Online fraud and scams have evolved significantly. They no longer arrive only by email: they can appear through SMS, phone calls, WhatsApp, social media, ads, fake stores, giveaways, QR codes or profiles impersonating companies and trusted people.

Most of these scams use social engineering: they try to create trust, urgency, fear or an irresistible opportunity so that the victim acts without checking. Prevention therefore depends not only on technical tools, but also on habits and training.
In this article we will discuss...
Common types of online fraud
- Phishing: emails impersonating banks, public authorities, platforms or suppliers to steal credentials or banking data.
- Smishing: SMS messages with links to fake pages or notices about parcels, fines, refunds or pending payments.
- Vishing: calls where the attacker pretends to be technical support, a bank, a company or a public authority.
- Fake stores: websites with very low prices, incomplete legal details and payments that are hard to dispute.
- Social media scams: giveaways, investments, fake profiles, job offers or messages from impersonated contacts.
- Malware: files, apps or links that install malicious software or steal information.
Warning signs
- The message asks you to act urgently or threatens immediate consequences.
- It requests passwords, verification codes, card details, ID numbers or banking data.
- The link does not match the official website or uses a strange domain.
- The offer looks too good to be true.
- There are writing errors, poor design or incomplete legal information.
- You are asked to pay through irreversible channels or outside the platform.
- The request does not fit your usual relationship with that organisation or person.
How to avoid online scams
- Always enter by typing the official address in the browser, not from received links.
- Verify through another channel any request for payment, bank account changes or sensitive data.
- Do not share verification codes: they are personal and often allow attackers to take over accounts.
- Use unique passwords and multifactor authentication for important services.
- Be cautious with ads or messages that rely on urgency, fear or prizes.
- Keep evidence if something looks suspicious: screenshots, emails, URLs and receipts.
What to do if you have already fallen for a scam
Act quickly. Contact your bank or payment provider if financial data is affected, change passwords from official websites, close active sessions and review transactions. If a company device or account is involved, inform the internal contact so they can assess whether there is a security breach.
It is also useful to report the fraud and preserve evidence. INCIBE provides help and reporting channels for phishing, smishing, vishing, fake stores and other social engineering scams.
Recommended official sources
- INCIBE: social engineering and online fraud.
- INCIBE: what social engineering is.
- INCIBE: fraud reporting.
Conclusion
The best defence against online fraud is a combination of caution, training and verification. Before clicking, paying or sharing data, check the source, the link, the urgency of the message and whether there is a safe way to confirm the request.