Spain warns of fake health card renewal scam targeting citizens

Scam alert

by Lorraine Williamson

The Spanish Ministry of Health has issued a high-level alert after detecting a widespread phishing campaign tricking people into believing they must renew their Tarjeta Sanitaria Individual (health card). The scam, spread through text messages and emails, impersonates the Ministry and requests users’ personal and banking details.

We know how convincing this can feel. We cannot find our teenager’s health card, so we understand how easy it would be to click a link that promises a quick fix. That small, panicked moment is exactly what the scammers are counting on.


Authorities have made it clear: the Ministry of Health is not requesting the renewal of your health card. Any message claiming otherwise should be treated as fraudulent.

A convincing hoax mimicking official communication

Recently, hundreds of citizens reported receiving messages to replace their health cards as part of a supposed new verification system. These emails and SMS messages often warn of a limited time to act, suggesting users could lose access to public healthcare if they fail to respond promptly.

The messages include links to fake websites that closely mimic the Ministry’s official page. Scammers go to great lengths to appear legitimate — adding logos of regional health authorities, using official-style language, and even including a “human verification” step to enhance credibility.

However, several warning signs reveal the fraud. The Ministry logo often lacks its characteristic yellow background, and the sender’s email domain does not match the official sanidad.gob.es. Grammar errors in subject lines such as “Renovacion” (missing accent) or “Actualiza su TSI” are further red flags.
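The text-based warning signs above can be checked mechanically in a mail filter or a reported-message triage queue. The following Python sketch is an added example, not code from the Ministry or INCIBE; the function names and the sample message (with `.example` domains) are constructed for illustration, and only `sanidad.gob.es` and the two subject-line patterns come from the article.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "sanidad.gob.es"  # official domain named in the article
# Subject-line wording the article lists as red flags.
SUBJECT_FLAGS = [
    re.compile(r"\brenovacion\b", re.I),   # "Renovación" written without its accent
    re.compile(r"actualiza su tsi", re.I),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def under_official(host):
    """True only for the official domain or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # Suffix match on a label boundary, so look-alikes such as
    # "sanidad.gob.es.evil.example" or "fakesanidad.gob.es" fail.
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def triage(from_header, subject, body):
    """Return the article's warning signs found in one message."""
    findings = []
    _, addr = parseaddr(from_header)      # ignores the spoofable display name
    sender_host = addr.rpartition("@")[2]
    if not under_official(sender_host):
        findings.append(f"sender domain '{sender_host}' is not {OFFICIAL_DOMAIN}")
    for pat in SUBJECT_FLAGS:
        if pat.search(subject):
            findings.append(f"subject matches lure wording: {pat.pattern}")
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if not under_official(host):
            findings.append(f"link host '{host}' is not under {OFFICIAL_DOMAIN}")
    return findings

# Constructed sample message (not a real indicator from the campaign).
SAMPLE = {
    "from_header": '"Ministerio de Sanidad" <avisos@sanidad.gob.es.tsi-renovar.example>',
    "subject": "Renovacion de su tarjeta sanitaria",
    "body": "Renueve su tarjeta en https://sanidad-gob-es.example/tsi antes de 24 horas",
}

if __name__ == "__main__":
    for finding in triage(**SAMPLE):
        print("WARNING:", finding)
```

A message with no findings is not thereby legitimate: the From header can be forged, and the Ministry states it is not requesting renewals at all.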

How the scam unfolds

Victims who click the fraudulent link are redirected to a counterfeit page that asks them to select their autonomous community. They then have to fill in their personal ID (DNI or NIE). The site displays a summary of the “request” and claims the new card will be delivered to their address for a small fee of €2.99 — allegedly for postage.

To complete the process, users are prompted to enter their personal information and card details. Once these are submitted, the scammers obtain full access to the data, enabling identity theft or unauthorised transactions.

A final “secure authentication” screen even pretends to send a verification code, mimicking legitimate banking procedures to create a false sense of safety.


What to do if you receive the message

If you’ve received one of these messages but haven’t clicked the link, report it to the Ministry’s cybersecurity incident mailbox and block the sender. You can also call the Cybersecurity Helpline on 017 for advice.

If you’ve already entered your details, authorities urge you to act immediately. Contact your bank to block suspicious activity and cancel your card. Save all evidence, such as screenshots, and file a report with the police. Regularly check if your data appears online (known as egosurfing) to detect possible misuse.

The Ministry reminds the public that the Spanish Social Security card does not normally need renewal. Your social security number remains valid for life, and any updates or replacements can only be made through official government platforms requiring secure identification via DNIe, digital certificate, or the Cl@ve system. If a supposed government website allows you to proceed without these verification tools, it is almost certainly fake.

Staying safe online

This latest phishing wave shows how cybercriminals continue to exploit official branding and citizens’ trust in government systems. As digital administration grows, so too does the importance of vigilance.

Spain’s National Cybersecurity Institute (INCIBE) reiterates a simple rule: never click on links in unsolicited messages. When in doubt, access public institutions only through their verified official websites.

The Ministry’s warning is a useful reminder that online caution is now an essential part of everyday life — and that even the most official-looking message can sometimes be the most dangerous.
