Catalonia’s regional police force, the Mossos d’Esquadra, has issued an urgent public warning about a sophisticated phone scam that exploits lingering public health concerns to hijack victims’ WhatsApp accounts.
In a coordinated alert with the Catalan Cybersecurity Agency (Agència de Ciberseguretat de Catalunya), officials have detailed a new fraud campaign in which criminals impersonate public health authorities to steal personal data. Though the COVID-19 pandemic has largely subsided from its peak six years ago, cybercriminals are exploiting its legacy to instil fear and manipulate potential victims.
How the Scam Unfolds
According to the warning, the scam begins with an unsolicited phone call. The fraudster, posing as an official from either Spain’s Ministry of Health or the regional Departament de Salut, informs the target that they are eligible for a new COVID-19 booster vaccine.
To establish credibility, the caller then recites personal information about the victim, such as their full name, address, or email. Authorities believe criminals obtain this data beforehand from illegal marketplaces on the dark web, where information from previous data breaches is sold. This step aims to lower the victim’s guard and make the call seem legitimate.
Once trust is established, the scammer tells the victim that, to confirm their vaccine appointment, they must read back a six-digit verification code they are about to receive via an SMS message. However, this code is not for a vaccine appointment. It is the one-time password required to register a WhatsApp account on a new device. By providing the code, the victim unknowingly gives the criminals complete control over their account.
The Aftermath of a Hijacking
After seizing control of the WhatsApp account, the criminals can then impersonate the victim to commit further fraud. A common tactic is to message the victim’s contacts with a fabricated emergency, asking for an urgent bank transfer. Exploiting personal relationships is a hallmark of many prevalent digital frauds, including the notorious ‘distressed son’ scam, which has led to numerous arrests across Catalonia.
Law enforcement agencies issued this warning as they adapt to evolving criminal strategies. Indeed, such sophisticated scams highlight the ongoing challenge of cybercrime, a key focus for police. This aligns with other public safety initiatives, such as Barcelona’s newly formed unit to tackle repeat offenders.
Official Advice: Verify and Protect
Authorities unequivocally state that neither the Ministry of Health nor the Departament de Salut contacts citizens by phone to schedule new COVID-19 booster shots. The entire premise of the call is a fabrication.
The Mossos d’Esquadra and the Cybersecurity Agency offer clear advice to the public:
- Never share SMS verification codes. These codes are a primary security feature for services like WhatsApp, banking apps, and email; never share them with anyone over the phone or via message.
- Be sceptical of unsolicited calls. Be cautious of unexpected calls from government agencies, especially if they ask for personal information or codes.
- Verify independently. If you have any doubts about a health-related communication, you should hang up and contact your trusted local Primary Healthcare Centre (CAP) directly or call the official 061 CatSalut Respon health information line to confirm the information.
Originally reported by local outlet El Caso, this renewed warning is a reminder for citizens to remain vigilant against social engineering tactics that prey on trust in official institutions.