WARNING: Spanish banks warn of latest email invoice scam doing the rounds

Image of what a cybercriminal could look like. Credit: Fam Veld/Shutterstock.com

Be aware that a new email scam is doing the rounds impersonating the two Spanish banks, Santander and BBVA.


Internet scams unfortunately are the order of the day. So much so that the Internet Security Office (OSI) has once again detected a new campaign involving a malicious email scam impersonating the identity of two Spanish banks, Santander and BBVA.

These emails have the usual suspicious files attached that pretend to be an invoice for a payment or a payment settlement. In reality, they are a Trojan-type malware which is being distributed.

In the case of Banco Santander, the email is sent by the user ‘fycout@gruposantander.es’ – simulating an official Santander Group account. Its subject line is ‘Confirmation – Payment notification’, in order to capture the attention of the victim and ultimately spread the malware.

Image of Banco Santander scam email. Credit: OSI

The body of the mail informs the recipient that a payment settlement letter – a zipped file that is actually malware – is attached. ‘To gain the user’s trust, it provides online security advice via a link’, the OSI explained.

These emails do not appear to have any spelling mistakes, although they lack the entity’s logos and the format is very simple.

When checking the details of this supposed letter and unzipping the file, the name of the executable (.exe) file is usually a succession of numbers and letters such as “210909836-042205-sanlccjavap0003-3991.exe”.

In the case of BBVA, the email comes from the account ‘confirming.bbva_bbva@accitraf.com’ – again simulating an official bank account. The subject line is ‘BBVA-Confirming Facturas Pagadas al Mencimiento’ (BBVA-Confirming Invoices Paid on Maturity).

Image of BBVA scam email. Credit: OSI

‘The format of this e-mail address is very different from the one used by the bank. The domain has no connection with BBVA, which may give us a clue that it is not genuine’, explained the OSI.

There are no spelling mistakes in the body of the mail, although, as in the previous case, it lacks the logo of the entity and the format is very simple. It talks about information related to ‘invoices paid on maturity’ and attaches a compressed file, which supposedly contains the invoice.

This e-mail also tries to gain the user’s trust through security advice. It reminds them which data should not be provided by this means, as well as using formal warnings that are common in many entities, which talk about the privacy and confidentiality of the attached data.

After downloading the malicious file and unzipping it, you will see a name like ‘InvoicesPaidOnDue.PDF.vbs’ – although it may look like a PDF file at first glance, it is actually a Visual Basic script (code tool), as reported by larazon.es.


Thank you for taking the time to read this article. Do remember to come back and check The Euro Weekly News website for all your up-to-date local and international news stories and remember, you can also follow us on Facebook and Instagram.

FacebookTwitterRedditWhatsAppTelegramLinkedInEmailCopy Link
Go Back
Written by

Chris King

Originally from Wales, Chris spent years on the Costa del Sol before moving to the Algarve where he is a web reporter for The Euro Weekly News covering international and Spanish national news. Got a news story you want to share? Then get in touch at editorial@euroweeklynews.com