transfer you do not recognise". The warning about a transfer about to leave your account exists to make you panic and call. Check the app calmly instead.
  • "We will not ask for your personal or banking data." INCIBE flags this reassuring line specifically. It is bait, because the real ask is a transfer, not your data.
  • Pressure to move money to a "cuenta de seguridad" or safe account. No legitimate bank ever instructs this. It is the whole point of the scam.
  • A voice that sounds a little too perfect, or oddly flat. AI-cloned voices can sound polished but lifeless, with no real background or hesitation. If something feels off, hang up and call your bank yourself.
  • Clumsy wording or missing accents in the SMS. INCIBE notes these texts often read awkwardly and drop accents that a real bank message would keep.

What to do if you already called or transferred

Move fast. The sooner you act, the more you can contain.

  1. Call your bank now using the number on your card. Report the fraud, ask them to block the card and stop or recall any transfer, and have them watch for further movement. Speed matters most for transfers and Bizum.
  2. If you sent a Bizum or transfer, ask about recall immediately. A very recent transfer may still be reversible if you act within minutes to hours. Your bank's fraud line can tell you.
  3. If you installed any app the caller asked for, remove it. Turn off mobile data and Wi-Fi, uninstall it, and change your banking password from a clean device. Remote-access apps let them act as you.
  4. Change your banking credentials. Update your online banking password and PIN from a device you trust, and review recent logins and beneficiaries you do not recognise.
  5. Report it. Call INCIBE on 017, and file a formal report (denuncia) with the Policia Nacional or Guardia Civil so there is an official record for your bank.

How to report it in Spain

  • INCIBE helpline 017. The free national cybersecurity line, 017, available every day of the year. INCIBE and its citizen service OSI (osi.es) can guide you on next steps.
  • Report to INCIBE online. You can also report the incident through INCIBE at incibe.es and forward the fraudulent message so it feeds the warnings.
  • File a denuncia. Report financial fraud to the Policia Nacional or the Guardia Civil, keeping screenshots of the SMS, the number you were told to call, and your call log as evidence.
  • Tell your bank. Contact Santander, BBVA, CaixaBank, or whichever bank was impersonated, through the official app or the number on your card, never through the text.

How SafeBrowz helps with this threat

Be honest about scope. The core of this scam is a phone call, and SafeBrowz scans links and pages, not the words a caller says. So the primary defence here is the human rule: never call the number in a text, and never move money to a "safe account". Where SafeBrowz does protect you is when the smishing text does include a link, which many bank-impersonation texts still do. If a message points you to a fake Santander, BBVA, or CaixaBank login or "verificar cuenta" page, SafeBrowz's 3-layer engine (Local + APIs + AI) flags it before you type anything, because it checks the domain against a 550+ brand database, not just a static blocklist. A bank name sitting on a domain that is not the bank's own is caught even if the page is brand-new. The free SafeBrowz Android app applies the same check on your phone, where these texts actually land, so a tapped link opens into a warning instead of a credential trap.

SafeBrowz works from a threat-intelligence methodology and an internal brand database. It does not collect or store your browsing history.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that checks every URL before it renders, on every page, against a 550+ brand database. Free forever, with optional Premium AI deep scan at $14.99 per year. It runs on Chrome, Firefox, and Edge, with Safari coming soon, plus a live Android app.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

See pricing and Premium features

Frequently asked questions

Is the bank SMS telling me to call a number real?

No. INCIBE has confirmed a smishing campaign in Spain where an SMS impersonates a bank, warns of a transfer you will not recognise, and tells you to call a number "if you do not recognise the movement". When you call, an automated message pretends to be the bank and then a fake "security department" pressures you toward a transfer. A real bank does not run fraud prevention this way. Never call the number in the text. Use the number on the back of your card or your bank's official app.

What happens when you call the number in the scam text?

You first hear an automated recording that imitates the bank's phone menu, which is theatre to make the line feel official. Then a person, sometimes using an AI-cloned voice, claims to be from the bank's "security department" and says a suspicious transaction was detected. They often reassure you that they will not ask for your personal or banking data, and instead instruct you to move your money to a "safe" or backup account. That account belongs to the fraudster.

Why are these scam texts now asking me to call instead of click a link?

Because of a Spanish rule that took effect on 7 June 2026 requiring operators to block SMS sent from alphanumeric sender aliases that are not in the CNMC alias registry. That makes it harder for fraudsters to send a text that simply shows "SANTANDER" or "BBVA" as the sender. So many have switched to a call-back script, since a phone call is not covered by the SMS alias rule. The rule is a real improvement, but it does not stop the synthetic voice on the call.

Is the AI-cloned bank voice a real threat?

Yes. Spanish press and INCIBE warned around 20 to 21 June 2026 that criminals are cloning voices with AI to make these bank-impersonation calls sound convincing, removing the accent and hesitation that used to give scammers away. An AI voice can sound polished but oddly flat, with no real background. The defence does not depend on detecting the voice: no real bank ever asks you to move money to a safe account, so that instruction alone marks the call as fraud.

How do I report a bank smishing scam in Spain?

Call INCIBE's free cybersecurity helpline on 017, available every day of the year, and you can also report through incibe.es and the OSI citizen service at osi.es. Keep screenshots of the SMS, the number you were told to call, and your call log, then file a formal report (denuncia) with the Policia Nacional or the Guardia Civil. Tell your bank directly through its official app or the number on your card.

I already called and was told to move my money. What should I do?

Act fast. Call your bank using the number on your card, report the fraud, and ask them to block the card and stop or recall any transfer or Bizum, which may be reversible if you act within minutes to hours. If you installed any app the caller asked for, remove it and change your banking password from a clean device. Then report it to INCIBE on 017 and file a denuncia with the Policia Nacional or Guardia Civil.

Related SafeBrowz coverage

Bottom line: in Spain, a bank text that tells you to call a number about a transfer you do not recognise is a scam, confirmed by INCIBE, and the voice that answers may be AI-cloned and posing as the "security department". No real bank moves your money to a "safe account" or makes you do it over the phone. Never call the number in a text, use the number on your card or your bank's official app, and report it to INCIBE on 017 and to the Policia Nacional or Guardia Civil. And because many of these texts still carry a link to a fake bank page, put SafeBrowz on your phone and browser so that fake login never loads before you type a password.