Protect your digital money like you protect your home

In 5 min you'll know: how to spot phishing, protect mobile codes and react within 24h if you're defrauded

You lock your front door. You check the hob before leaving. But when a message from "your bank" arrives asking you to click a link, most people open it without thinking. Phishing works precisely because it imitates something you trust — your bank, the Tax Authority, MB Way. And the damage isn't symbolic: a single transfer made under deception can empty your account in minutes. In Lesson 5 you learned to choose a bank with low fees and to monitor your account. Now you'll learn to protect that account from attacks that use your trust against you.

Before you continue: when you took out your last loan, did you compare the (annual percentage rate of charge — total credit cost) (annual percentage rate of charge) of at least 3 offers — or did you only look at the monthly payment?

(Answer in the next paragraph.)

Rule number one of digital financial security: no legitimate institution will ask for your details by text, email or phone call. Your bank won't call asking for your PIN. MB Way doesn't send links to "verify your account". The Tax Authority doesn't send emails with zip attachments. If you receive a message that creates urgency — "your account will be blocked", "we have a refund for you", "confirm within 24 hours" — it's almost always fraud. Urgency is the scammer's weapon. Your defence is to stop, not click, and verify directly in the app or on the official website.

MB Way has become a prime target. The most common scheme works like this: someone contacts you via a marketplace or social network, shows interest in an item you're selling, and asks to pay by MB Way. Then they say they'll send you a verification code and ask you to share it. That code isn't a payment — it's an authorisation to withdraw money from your account. Never share codes you receive on your phone. MB Way never asks for codes to receive money — only to send it.

Marketplaces are another attack vector. Buying or selling on platforms like OLX or Facebook Marketplace carries real risks. The buyer who insists on paying upfront by a method you don't recognise, the seller who asks for a transfer before showing you the item, the profile created two days ago with a stock photo — these are signs that something isn't right. The (Portuguese securities market regulator), Portugal's financial market regulator, regularly issues alerts about fraudulent investment schemes and fake platforms posing as intermediaries.

If you've been scammed, the first 24 hours are decisive. Call your bank immediately and request a block on your account or card. File a complaint with the Polícia Judiciária through the cybercrime.pt portal. Change the passwords for all financial services you use. And don't be ashamed to report it — scammers rely on victims' silence to keep operating.

The rule is this: never click on links from unsolicited messages, never share codes from your phone, and if something seems urgent, it's probably fraud. Protecting your digital money doesn't require technical knowledge — it requires the same care you take when you lock your front door.

Primer · CMVM — verificar quem te aconselha

The — Comissão do Mercado de Valores Mobiliários — is Portugal's investment-markets regulator: shares, bonds, funds, brokers, investment advisers and trading platforms. Before trusting money to any entity that calls itself "investment adviser" or "broker", you can (and should) verify it is registered with the CMVM.

What the CMVM does for ordinary investors:

It keeps a public register of authorised intermediaries (search at web3.cmvm.pt/sdi/intermediarios).
It publishes alerts about unauthorised entities and ongoing scams.
It runs the Investor Compensation Scheme, which covers up to €25,000 per financial entity if the broker fails — it does NOT cover losses from poor investment decisions.

Worked example. Helena receives an email from a "financial adviser" promising a guaranteed 12% annual return. Before sharing data or transferring money, she goes to web3.cmvm.pt/sdi/intermediarios and searches for the entity's name. If it doesn't appear, the CMVM doesn't recognise it — it's almost certainly fraud. Guaranteed-return promises above 5% per year are, as a rule, a warning sign. Without CMVM registration, the compensation scheme doesn't apply either.

Continua a leitura — o quiz aparece a seguir.

Download the digital security checklist 0–24h (1 page) →

Your promise: This week, today, I will download the checklist and check my messages for the 5 fraud warning signs.