Whatsapp from BBVA, the spoof that fooled a friend

man the bbva spoofs are getting way too good lately. i almost bit on one last month because it came through the same text thread as my actual 2fa codes. they make it look so official. really appreciate you sharing this because people think it will be obvious and it just isn't. seville seems to be a hotspot for this stuff right now.

this is why i basically never answer whatsapp if it is a number i do not know, even if they have the bank logo. spanish banks will almost never reach out via whatsapp for anything serious. if there is a real issue they will put a notification inside the actual app. sorry your friend went through that. hope they did not lose too much.

good on you for stopping him. 350 euros is a specific enough amount to make someone panic without it being so high that it feels impossible. the move to whatsapp is interesting because it feels more personal than a standard sms. i told my bank to disable all types of text notifications and i only use the app alerts now. it's the only way to be sure what's real.

this exact thing happened to me last month in valencia but with santander. the scariest part is that the message appeared in the same thread as my actual bank notifications. i still don't understand how they spoof the sender id so well that it bypasses the phone's security filters. definitely never click those links because the bank will almost always just send a push notification through the app instead of a whatsapp message.

is your friend using a spanish sim or his original number from home. i've noticed that my friends with us numbers rarely get these but those of us on vodafone or movistar are constantly targeted. i wonder if the local carriers are doing anything to block these spoofed accounts or if they just let it happen. it makes the whole banking experience here feel really insecure.

did your friend manage to get any of the money back through the fraud department. i heard bbva is actually pretty strict about not refunding if you gave away the sms code yourself. it is a nightmare. seville is bad for these targeted scams right now since so many expats are moving in.

this is why i keep most of my savings in a revolut or charcoal account and only leave a small amount in my local spanish bank for bills. the security features on the traditional spanish banks feel decades behind. bbva has a decent app but the way they allow these third party communications is a mess. glad your friend didn't lose his money.

it is crazy how the advice changes every few months. last year it was all about the dgt text scams and now they are targeting newcomers with bank accounts. the dnv crowd is an easy target because we are still figuring out how the system works and we are terrified of losing our residency over a bank issue. thanks for the heads up on the 3 week delay too. that is helpful to know.

i actually disagree that it was targeted phishing. these guys run scripts that send out thousands of messages a minute. since bbva is one of the biggest banks in spain, they're bound to hit a bunch of actual customers in every batch. it's just a numbers game for them. he probably just got unlucky that day at 2pm. it's less about his specific data and more about volume.

sevilla is bad for this lately. i've heard of people getting calls from what looks like the official policia number too. they tell you there is an issue with your digital nomad visa and ask for a payment to fix a filing error. basically if anyone asks for money or a login via whatsapp or a phone call, it's a scam 100 percent of the time. no exceptions in spain ever.

did your friend recently sign up for anything using his spanish phone number. i noticed a huge spike in these messages right after i registered my nie with a local utility provider. i have a theory that some of these databases aren't as secure as they should be. those numbers are gold for scammers targeting expats because they know we're often stressed about keeping our paperwork and banking in order.