As Spanish banks tighten fraud controls, cybercriminals are shifting tactics. Forced out of traditional digital channels, many are turning to a new favorite tool: Bizum, Spain’s popular mobile payment app.
As highlighted in our latest 2025 Digital Banking Fraud Trends in Spain report, three in 10 fraudulent payments reported by BioCatch customers in Spain occurred on the digital platform.
Once trusted for peer-to-peer transactions, Bizum is now enabling a new wave of fraud. Let's explore why criminals are targeting the platform and what it signals about the evolving landscape of digital fraud.
What is Bizum?
If you live in Spain, chances are you've used Bizum to send or receive money. The real-time mobile payment system lets users transfer funds directly to a contact using their phone number. If the recipient is already a Bizum user, the money arrives instantly through their bank’s app. If not, they receive an SMS with instructions to register and claim the payment.
Bizum is widely used for everything from splitting a dinner bill among friends to paying for secondhand items at a store. It’s fast, convenient, and seamlessly integrated with most major Spanish banks. But those same benefits also make it an appealing target for fraudsters.
Speed without safety nets
Bizum’s biggest draw is its speed. Transfers are completed in seconds, but that immediacy comes at a cost. There's no "cancel" button. Once funds are sent, they’re gone unless the recipient voluntarily returns them.
Scammers exploit this by manufacturing urgency, a classic social engineering tactic. They pressure victims into making quick payment decisions, such as placing a deposit for a rental or purchasing in-demand concert tickets. Once the payment is made, the scammer disappears.
In more advanced cases, victims receive phishing messages that appear to come from their bank or from Bizum, urging them to resolve an account issue or complete a verification. These messages often include malicious links that direct victims to fake login pages or deceptive prompts designed to initiate unauthorized money transfers.
Scammers also use Bizum to send payment requests (known as “Bizum inverso”), posing as legitimate contacts and relying on the recipient to misinterpret the request as an incoming payment. For example, a fraudster may pretend to be a landlord returning a security deposit. Believing they are receiving money, the victim approves the request, but rather than receive the deposit, the funds go directly to the scammer.
Trust, simplicity, and exploitation
Because Bizum is embedded within trusted banking apps, it carries a strong sense of legitimacy. For most people, “just send it by Bizum” feels safer and more familiar than a request via wire transfer or crypto wallet.
Its simplicity is part of the appeal. To send money, users need only a phone number. No IBAN, no waiting, no multi-step verification process. But that same simplicity also reduces friction for scammers, who can easily use fake or stolen phone numbers, set up temporary bank accounts, or trick users into sending money to the wrong contact. The combination of user trust and ease of use creates an ideal environment for social engineering and fast scams.
Scams hidden in everyday transactions
Bizum is commonly linked to scams involving fake online listings. On platforms like Wallapop, Milanuncios, or Facebook Marketplace, criminals advertise high-demand or time-sensitive items, such as smartphones, limited-edition sneakers, festival passes, or last-minute vacation rentals. Once the victim sends a deposit via Bizum to hold or buy the item, the scammer vanishes and becomes unreachable.
Tourists and expats, who may not be as familiar with Bizum, are particularly vulnerable, falling for scams during urgent rental searches or last-minute purchases.
Account compromise and cross-border crime
Many scams extend beyond basic social engineering. Sophisticated fraud operations often involve account takeovers, in which criminals compromise real bank accounts, activate Bizum without the account owner’s knowledge, and use those accounts to receive illicit transfers. This makes the fraud harder to trace and turns unsuspecting customers into money mules.
This particular tactic has cross-border implications. International scam networks may exploit compromised Spanish accounts or mule networks to move funds across borders, often laundering the proceeds through cryptocurrency or other anonymized channels.
Low stakes, high volume, and a regulatory gap
Many Bizum-related scams involve small-value payments, typically under €60. This makes them easy to execute and harder to detect.
Victims are more likely to take the risk, and small losses aren’t as frequently reported. Yet, when executed at scale, these low-stakes scams add up quickly.
Low-value transactions also often evade traditional banking fraud filters. Compounding the issue is the regulatory lag. Unlike credit card payments, Bizum transfers are considered irrevocable and voluntary, even when made under false pretenses. There’s no built-in dispute or chargeback process.
This legal gray area leaves banks limited in their ability to recover funds or assist victims, and creates a low-risk, high-reward environment for fraudsters.
Rethinking real-time fraud controls
Bizum’s growth highlights a broader industry challenge: how to maintain seamless user experiences while staying ahead of increasingly agile scam tactics. The traditional controls designed for batch-based payment systems are no longer sufficient in today's real-time, mobile-first environment.
To stay ahead, banks must evolve their fraud-prevention strategies. That includes deploying real-time transaction monitoring, leveraging context-aware authentication, and adopting advanced tools like behavioral biometrics to identify suspicious patterns, even when logins and transactions appear legitimate.
Customer education remains an important secondary defense, equipping users to recognize common red flags like urgency, impersonation, and social pressure.
As real-time payment adoption accelerates, so does the risk of real-time fraud. Forward-looking banks will be those that rethink their approach now, building security that's just as fast, adaptive, and seamless as the payments it protects.
