The internet is fantastic… until an urgent message with an “irresistible” link pops up. I’ve seen it a thousand times: tax refunds from the tax office (“Hacienda”), held packages, “guaranteed” investments. That’s why we’ve prepared this practical 2025 guide: you’ll learn how to spot and avoid online scams in minutes, with clear signals, examples, and a step-by-step plan if you already shared any data. My mantra is simple: share only what’s necessary, don’t click through links, use unique passwords, and enable two-factor authentication. Let’s make prudence a habit.
Universal signs of a digital scam (and how to confirm them safely)
Quick checklist (what I always check):
Artificial urgency: “click now,” “final notice,” “immediate refund.”
Unreal promises or threats: magic prizes, account blocks, fines if you don’t pay.
Brand/agency impersonation: copied logos, odd domains, spelling mistakes.
Requests for sensitive data or money over insecure channels.
How I confirm in 30 seconds (without risking it):
I don’t use the links. If it claims to be from the bank, the Spanish Tax Agency (AEAT), or Correos, I open the official app or type the website by hand. “If it looks like it’s from the bank or the tax office, I don’t touch the link: I go to the official website or app.” AEAT’s own guides stress typing the address and checking the certificate.
I check the domain and the padlock (valid certificate) before entering any data. AEAT emphasizes this on its online portal.
I distrust unexpected attachments/surveys with prizes. AEAT and INCIBE recommend not opening and not responding to unsolicited messages.
Email and messaging: phishing, smishing, and vishing without taking the bait
Scammers “fish” via email, SMS, and phone calls. The recipe to shield yourself is boring… and effective:
Don’t reply to or share data in unsolicited messages. Delete and block. (Explicit recommendation from INCIBE and AEAT).
Keep your OS, browser, and antivirus up to date; this reduces vulnerabilities and filters spam. (Best practices reinforced by the FTC/INCIBE).
Enable 2FA (two-step verification) on email, social media, and banking. “Two-step verification is my daily armor.”
Common examples in Spain (and how I verify):
Banks: “suspicious activity” → I log in through the app or call the number on the official website.
AEAT: “tax refund” with a shortened link → the Agency won’t ask for credentials by email/SMS; go to the Electronic Office by typing the address and check the certificate.
Correos/parcel services: “pay €1.79 in fees” → I track the shipment from the official website without using the SMS link.
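The checklist and the Spanish examples above, turned into a small message triage as an added example (not part of the original guide): it flags the checklist's urgency phrases, shortened links, and links whose host is not the domain of the sender the message claims to be. The shortener list, the official-domain table and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: the phrases come from the checklist above;
# the shortener hosts and official domains are illustrative and incomplete.
URGENCY = ("click now", "final notice", "immediate refund")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}
OFFICIAL = {
    "aeat": "agenciatributaria.gob.es",
    "agencia tributaria": "agenciatributaria.gob.es",
    "correos": "correos.es",
}
URL_RE = re.compile(r"https?://[^\s<>)]+", re.IGNORECASE)


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)


def triage(message):
    """Return the list of warning signs found in one SMS/email body."""
    text = message.lower()
    signs = [f"urgency: {p!r}" for p in URGENCY if p in text]
    # Domains of every brand the message claims to come from.
    claimed = {d for brand, d in OFFICIAL.items() if brand in text}
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host in SHORTENERS:
            signs.append(f"shortened link hides destination: {host}")
        elif host.startswith("xn--") or ".xn--" in host:
            signs.append(f"punycode (look-alike) host: {host}")
        elif claimed and not any(belongs_to(host, d) for d in claimed):
            signs.append(f"link host {host} is not the claimed sender's domain")
    return signs


# Constructed sample messages (not real campaigns).
SAMPLES = [
    "AEAT: immediate refund of 312 EUR pending. Click now: https://bit.ly/xxxxxxx",
    "Correos: pay 1.79 EUR in fees at https://correos.es.paquete-info.example/pago",
    "Correos: your parcel is out for delivery. Track it at https://www.correos.es/",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(triage(msg) or "no signs found", "<-", msg)
```

An empty result only means none of these signals fired; the safe path is still to open the official app or type the address by hand.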
“Privacy comes first: I share only what’s necessary—and thoughtfully.” The less data you expose, the fewer darts can hit you.
Social media and marketplaces: “too good to be true” deals and trap profiles
This is where haste and excitement work against you:
Wallapop/Vinted/Marketplace: be wary of “prepayments,” off-platform shipping, and profiles with no history. If they pressure you with “last unit” or “another buyer already paid,” that’s a bad sign.
WhatsApp/Instagram: watch for impersonation (friends/celebrities), fake giveaways, and requests for SMS codes (that’s how they steal your account). Enable a PIN on WhatsApp and never share your screen with strangers. (Recent alerts from law enforcement/INCIBE highlight this vector).
“In Spain, I’m skeptical of AEAT tax refunds, marketplace ‘bargains,’ and urgent Bizum messages.” That mantra saves me a lot of trouble.
Investment, crypto, and “tech support”: the costliest scams (and how to cut them off in time)
Seven red flags before investing a single euro:
“Guaranteed” returns.
Pressure to deposit today so you don’t “miss the train.”
No regulatory documentation or supervised entity.
They contact you via social media and ask to “take it off-platform.”
They won’t accept traceable transfers; they prefer crypto or vouchers.
They ask you to install remote-control software.
No verifiable address or customer support.
Fake tech support: calls claiming to be from Microsoft/your bank to “clean a virus” or “secure your account.” Hang up, contact the official number yourself, and never install apps or grant remote access.
“I use long, unique passwords; my password manager is my lifeline.” Avoid reusing credentials across banking, email, and crypto.
Already took the bait? Act within minutes: passwords, bank, report, and recovery
Change critical passwords and sign out on all devices.
Contact your bank to block cards and transactions, and monitor activity. (INCIBE lists this as a top priority.)
Scan your device if you opened attachments or installed anything.
Monitor your footprint (search your name/email online) and exercise your rights if your data is circulating without consent.
Alert your contacts if your account was stolen to stop the domino effect.
Reporting in Spain (official channels):
National Police (at a station and via online information channels).
Guardia Civil (electronic headquarters and in-person assistance).

Conclusion
The key to staying safe is turning caution into a routine: don’t click links, verify domains, use 2FA and unique passwords with a manager, and keep your devices up to date. With more than a thousand cyber scams a day in Spain, every small barrier helps. And if something smells off, stop and verify through official channels.
Frequently Asked Questions
Check the full URL, avoid shortened links, never share data, and access the Electronic Office by typing the address and checking the certificate. If in doubt, call through official channels.
Change passwords, enable 2FA, review sign-ins, contact your bank, and scan your device. Call 017 for help (INCIBE) and file a report if there’s any loss.
At the National Police or Guardia Civil (in person or online, depending on the case). For guidance, call INCIBE 017.
It combines phishing detection, safe browsing practices, and account hardening (unique passwords + 2FA). You’ll get clear steps and support to reduce risk on email, messaging, and marketplaces.
Setup is guided and quick: we audit your accounts, enable 2FA, and tune your browser/security tools. Most users complete the essentials in a single session.
We apply a privacy-first approach: minimal data, no unnecessary logs, and clear consent. You also get ongoing guidance to keep your protections current.