Scammers Use Spain-Portugal Blackout for TAP Air Refund Phishing Scam

Cybercriminals are using the recent power outages in Spain and Portugal to launch phishing attacks disguised as TAP Air Portugal, aiming to steal personal and financial data.
Cybersecurity researchers at Cofense Intelligence recently uncovered a deceptive email campaign containing fraudulent messages designed to mimic official communications from TAP Air Portugal, the national airline of Portugal.
This particular scheme exploited a significant news event: the widespread power outage that affected both Spain and Portugal on April 28, 2025. It is worth noting that these malicious emails were distributed while the disruption was still ongoing. This timing suggests the perpetrators’ deliberate attempt to take advantage of the confusion and travel disruptions caused by the outage.
The fake email looked like a legitimate email from TAP Air Portugal claiming that people could receive money back for late or cancelled flights because of European air travel rules. The email also claimed the money would be deposited into their bank account within two days.
The email’s title prompted people to fill out a form for refunds, which required victims’ personally identifiable information (PII), including names, addresses, contact details, and sensitive financial data. When recipients clicked through, they were directed to a fake webpage that appeared to be a form for refunds. However, when they clicked on the Submit button, nothing appeared to happen, while their sensitive personal and financial details were transferred to the attackers.
Cofense Intelligence’s analysis reveals that this campaign was not limited to a single language as the threat actors targeted both Portuguese-speaking and Spanish-speaking individuals. This was evident in the use of two distinct email subject lines.
For Portuguese speakers, the subject line read “Atualização de compensação: atraso em seu voo recente,” translating to “Compensation update: delay in your recent flight.” Simultaneously, Spanish-speaking targets received emails with the subject line “Compensación por su vuelo: Complete su solicitud ahora,” meaning “Compensation for your flight: Complete your request now.”
This multilingual approach underscores the broad scope and careful planning of this phishing attack, researchers noted in their blog post shared exclusively with Hackread.com.
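The two reported subject lines can be turned into a mail-filter check. The following is an added example, not code from Cofense or Hackread: it decodes RFC 2047 encoded Subject headers (non-ASCII subjects normally arrive encoded), strips accents and case, and matches the subject lines quoted above. The function names and the sample messages are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.header import Header, decode_header, make_header

# Subject lines quoted in the article for this campaign.
CAMPAIGN_SUBJECTS = [
    "Atualização de compensação: atraso em seu voo recente",
    "Compensación por su vuelo: Complete su solicitud ahora",
]

def normalize(text):
    """Strip accents, casefold and collapse whitespace so trivial variants still match."""
    decomposed = unicodedata.normalize("NFKD", text)
    unaccented = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(unaccented.casefold().split())

NORMALIZED = {normalize(s): s for s in CAMPAIGN_SUBJECTS}

def decoded_subject(raw_message):
    """Return the Subject header with RFC 2047 encoded-words decoded to text."""
    msg = message_from_string(raw_message)
    return str(make_header(decode_header(msg.get("Subject", ""))))

def match_campaign(raw_message):
    """Return the reported subject line a message matches, or None."""
    subject = normalize(decoded_subject(raw_message))
    for needle, original in NORMALIZED.items():
        if needle in subject:
            return original
    return None

def build_sample(subject, charset):
    """Constructed test message: encodes the subject the way a mail client would."""
    encoded = Header(subject, charset).encode()
    return f"From: sender@example.test\nSubject: {encoded}\n\nbody\n"

# Constructed samples, not captured mail.
SAMPLES = [
    build_sample(CAMPAIGN_SUBJECTS[0], "utf-8"),
    build_sample(CAMPAIGN_SUBJECTS[1], "iso-8859-1"),
    build_sample("FWD: " + CAMPAIGN_SUBJECTS[0].upper(), "utf-8"),
    build_sample("Your boarding pass is ready", "us-ascii"),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(decoded_subject(raw)), "->", match_campaign(raw))
```

A subject match on its own is a weak signal, so a filter like this is best used to flag messages for review alongside sender authentication results.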
This campaign highlights how quickly cybercriminals can exploit real-world events, like the power outage in Spain and Portugal, to conduct phishing attacks. By impersonating a trusted airline and promising compensation, they aim to deceive users into revealing sensitive personal and financial data. Everyone must remain alert and carefully examine any unexpected emails, especially those requesting personal information or financial details.
HackRead