What is phishing and how does it work?

Phishing is a technique used by cyber criminals which consists of tricking people by posing as a legitimate company or service. The ultimate goal is to obtain our personal passwords, install malware on our devices or steal our money.

Cyber criminals use various channels to carry out phishing: email, SMS (smishing) or telephone calls (voice phishing or vishing). Although different channels are used to reach the end goal, the technique is always the same: impersonating trusted organisations to trick the victim into performing certain activities.

Ultimately, what cyber criminals do is throw a hook into the digital ocean to see if any of the hundreds of fish swimming there take the bait.

Why do they use the Correos image?

Correos is one of the main Spanish companies in terms of size, presence, human capital and physical and digital infrastructure. As the main parcel service in Spain, Correos has become a common target for cyber criminals to impersonate when carrying out phishing attacks, with a request for payment or to complete a delivery address in order to receive a parcel being the most commonly used ploys. 

What can I do to avoid it?

If you're not expecting a parcel and you receive a suspicious email or SMS, there's usually no doubt that it's a scam. But if you are expecting something, doubts can creep in, since cyber criminal techniques are becoming more and more sophisticated and it can be difficult to know whether the email you have received is a legitimate one from Correos.

So, whenever you receive this type of email or SMS, you should always ask yourself this very simple question: are you expecting a delivery, are you a Correos customer, or are you signed up to a Correos service? If you're not expecting any packages or deliveries, you're not a customer and you're not signed up to any services, ignore the email or SMS and delete it.

If, on the other hand, you are expecting a delivery or you are a Correos customer, you might be tempted to do what you're being asked to because you're worried that if you don't, you won't receive the package you're expecting. For this reason, it's very important to remember that Correos will never ask you for personal information, bank details or for you to carry out bank transactions by email or by text message (SMS).

General advice to protect yourself from fishing

  • Do not provide personal information such as bank details or passwords through suspicious web pages or through links contained in suspicious emails or text messages.
  • Contact the organisation that the email or message is supposed to be from before clicking any links or entering any information. In the case of Correos, you can contact our Customer Services.
  • Never open attachments or executable files: Official entities will never send you these types of files or ask you to open them over the phone or in an email or SMS.
  • Be very wary if you're asked to make a payment: Correos never asks you to make payments through email or by SMS. 
  • Hover over links in emails without clicking them to safely check which address they direct to.
  • Look closely at the sender and the subject of the message, as they often come from domains that don't exist and the subject lines aren't very clear.
  • Look at grammar and spelling: phishing emails and text messages often have spelling mistakes, punctuation errors and poor grammar.
  • Be careful with emails or messages that claim to require immediate action: urgency is never a good sign.
  • Be very wary of emails or text messages that use special offers or deals or claim that you've won a prize draw to get you to do something.

Any questions?

Customer service in our branches

Over-the-counter services can be received by visiting any Correos branch.

Data processing

Please write to us if you have any questions about personal data processing.