If you use Bizum daily to pay friends, for secondhand purchases, or in stores, you probably value its speed and convenience; that's why it's a good idea to know it well. how the most common scams operate and what signs should alert you.
Although the system is secure and complies with European regulations, criminals rely on urgency, distraction, and social engineering to convince the victim to authorize the operation; therefore, the best defense is understand how Bizum works and how to differentiate real payments from fraudulent requests.
Is Bizum secure? What the regulations and your bank say
Bizum works as an account-to-account payment method integrated into your bank's app and complies with the European payment regulations (PSD2), which requires Strong Customer Authentication (SCA) with two factors in operations that require it.
Validation is carried out by your bank according to its own security policies (PIN, fingerprint, biometrics, signature, single-use codes), so the fraud cases you see in the press do not come from system technical failures, but rather through deception that gets the user to provide data or accept requests.
If you are going to receive money, you do not need to enter your credentials or approve anything; when it is your turn to authorize, it will almost always be because you are sending money or accepting a request, so that clue is key to not taking the bait.
Signs to suspect a transaction with Bizum
Scams often start with messages or calls that demand urgent information or data; if you're going to receive a payment, remember not to enter passwords; therefore, Be wary if you are asked to validate a supposed income with keys or through an external link.
- Neither your bank nor Bizum will ask you for your account number. No SMS/WhatsApp codes; if someone does it on your behalf, cut off communication.
- Suspicion of alleged institutions (Social Security, Treasury, Post Office) requesting personal or banking information via text message or phone call.
- If you are taken to a link outside the app, don't complete anything until you confirm that the URL is legitimate; changes are made within mobile banking.
If you receive a notification in Bizum that is actually a collection request (not a payment), review it carefully and reject it if you don't expect it or don't understand it.
The most common Bizum scams and how they operate
Cybercriminals have developed several tricks; the Bank of Spain, through its Bank Customer Portal, warns of four very common strategies: false buyer, false seller, impersonation of organizations and messages from networks or messaging apps.
Reverse Bizum (the false buyer)
Very common in buying and selling (Wallapop, Vinted, etc.): the scammer says he wants your product, offers to pay by Bizum and, instead of sending money, sends you a collection request; if you accept it thinking it's the deposit, you transfer the money to him/her.
To avoid this, review each alert and check if it is an incoming payment or an shipping request; remember: to receive a Bizum you don't need to authorize anything.
The fake seller (non-existent products)
An attractive item is offered at a suspiciously low price, you are asked to pay in advance via Bizum and, after collecting payment, the seller disappears; the trick here is to combine urgency and bargains to force your payment without guarantees.
Compare prices, look for reliable reviews, and use buyer protection methods; if something is too good, probably not.
Institutional impersonation (phishing and vishing)
You receive a call or message from “Social Security”, “Hacienda” or “Correos” claiming a refund or incident; they send you a notification that, in reality, is a collection request; if you accept, you make a payment to the criminal.
The OSI (of INCIBE) has warned of calls that they supplant Social Security and, in addition, SMS messages with fake numbers urging you to return or "verify" payments; hang up and contact the institution's official channel.
Contacts through networks and messaging
A supposed friend/family member writes to you saying that they sent you money by mistake and asks you to return it with a Bizum button; in reality, you didn't receive anything and if you accept you are sending money without any counterpart.
Verify by another means before moving a euro; identity theft is common when a third party take control of an account of your contact.
Fake prizes and raffles
You receive an SMS or email saying you've won something without having participated; the urgency is the trap to get you not to verify the source; they ask you to click on a link and provide information or make a purchase. a “management” payment.
No legitimate prize rushes you or demands money upfront; do not click or provide any information and delete the message if you notice any rare spellings or strange domains.
Phishing and the role of vishing
Phishing clones your bank or service's website to steal your username and password; combined with vishing (phone call), they ask for ID and card to “cancel a charge”, but in reality they are looking for capture credentials and codes.
It is vital not to call numbers with suspicious messages, not to open links that are not from the official website, and to manage any incident from the verified app or channel from the bank.
How to differentiate a payment from a request
A golden rule: if the app asks you to authorize with a PIN, signature or biometrics for a Bizum that supposedly "comes to you", it is probably a shipping request and not an income.
If the notification is purely informative, such as “You have received X euros from Y” and does not ask you for action, then it is a a royal fertilizer in your account.
Before accepting, check the concept, name, number and meaning of the operation; taking ten seconds to review avoids most errors.
Limits and operation that are worth knowing
The limits depend on your entity, Check the maximum Bizum you can use., but there are common ranges: minimum amount per operation €0,50 and usual maximum of €1.000 by sending.
Some entities allow up to 2.000 € daily received, they set limits on monthly operations received (e.g., 60), limits on shipments or requests per month (e.g., 30) and, in certain banks, up to 150 shipping operations per month.
There is also a maximum number of recipients per operation (frequent: 30 contacts) and not all merchants are integrated yet, so it's a good idea to confirm before paying in store.
Secure online shopping with Bizum
For purchases on e-commerce and second-hand platforms, apply the basic rules: avoid suspicious websites, check reviews, and always enter through the official domain with HTTPS.
- Be wary of impossible offers and newly created profiles with no history.
- Access stores from the search engine or by typing the URL, not from links on networks.
- Please review the product name and description carefully, and read reviews from other buyers.
In purchases between individuals, avoid paying money in advance if there are no guarantees; do not authorize shipments under pressure or urgent messages that force quick decisions.
Essential preventive measures
Security starts with your phone and your habits; setting up banking and Bizum properly reduces risks and limits the impact if something goes wrong because puts limits on transactions.
Set transfer limits
Many banks allow you to set maximum daily and per transaction amounts: for example, €0,5 minimum and €1.000 maximum per shipment, €2.000 per day and €5.000 per month as frequent references.
If you rarely move large amounts, lower your limits; that way, if someone tries to abuse it, the system itself will block the excess.
Activate two-factor authentication
PSD2 already requires it, but reinforce your mobile: automatic lock, PIN or biometrics, and be careful not to share the unlocked device; every click counts. prevent unauthorized access.
Passwords and key management
Don't share your banking credentials with anyone. Use a password manager and create unique and strong passwords. Combine upper and lower case letters, numbers, and symbols to enhance your security. entropy.
Do not share data through calls or links
Don't hand over your ID, card, or codes by phone, text message, or app; verify any requests through official channels and keep your devices safe. updated and malware-free.
What to do if you think you've been scammed
Act quickly: the sooner you move your piece, the more chances you have of limiting damage; start by contact your bank and explain in detail what happened.
The entity can analyze the movement and activate protocols; although Bizum is immediate and irrevocable, sometimes speed allows limit risks and record the incident.
Report to Bizum to record the case; the system records transaction data (phone number, time, receiving entity), which serves as trail for research.
File a complaint with the State Security Forces and Corps; add everything you have: screenshots, numbers, concepts, and any details (accent, gender, city) that you can help identify to the scammer.
If you shared bank details, change your passwords and consider blocking or renewing your cards; consult the Spanish Data Protection Agency if you gave away personal information by deception.
Collect evidence without deleting anything
Save screenshots of chats (WhatsApp, email, social media), Bizum notifications, receipts, and URLs; keep entire conversations in case a backup is required. judicial comparison.
The OSI offers forms to report fraud; keeping a record helps stop active campaigns and protect to other potential victims.
Expert support if applicable
In complex procedures, an expert report can be key; computer experts analyze digital traces and economic experts assess the impact of fraud and financial patterns.
Their work is reflected in a report with legal validity, useful for clarifying responsibilities and facilitating the recovery of amounts stolen if the case reaches the court.
Real cases of vishing with Social Security
A campaign has been detected in which they call as “TGSS” to make a return, sometimes without explaining the reason; they ask to use Bizum and send a notification which is actually a collection request.
The hook usually starts with an SMS or a call asking for validation with ID and card number; that information is enough to try other chained scams.
Remember the rule: currently, no public body makes refunds through Bizum; if they offer it to you, hang up and check on the official channel of the institution.
Identify a scam attempt in time
Before trading with someone, verify their identity in your address book or by direct call; if you don't recognize the sender, don't complete the transaction until confirm your identity.
Read the notifications carefully: does it say "money request" or "received"? Check the amount, name, and account; access your bank history to check movement.
Be wary of emergencies, alleged Bizum payments sent by mistake, or sellers demanding advances; when in doubt, ask for time and check with your entity.
Disadvantages to take into account
Since it's integrated into each bank, the experience may vary; some entities are less polished or have strict limits that restrict use; payments are immediate and irrevocable, something to consider.
It also requires that both parties have Bizum and are mobile-savvy; for older or less digital people, this can be a operational barrier.
What to do if you don't recognize a payment or receive a strange one
If you detect an unknown transaction, check the details in your app and call your bank immediately; they will guide you on how to proceed. claim or block possible subsequent charges.
If you receive a Bizum from a stranger, don't move that money; it could be a mistake or part of a money laundering attempt; the right thing to do is consult with the entity and do not forward anything to third parties without verification.
FAQ
Can a Bizum payment be cancelled after it has been sent? No, the operations are instantaneous and irrevocable; if you make a mistake, consult how to override a bizum or asks the receiver to return it voluntarily.
Can I recover money from a scam? You must report it to the bank, file a complaint and provide evidence; although it is not easy, the trace of the movement and the collaboration between entities can assist in the investigation.
What are the usual limits? Minimum transfer amount: €0,50; maximum transfer amount: €1.000; many banks have up to €2.000 in receipts per day, and monthly transaction limits (e.g., 60 in receipts). 30 submissions/requests per multiple operation up to 30 recipients and, depending on the entity, up to 150 shipments per month.
How do I detect a reverse Bizum? If they ask you to authorize to “receive” money, they are actually asking you to you send a payment; rejects and confirms with the other party through a reliable channel.
Adopt verification habits, be wary of emergencies, and never share data through unofficial channels; with attention to detail, well-configured limits, and active strong authentication, the vast majority of frauds can be avoided and if they do occur, reacting quickly makes all the difference.
