Why you shouldn't answer "yes" on the phone: the "yes to the details" scam

Saying "yes?" as soon as you pick up the phone seems harmless, but it can open the door to serious problems if there's a scammer on the other end. In recent months, both the National Police and the National Institute of Cybersecurity They have warned of the so-called "yes" scam, and security firms have issued a warning about the increase in cyber scamsa variant of vishing that takes advantage the simple gesture of answering affirmatively to then manipulate voice recordings or force situations in which you end up revealing sensitive data.

Beyond the initial shock, it's important to understand how the scam works, what the warning signs are, and what steps to take if you suspect you've been tricked. The good news is that, by acting sensibly and following a few simple guidelines, you can minimize the risks. In this guide, we explain in detail what the relevant authorities and organizations have stated. from common social engineering techniques to steps to protect yourselfeven if you already answered "yes" without thinking.

What is the "yes" scam and why is it worrying?

The so-called "yes" scam is a telephone fraud in which criminals contact you posing as a trusted entity (bank, technical support, customer service) and seek an affirmative confirmation, either pre-arranged or spontaneous, while recording the conversation. The goal is to use this recording to lend an appearance of legitimacy to subsequent transactions or, directly, to pressure you and get additional information from you that does allow for actual fraud.

The National Police have warned on social media about this practice: the scammer engages in a conversation designed to elicit a "yes" response to seemingly innocuous questions, or even remains silent waiting for you to greet them with that word, and then hangs up immediately. INCIBE emphasizes that this is a variant of vishing and that, in addition to seeking your recorded "yes," They try to gain your trust and extract other key information. to complete the fraud.

How they operate: step by step the most common scam

The most common scenarios follow a clear pattern. Understanding it will help you detect the trap in time and end the call without making their job easier. These are the steps that are repeated most frequently: as explained by the Police and INCIBE:

1. Initial call and capture of the "yes"They call you from an unknown number, and if you answer with "yes?", no one might respond or they might hang up after a few seconds. In that time, they may have already recorded your affirmative answer. Another variation is that you say "yes" during the first few seconds while asking who it is, and that's when they take the opportunity to record their audio clip. That fragment is the raw material of deception..
2. Dialogue and trick questionsWhen conversation does occur, they impersonate bank staff, a well-known company, or a technical serviceThey ask questions designed to elicit affirmative responses: "Are you authorizing this transaction?", "Do you agree to receive updates?", "Have you recently requested a change?". They weave their message so that you say "yes" more than once and, incidentally, They'll start extracting personal information from you..
3. Recording of the statementEverything is recorded. With that audio, they try to fabricate evidence or generate voice clips that they then mix together as if they were authorization. Although it seems simple, the real goal is usually something else: create the feeling that you have accepted something and use that pressure in a second call.
4. Use of recording and second callHere's the important trick: often the next step isn't to authorize anything with your voice, but to call you back and tell you that, according to their "records," you agreed to a subscription or transaction. They offer to "help" you cancel it, and in that process, They ask you for confidential information (account, ID, codes, etc.). This is the critical moment when they steal the information that's truly useful for scamming you.

There is also a version with automatic voiceover, similar to the fake router replacement scamYou receive a message notifying you of a supposed subscription to a premium service or an imminent charge, and the message hangs up. If you call back to cancel, They guide you through sharing sensitive data Under the pretext of halting the proceedings. It's the same goal by a different means.

Is it possible to authorize transactions using only your voice?

It's important to clarify a key point here. The Bank of Spain has stated that there are no systems that allow banking transactions to be authorized solely with voice commands; additional information is always required. In other words, a single recording of your "yes" is not enough on its own to make transfers or purchase financial products. The scammers need more pieces of the puzzle.

Why, then, do they insist so much on capturing that "yes"? Because they use it as psychological leverage. With that clip and a well-crafted script, they try to convince you that you're accepting something, to pressure you with urgency, and thus obtain what's truly valuable: your personal data, verification codes, account numbers or confirmations that, this time, will allow them to operate.

This distinction is important: simply answering "yes" is usually not enough to empty an account or sign a contract in your name, but it is the first step in a chain of deceptions (the infamous double call) that ends in data theft. Therefore, although the technical risk of a single "yes" is limited, We must not let our guard down or fall into the second act of the scam..

Clear signs that you might be facing a scam

There are recurring patterns that, if you recognize them, will help you cut your losses. Pay attention to these warning signs: all of them described by the official sources themselves.:

• Extreme urgency or threatsThey pressure you to act now or "you'll lose money." This haste is deliberate, designed to prevent you from thinking.
• Request for confidential dataThey ask for passwords, verification codes, card numbers, IBANs, or other sensitive personal information. None of this should be shared over the phone with anyone you cannot verify.
• Unknown or international number and lack of clear identification. If they don't provide detailed information and you can't confirm who's on the other end, be suspicious.
• Unbelievable promises such as unexpected prizes, inheritances, or "guaranteed" investments. These are classic lures to lower your defenses.
• Use of the name of institutions (police, bank, tax office) to intimidate you and force payments or the transfer of information. The goal is for you to obey out of fear.

What to do if you suspect the call is fraudulent

If you have a nagging feeling or you've already said "yes" without thinking, don't worry: you still have time to break the chain and protect yourself. Apply these measures, which They coincide with the recommendations of the Police, the Bank of Spain and INCIBE:

• Do not give personal information Neither financial information. Not passwords, codes, account details, or documents.
• Hang up immediately If you have any doubts, don't continue the conversation. It's better to seem abrupt than to be the victim of a scam.
• block the number from your mobile to prevent new calls from the same source.
• Report the attempt to the relevant authorities and official reporting platforms. The more information they gather, the better they can prevent new cases.
• Check it out for yourselfIf they claim to be from a bank or company, find their official phone number on their website and call them yourself. Do not use links or numbers given to you by the supposed agent.
• Don't call back to the suspicious number. Many scams rely on that return to extract your data under the guise of canceling a non-existent charge.
• Monitor your accounts and cards for a few days. If you see any unusual activity, notify the bank immediately.
• Change passwords and PINs that may have been compromisedIt uses robust and unique combinations for each service.
• Save evidence (numbers, recordings, SMS, emails). These will be useful when filing a complaint and for any subsequent claims.
• Use egosurfing and activate alerts with your name in search engines. If inappropriate information about you appears, you'll be able to react sooner.
• Consider using apps call blocking that filter high-risk numbers or known blacklists.

Everyday prevention: small habits that make a difference

Your first line of defense is you, and even small changes in how you hold your phone can significantly reduce your exposure. Try these guidelines and make them a routine, because they're simple and they work. The key is not to make things easy from the very first second:

• Avoid greeting with "yes" When you answer the phone, opt for "Hello," "Who is this?" or "Hello." This protects you from manipulable audio clips.
• Ask for full identification And write down the name, department, and reason for the call. If they hesitate or contradict themselves, that's a bad sign.
• Don't share sensitive data By phone. If anything needs to be verified, call the entity's official number afterward.
• Be wary of hidden or international numbers If you're not expecting any action, it's best not to reply.
• Update passwords Update important information regularly and avoid repeating it across services. This is a safety net in case any data is leaked.

The double call: the real risk is in the second phase

Several expert sources have highlighted a crucial point to keep in mind: often the danger isn't the recording itself, but what comes after. After getting your "yes," they call you back to inform you of a "problem" that needs immediate resolution (an activated subscription, a questionable payment) and offer to handle it right away. In this context of urgency, they manage to get you to provide credit card numbers, SMS codes, or personal information. That second call is where the fraud is completed..

Therefore, even those who consider the technical risk of a single "yes" to be limited insist on the crucial point: if you receive a second call with that script, hang up and contact the bank yourself through official channels. And remember, as the Bank of Spain itself explains, Voice-only banking transactions are not authorizedIf someone uses that excuse, you're dealing with a complete deception.

Social engineering: how they manipulate you into "confirming"

Criminals exploit biases and emotions: fear, urgency, a desire to cooperate. They present a scenario where it seems easier to say "yes" than to question. Innocent questions, well-known brand names, a professional tone… everything is designed to… to lower your guard and accept small premises that open the door to bigger demands. Recognizing the tactic helps you avoid falling into their trap.

Another common tactic is to cite basic facts (sometimes obtained from leaks or social media) to gain credibility. If you hear your name and a truthful detail, you're more likely to respond automatically. Keep your distance: Even if they get one piece of information right, always verify it through an official channel. before doing or saying anything important.

Variants you should know

Besides the most common script, other versions are circulating that all aim for the same goal: access to your information. Take note of these tactics. all documented by the authorities:

• Voiceover about subscriptionsA robot informs you of a charge or premium service and hangs up. When you call back, they start asking for information "to cancel."
• Awards and inheritancesThey tell you that you've won something or that you're entitled to a certain amount, but first you must "verify" your identity. That verification is, in reality, the collection of your personal data.
• Guaranteed investmentsThey offer impossible returns and demand quick confirmations. When they pressure you urgently, it's time to cut ties.
• Alleged security agentsThey impersonate the police, the tax authorities, or your bank to intimidate you and force payments. A legitimate institution doesn't operate this way over the phone.

If you have already said "yes": immediate action

If you were unlucky enough to answer "yes" and you think they might try something, calmly follow these steps. It's not the end of the world, but it's wise to be proactive. Prioritize the following and You will prevent the threat from becoming fraud.:

• Hang up and don't speak again. With that number. Don't let them drag you into a second conversation.
• Check your online banking And if you see anything suspicious, notify the bank immediately. The sooner, the better.
• Update passwords and PIN of critical accounts. Increases security in case any data was exposed.
• Activate alerts with your name to detect mentions of personal data on the internet and act in time.
• Gather evidence of the call and inform the Security Forces and Corps, providing everything you have.

Institutional context and awareness campaigns

Warnings about this scam are part of ongoing awareness efforts. Public bodies have disseminated guides and recommendations as part of official initiatives, including programs supported by the Recovery Plan and European Next Generation funds, with the aim of strengthening the cybersecurity culture among citizens.

It's advisable to rely on these official sources and be wary of viral chains or unfounded alarmist messages. If you have any doubts, consult the official publications directly. applies its verified guidelines, which include both warning signs and practical responses.

Good practices on the phone: personal protocol

Establishing your own protocol makes all the difference. Before speaking, decide what you will and won't do on the phone with strangers. For example: I don't confirm personal information, I don't dictate verification codes, I don't authorize changes to my accounts, and I don't follow technical instructions on incoming calls. This mental notebook helps you avoid hasty decisions. under pressure.

If you receive a call from a legitimate company, thank them for their assistance, hang up, and call the official number listed on their website to verify. It's a simple step that negates the scammer's main advantage: be the one who initiates the conversation and controls the script.

Finally, educate those around you (family, older people, colleagues) on these guidelines. Phone scammers persist because it works on those who are unprepared. The more people who know the method, the better. It will be less profitable for them to insist.

Greeting someone with a simple "yes" can be the start of a script designed to confuse you, but it doesn't have to end badly if you use common sense: avoid using that affirmation as a greeting, be suspicious of any urgency, don't share personal information, and always verify things yourself. Among the warning signs, action steps, and preventative habits we've reviewed, You have everything you need to cut these calls off in their tracks. and protect your information.