Lorraine Williamson
When Sarah Grace discovered she’d been conned out of nearly £100,000, it wasn’t through carelessness or greed. She had double-checked every detail — company registration, authorisation, and correspondence. Everything appeared legitimate.
Sarah is a trauma-informed hypnotherapist, EMDR coach, and author of From Shadows to Self-Love, based in southern Spain.
But the fraudsters had cloned a genuine investment company’s website. The domain looked identical, the emails mirrored official ones, and even the customer service number connected to the criminals. “I thought I was dealing with professionals,” she recalls. “In reality, they’d built a perfect fake.”
The site even cloned a real broker’s credentials from the Financial Conduct Authority’s register, a tactic now common in investment fraud.
A growing threat for expats
Sarah has lived in rural Spain for more than 20 years, having moved from the UK as a single mother seeking a new start. Like many British residents, she manages her finances online, often in English. That combination of cross-border banking and digital communication makes expats prime targets for cyber-enabled fraud.
Spain’s National Cybersecurity Institute (INCIBE) reports that online scams and phishing now account for a significant share of all cybersecurity incidents nationwide. In 2023 alone, INCIBE handled over 83,000 cases involving citizens and businesses — many linked to fraudulent investments, identity theft, or cloned websites.
The warning from INCIBE is clear: scams in Spain are becoming increasingly professional, and victims are often educated, cautious people who believe they’ve done their due diligence.
The grooming behind the scam
The criminals who targeted Sarah weren’t opportunists. They played a long game — calling regularly, sending realistic documentation, and maintaining a calm, reassuring tone. When she hesitated, they applied subtle emotional pressure: act fast, don’t tell anyone, this offer is private.
For Sarah, their tactics were chillingly familiar. Having survived 14 years of childhood abuse, she recognised the same pattern of coercion, secrecy, and control. “It felt like being groomed all over again,” she says. “They won my trust, isolated me, and made me compliant.”
From trauma to trust
People-pleasing, secrecy, and hyper-independence are common survival strategies for trauma survivors. They once protected her, but in adulthood, made it harder to question authority or ask for help. “It’s not stupidity,” Sarah explains. “It’s conditioning. Scammers know exactly which buttons to press.”
When she realised the money had gone, she lay awake through the night, numb with shock. “If it could happen to me — someone trained in trauma and psychology — it could happen to anyone.”
How to spot the red flags
Even authentic-looking operations reveal clues if you know what to watch for:
- Slight changes in website or email domains — extra letters or unusual endings.
- Pressure to act quickly with “exclusive” opportunities.
- Requests for secrecy or avoidance of independent checks.
- Shifting explanations, confusing jargon, or evasive answers.
- Unusual payment requests, especially to personal or crypto accounts.
- Emotional manipulation — charm followed by guilt or anger when questioned.
If someone urges you not to tell anyone else, that’s the moment to tell everyone.
Scam awareness in Spain: INCIBE’s advice and helpline
INCIBE runs free, confidential support for anyone in Spain who suspects a scam or data breach:
📞 017 – Cybersecurity Helpline
Available every day from 9.00 am to 9.00 pm, offering help in Spanish and English.
You can call from any phone within Spain to report fraud, phishing, or suspicious online activity.
Crypto scams in Spain and how to spot fraud before you invest