EDP Portugal has confirmed a troubling escalation in fraud tactics targeting electricity customers, with scammers now deploying personalized data—including names, addresses, tax identification numbers (NIF), and even the unique Código do Ponto de Entrega (CPE)—to mimic legitimate billing communications and trick residents into making fraudulent payments.
The Portugal-based utility giant received more than 3,000 fraud reports in the first half of this year alone, marking a 4% rise compared to the same period last year. But raw numbers tell only part of the story: the nature of these attacks has fundamentally changed, shifting from mass-sent generic messages to highly targeted phishing emails that appear disturbingly authentic.
Why This Matters
• Your correct personal details no longer guarantee legitimacy. Scammers are embedding real customer information—NIF, CPE codes, home addresses—into fake invoices.
• New payment references are the trap. Fraudsters generate fake Multibanco entities that look official but funnel money directly to criminals.
• Débito direto eliminates this risk entirely. EDP Portugal is urging customers to switch to direct debit to sidestep fraudulent payment schemes.
• Official payment entities are fixed. Residential customers must only use entities 20174 and 23013; business accounts use 12223 and 21196.
How Fraudsters Obtained Your Data
The million-euro question: where did criminals source this level of detail? EDP Portugal has launched an internal investigation but acknowledged that the information likely came from multiple digital platforms where consumers themselves voluntarily shared data. Security experts warn that the proliferation of online portals, comparison sites, and third-party service apps has created a sprawling ecosystem where personal information—once entered—can be harvested through data breaches, social engineering, or outright data trading on underground forums.
The CPE code, a unique identifier tied to each electricity installation, is particularly valuable to scammers. It appears on official invoices and is occasionally requested by legitimate third-party energy brokers, making it a prime target for phishing operations. Once obtained, it becomes a powerful credential to forge convincing fake bills.
According to broader European fraud research, 28% of Portuguese companies recently reported fraud incidents, with digital payment fraud and cyberattacks ranking among the most common. The energy sector, classified as critical infrastructure under EU cybersecurity directives, has become a high-value target precisely because customer trust in utility providers runs deep—and scammers exploit that trust ruthlessly.
What the New Scam Emails Look Like
Unlike earlier waves of generic SMS messages warning of "urgent unpaid bills," the current phishing campaign against EDP Portugal customers is marked by surgical precision. Recipients open emails that:
• Display their full legal name and registered address.
• Reference their exact NIF and CPE installation code.
• Mimic the visual identity of EDP Comercial down to logos, fonts, and layout.
• Include attachments that appear to be PDF invoices but may contain malicious links or request payment via non-standard Multibanco entities.
The sophistication extends to language. These are not the clumsy, misspelled messages of years past. Criminals now deploy AI-assisted copywriting to replicate the formal, bureaucratic tone of official Portuguese utility correspondence. One emerging technique, dubbed "ghost phishing" by cybersecurity researchers, involves embedding malicious code that remains invisible until decoded in the victim's browser, bypassing traditional email security filters.
What This Means for Residents
EDP Portugal has issued a detailed playbook for customers to protect themselves, emphasizing that the burden of verification now rests squarely on the consumer:
Never trust the sender field alone. Authentic EDP emails originate exclusively from @cliente.edp.pt, @edp.pt, or @edp.com. Any variation—even subtle ones like "edp-comercial.pt" or "edp.info"—is fraudulent.
Legitimate invoices are always PDF attachments. The Portugal Revenue Department and EDP Comercial confirmed that official billing emails contain the invoice as an attached PDF file. If the email directs you to click a link to "view your bill online," it is a scam.
Reject any request for sensitive credentials. EDP Portugal will never ask for bank account details, passwords, online banking credentials, or your CPE code via email or SMS. Period.
Verify Multibanco payment entities manually. Cross-check any payment reference against the official list: 20174 and 23013 for households; 12223 and 21196 for business customers. Any other entity number is fraudulent. In partnership with SIBS, the entity managing Portugal's Multibanco network, EDP has accelerated the process of identifying and blocking fake references, but new ones emerge daily.
Beware of artificial urgency. Scam messages frequently threaten immediate disconnection of electricity service or legal action unless payment is made within hours. Authentic billing from EDP Comercial follows a regulated disconnection process with multiple written notices and a mandatory grace period.
The Safest Payment Method
EDP Portugal is actively promoting débito direto (direct debit) as the single most effective defense against Multibanco phishing. By automating invoice payment directly from a verified bank account, customers eliminate any interaction with payment references—real or fake. The utility estimates that direct debit adoption could reduce fraud exposure for residential customers by more than 80%, as scammers lose the ability to insert fraudulent payment steps into the billing cycle.
For those hesitant to surrender payment control, the company suggests setting up billing alerts via the official EDP Online portal or mobile app, which provides real-time notifications of new invoices and payment due dates, allowing customers to cross-check any email or SMS they receive against verified account data.
Why Fraud Reports Are Rising (And That's Not All Bad)
The 4% uptick in reported fraud attempts is being interpreted by EDP Portugal as a double-edged indicator. On one hand, it confirms that scammers are intensifying operations and refining tactics. On the other, it suggests that customer vigilance is improving—more residents are recognizing suspicious communications and reporting them before falling victim.
The utility has invested heavily in public awareness campaigns over the past 18 months, distributing fraud alerts through social media, bill inserts, and partnerships with consumer protection organizations. Employees at EDP Comercial customer service centers now receive quarterly anti-fraud training to better assist callers who suspect scam activity.
This aligns with broader European cybersecurity strategy. Under the EU NIS Directive (Network and Information Security) and the General Data Protection Regulation (GDPR), energy operators classified as critical infrastructure must implement rigorous data protection protocols and report security incidents. EDP Portugal is also deploying AI-powered anomaly detection systems that flag unusual account access patterns or payment requests inconsistent with a customer's billing history, adding another layer of defense.
What Happens If You've Already Paid
If you've transferred funds to a fraudulent Multibanco reference, immediate action is critical:
Contact your bank within 24 hours to report the unauthorized transaction and request a reversal or investigation.
File a formal complaint with the Portugal Royal Police (PSP) or Guarda Nacional Republicana (GNR) via their cybercrime units.
Notify EDP Portugal directly through official channels (+351 800 506 506 for residential clients) to flag the fraudulent reference and assist the SIBS blocking process.
Change your online banking credentials if you disclosed any login information during the scam interaction.
While banks are under no legal obligation to refund losses from voluntary payments to fraudulent accounts, rapid reporting increases the chance that funds can be frozen before withdrawal. SIBS has enhanced its fraud detection algorithms to flag newly generated Multibanco entities that receive abnormally high volumes of small payments—a signature of phishing campaigns—but the window for intervention is narrow.
The Road Ahead
EDP Portugal is exploring additional safeguards, including two-factor authentication (2FA) for payment confirmations and blockchain-based invoice verification systems that would allow customers to cryptographically verify the authenticity of any billing document. The company is also lobbying for stricter regulatory oversight of third-party energy comparison platforms, which critics argue are insufficiently transparent about how they store and share customer CPE codes and contract data.
For now, the message to Portugal's electricity customers is clear: trust nothing at face value, verify everything through official channels, and when in doubt, let the utility come to you—not the other way around.