How to protect yourself from phishing using the Endesa name
Cybercriminals cast their nets in all types of waters, making fraudulent use of the names of banks, insurers, etc., and that includes Endesa. They want to fool you into thinking you are dealing with us so that you trust them and provide them with sensitive data. Here are the keys to beating them.
What is phishing?
The only way to protect yourself from the scammer is to know how their scams work. Phishing (a play on the word "fishing") is a 3-step scam:
1. They win your trust: cybercriminals lull you into a false sense of security by disguising themselves as a familiar brand with which you have a relationship. They copy its logos, imitate its emails and even build entire websites that resemble the originals. Their objective is to impersonate your bank, your insurance agent, your electricity company.
2. They use a good excuse: they need a reason that will make you enter your most sensitive data. It could be anything: a technical incident, a payment error, an urgent situation, etc. They usually frame it as something you should do very quickly before you get a chance to think about it.
3. They capture your sensitive data: such as your credit card number or the password for your Private Customer Area, etc.
The success of the scam depends largely on the skills of these criminals, since they are not all capable of creating a convincing lure. Whatever the case, the best way to ensure they fail is for you to be on the alert.
Most common types of phishing attacks
There are different types of phishing, each with its own characteristics and methods of targeting users. The first step to avoid falling into the trap and becoming another victim of this lurking digital threat is to familiarise yourself with them:
Email phishing
This is the most common or traditional form of phishing. It involves an attack through fake emails that appear to come from legitimate sources or organisations (banks, companies, NGOs).
The goal is to trick the user into clicking on a malicious link or providing personal or confidential information, such as passwords, banking details, or login credentials.
Spear phishing
This term refers to a targeted attack aimed at a specific individual or group within an organisation or company to gain access to sensitive information or compromise internal systems.
Spear phishing attacks are usually carried out through personalised emails that appear to come from a colleague or superior, requesting access to private documents or credentials.
Whaling
This is a variant of spear phishing, but specifically targets senior executives or decision-makers within an organisation in an attempt to steal financial information, authorise transfers, or access strategic data. (For example, fake emails supposedly from the CEO requesting an urgent funds transfer).
Clone phishing
The attacker clones a legitimate, trusted email previously received and resends it to the victim, adding a malicious link or attachment.
The goal is to exploit the user’s trust in the original email to trick them into giving away confidential information.
Pharming
This method involves a technical manipulation that redirects the user from a legitimate website to a fake one without them noticing, in order to steal passwords, credentials, or banking data.
For example, you might type your bank’s URL into the browser, but when you click, you are unknowingly taken to a fake site designed to look identical to the original. There, you’ll enter your login details, which will be captured by the attacker.
Smishing (SMS phishing)
Attacks don't just come via email; they can also be sent by text message (SMS). The goal is to trick the user into clicking on a link or replying with personal information, much like with email phishing.
Common cases include SMS messages that appear to come from shipping companies, asking you to click a link to track a package or verify details.
Vishing (phone phishing)
This threat comes through a phone call, where the attacker pretends to represent a legitimate company to verbally obtain confidential information, which they record or note down for later misuse.
Impersonating banks or other financial institutions to request confirmation of card numbers or passwords is one of the most common scenarios.
Examples of phishing using Endesa’s name
Because we are the country's main power company, cybercriminals could not resist Endesa and they have tried to use its good name to trick their victims on many occasions. They have used a variety of strategies, one of which involves orchestrating full-scale phishing campaigns. Their favourite tactic is as follows:
- A) You receive an email that appears to be from Endesa.
- B) You are informed of a payment error, and that you are entitled to a refund.
- C) You are asked to enter your name, ID and credit card information.
How to avoid phishing under Endesa's name
First of all, stay calm: Endesa constantly monitors these types of attacks and we counterattack to ensure the security of our customers' data.
The second is to systematically ignore this type of email. If you have any doubt, please do not hesitate to contact us. It is free and we will be happy to answer your questions. On the next page you will find a selection of Endesa Customer Service channels. Before you trust a strange email, or a suspicious call, get information from the authorised source: endesaclientes.com, the Endesa Customer Service page.
The third strategy is to be proactive. Why let a bunch of hackers fool you? If you are aware of your energy consumption and the status of your electricity and gas bills, that will never happen. They can't fool you if you know more than they do. That is why we encourage you to register in your Private Client Area if you have not already done so.
You can check the status of your bills (past ones and those that are being calculated), check your electricity consumption for every hour of every day, edit your contractual information such as, for example, the bank account from which your bills are paid...
Take control so that nobody controls you. Help us beat the cybercriminals.
“If you receive any suspicious emails or calls, don’t hesitate: contact the official Endesa Customer Service and we will deal with your concerns”.
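The check behind "get information from the authorised source", written out as an added example (not Endesa's code): it pulls the links from a message and reports whether each one really resolves to the official domain or only looks like it. Treating endesaclientes.com as the only trusted domain is an assumption, and the sample message and its `.example` hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Domain the page names as the authorised source (assumed to be the only one).
OFFICIAL_DOMAIN = "endesaclientes.com"
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def link_verdict(url: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official' or the reason the link should not be trusted."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "unparseable"
    if parts.scheme != "https":
        return "not-https"
    if not host:
        return "no-host"
    if parts.username is not None:
        # Text before '@' is login data, not the site: the real host follows it.
        return "userinfo-trick"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # Accented or punycode labels can imitate the brand letter for letter.
        return "non-ascii-lookalike"
    if host == official or host.endswith("." + official):
        return "official"
    if official.split(".")[0] in host.replace("-", ""):
        # Brand name present, but the registered domain belongs to someone else.
        return "brand-in-foreign-domain"
    return "foreign-domain"


def audit_message(text: str) -> list[tuple[str, str]]:
    """Classify every http(s) link found in a message body."""
    return [(u, link_verdict(u)) for u in URL_RE.findall(text)]


# Constructed sample, modelled on the refund lure described above.
SAMPLE = (
    "Endesa: payment error, you are entitled to a refund. "
    "Claim it at https://endesaclientes.com.refund.example/form "
    "or https://endesaclientes.com@pay.example/ . "
    "Your area: https://www.endesaclientes.com/login"
)

if __name__ == "__main__":
    for url, verdict in audit_message(SAMPLE):
        print(f"{verdict:24} {url}")
```

Only the last link in the sample is classified as official; the first two carry the brand name but lead to other hosts.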
What if I’ve fallen for the scam? Steps to follow
If you’ve fallen into the trap and realise you’re a victim of a phishing scam, it’s crucial to act quickly to minimise the damage and protect as much of your personal information as possible. Here’s a step-by-step guide you can follow:
- Step 1: Identify the type of attack
Check if you clicked on a suspicious link, downloaded a malicious attachment, or disclosed personal information. It’s important to first determine the type of phishing involved (email, text message/SMS, phone call, etc.).
- Step 2: Disconnect your device (if necessary)
If you downloaded an attachment or suspect your computer, phone, or tablet has been compromised, disconnect it from the Internet to prevent attackers from remotely accessing more information on your device or network.
- Step 3: Change your passwords
Promptly update the passwords for all affected accounts, starting with the most sensitive ones that provide access to confidential information (email, banking, social media). Be sure to use strong, unique passwords for each account.
- Step 4: Enable two-factor authentication
Enable two-factor authentication on all platforms, apps, and websites that support this security feature to add an extra layer of protection. Additionally, scan your device with an updated antivirus or antimalware program to eliminate any potential threats.
- Step 5: Contact those involved
If you shared or disclosed banking details, contact your bank immediately to have them block cards or accounts and monitor upcoming transactions. Cancel any existing agreements and inform them that you are revoking your consent.
If the attack involves your company, notify the IT or cybersecurity department. Also, alert your contacts so they don’t fall for the same scam.
- Step 6: Report the incident
Report the scam to the relevant authorities, such as the police, Guardia Civil (Civil Guard), CNMC (National Commission for Markets and Competition), INCIBE (National Cybersecurity Institute), the OSI (Internet User Security Office), etc.
- Step 8: Monitor your accounts
Regularly check your bank transactions, social media activity, and email over the following days to quickly spot any unauthorised access or suspicious changes to your accounts and profiles.
When we contact you through our official channels, it will always be on behalf of ENDESA ENERGÍA. Moreover, for new contracts, we will both provide and request information to ensure your security.