Fraud targeting businesses: how to protect your data and finances
Attempts to defraud businesses are increasing and becoming more sophisticated, ranging from fraudulent emails that appear to come from outside or from inside the company to fraudulent SMS messages, fake phone calls and bogus business registers. We have put together a glossary of the most common terms associated with fraud and explain how to spot it and how to protect your data and finances.
Online scams and fraudulent phone calls
Phishing, smishing, quishing and vishing: these may look like randomly combined letters of the alphabet, but they are the most common types of online scam. The principle behind them is similar; once you understand what each one means and how they differ, you can avoid them much more easily.
Phishing
Almost everyone has encountered phishing in the form of a scam email. Such emails can appear to come from outside the company as well as from inside it.
In this case, the attacker sending the fraudulent email pretends to be:
- An authority expecting your response - typically an office, ministry, police or customs,
- A business partner or supplier, typically with a fake request to pay an invoice or a link to track a shipment,
- A client, typically with a fake enquiry or a request for help with a complaint.
The attacker's goal is usually to obtain sensitive data from you, to get you to click on a link leading to a fraudulent site (which of course looks credible), or to get you to download a malicious file or program.
In the case of fraud that appears to come from inside the company, the attacker either targets top management directly or, conversely, impersonates the company's CEO, sales director or finance director. They demand payment of an important overdue invoice or an urgent internal transfer of money, and rely on the fact that an employee who sees an email from a senior manager they may not even know personally will comply with the request without much scrutiny.
Fraudulent messages also target social media. The example pictured here shows an attempt to take over a company Facebook page.
Smishing
Smishing combines the words SMS and phishing. The principle is the same as above, but the fraudster attacks you via a message sent to your mobile phone. It asks you to fill in important information, such as the CVV code from your payment card to complete an online payment, or to activate a mobile key to log into your bank. All of this, of course, is meant to extract payment or login details the fraudster would not otherwise have, which they can then use to steal money from your card or even empty your entire account.
Similarly, these messages often contain fraudulent links to log into your account, track a shipment, claim an overpayment refund, or download an app update to your phone.
For example, this is what a fraudulent text message about tax returns looked like, sent by scammers posing as the Financial Administration (Finanční správa). The real address of the My Taxes portal is https://adisspr.mfcr.cz/, so the registered domain to look for is mfcr.cz; anything placed in front of it or after it that changes the domain belongs to the fraudster. At first glance, the message looks really plausible.
TIP: The introduction of the single gov.cz portal for individual ministries and state institutions aims not only at greater user-friendliness but also at better cyber security. It lets you compare a suspicious message against the genuine government sites and see real examples of fraudulent messages across government departments, so you can verify a message's credibility more easily.
Quishing
Quishing is a more insidious variant because it hides the fraudulent link inside a QR code. With an email or SMS you can at least see the URL and judge whether it leads to the sender's real website; with a QR code you cannot, until you have scanned it. Most phone cameras show the decoded address before opening it, so treat that preview exactly as you would a link in an email. Moreover, QR codes are very popular today because they are simple and convenient, so a fraudulent code can easily be presented as a customer-friendly shortcut to the action you want to take.
Vishing
Vishing (voice phishing) is the form of fraud in which the initiator does not send you a message but calls you in person. Here again, they most often pose as an authority, for example your bank, the Czech National Bank or the police.
The calls usually have the same goal: to convince you that your bank account has been hacked and that your money must be moved immediately to another, supposedly safe, account until the attack is resolved. Here again, the attacker is trying to learn your bank login details or to lead you to their fake website, which mimics the bank's official site or app as closely as possible. A real bank will never ask you to move money to a "safe account".
Beware that the caller's number may look exactly like the real phone number of the institution the attacker is impersonating (caller ID spoofing), so a matching number proves nothing.
Typical warning signs of online fraud
When you learn to spot scams, it's much easier to successfully defend yourself against them. The following five warning signs will help you do this:
1. Unknown sender
Instead of the institution's official phone number (e.g. its client line), the attacker uses a random number that cannot be traced or verified. The exception is the masked caller ID used in vishing, described above. With emails, the sender's address typically does not match the company it claims to be from, or looks different from the usual one; check the actual address after the @, not just the display name.
2. Poor language
The message contains typos, grammatical mistakes or wrong conjugations, and reads as machine-produced rather than professional or human.
3. Urgency
The less time you have to examine the content of a message and its details, the more likely you are to make a mistake. That is why a typical warning sign is the fraudster's insistence on an urgent issue that requires immediate resolution.
4. Unusual content
Rely on your own judgement and experience as well. Have you received an email from a supervisor or business partner that sounds completely different from usual? Someone in your company or supply chain may have been compromised, so that their real contact details and correspondence are now in the attacker's hands.
5. Suspicious link
If the link in the message is shortened or does not lead to the sender's official website, you do not know what really lies behind it. Beware: attackers can forge addresses very convincingly, or use the QR code mentioned above to mask the link entirely.
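A practical way to apply warning signs 1 and 5, as an added example that is not code from the original article: the only real value it uses is the My Taxes address https://adisspr.mfcr.cz/ quoted above, whose registered domain is mfcr.cz; every other host, sender address and the sample SMS are constructed for illustration. It shows why "the official name appears in the link" is not enough: a subdomain trick, a user@host trick, a hyphenated lookalike and a non-Latin lookalike all pass a glance but fail the check, and a shortened link is reported as unknown rather than safe.

```python
"""Check sender addresses and links in a message against an organisation's official domain.

Added example. The real domain mfcr.cz comes from the article; all other hosts,
addresses and the sample SMS below are constructed.
"""
import re
from email.utils import parseaddr
from typing import Dict, Optional
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = {"mfcr.cz"}              # registered domain of https://adisspr.mfcr.cz/

# Well-known URL shorteners: the visible link hides the real destination.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def host_of(url: str) -> Optional[str]:
    """Host the browser would really connect to, lower-cased, or None if not a web link."""
    parts = urlsplit(url)
    if not parts.scheme:                    # "adisspr.mfcr.cz/login" as typed in an SMS
        parts = urlsplit("https://" + url)
    if parts.scheme not in ("http", "https"):
        return None                         # javascript:, mailto:, data: ...
    host = parts.hostname                   # drops userinfo ("mfcr.cz@evil.example"), port, path
    if not host:
        return None
    try:                                    # show punycode (xn--) hosts in readable form
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass                                # already Unicode, or not valid punycode
    return host.rstrip(".")


def belongs_to(host: str, official: str) -> bool:
    """True only for the official domain itself or a genuine subdomain of it."""
    return host == official or host.endswith("." + official)


def classify_host(host: Optional[str]) -> str:
    """Verdict for one host: official, shortened, lookalike, non-ascii, unrelated or unparsable."""
    if host is None:
        return "unparsable"
    if host in SHORTENERS:
        return "shortened"                  # destination unknown, not "safe"
    if any(belongs_to(host, d) for d in OFFICIAL_DOMAINS):
        return "official"
    if not host.isascii():
        return "non-ascii"                  # homoglyph risk, e.g. Cyrillic letters in a Latin name
    # Official name embedded in a foreign domain: "mfcr.cz.refund.example", "mfcr-cz.example"
    flat = host.replace(".", "").replace("-", "")
    if any(d.replace(".", "") in flat for d in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"


def classify_link(url: str) -> str:
    return classify_host(host_of(url))


def classify_sender(from_header: str) -> str:
    """Judge a From: header by the domain after the @, never by the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparsable"
    return classify_host(addr.rsplit("@", 1)[1].lower())


def review_message(text: str) -> Dict[str, str]:
    """Map every link found in a message to its verdict."""
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    return {u: classify_link(u) for u in urls}


# Constructed sample SMS, modelled on the tax-return scam described in the article
SAMPLE_SMS = (
    "Financni sprava: your tax overpayment of 2 430 CZK is ready. "
    "Confirm your account within 24 hours at "
    "https://adisspr.mfcr.cz.overpayment-refund.example/login"
)

if __name__ == "__main__":
    for url, verdict in review_message(SAMPLE_SMS).items():
        print(f"{verdict:10} {url}")
    print(classify_sender("Financni sprava <refund@mfcr-cz.example>"))
```

The rule that matters is in `belongs_to`: a host is trusted only if it is the official domain or ends with a dot followed by it. Everything else, including hosts that merely contain the official name, is reported for manual verification, which is exactly the point of warning sign 5.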
How to defend yourself against online attacks
If you receive a message that looks suspicious in any way, the golden rule is: do not react. Any contact with the scammer only makes it easier for them to get their way. It is in your best interest to say NO three times:
- Don't reply to the message.
- Do not click on links or QR codes.
- Never give out your payment card, bank account or login details.
What you can do instead:
- If you are unsure about anything, contact the company or sender yourself, using a contact you already have in your address book or one you find on the official website, never one taken from the suspicious message.
- Take the time to check the warning signs of fraudulent messages and verify the information from your own sources (e.g. log in to your bank yourself in the usual way, not through the link you were sent).
- If you have suffered a loss, contact the relevant authorities: your bank, the Data Protection Authority, the Police and the like.
TIP: Not all shortened links are fraudulent. Shorteners such as bit.ly or goo.gl are common in marketing communications. In any other kind of message, do not click on them.
Offline scams on businesses
The offline world is not exempt from scams either. Fake official letters and invitations to register in various registers, directories and business listings most often target budding entrepreneurs who have just set up a company or a trade. They do not yet have much experience and act in good faith, wanting to keep the administration around their business in order.
In the Czech Republic there are two official registers for entrepreneurs: the Trade Licensing Register and the Commercial Register. Registration in any other register is therefore purely voluntary and amounts to paid promotion, not a legal requirement.
Beware if you receive a letter with an invoice for paid registration in, for example:
- Chamber of Trades,
- Czech Chamber of Tradesmen,
- European Register,
- Central Register of Companies,
- Register of Commerce and Trades,
- Business Register, etc.
Certainty in business
Fingers crossed that you manage to avoid fraud. And if you need help with your business, contact the professionals. We can help you set up your business properly, register it in the Commercial Register or even set up a virtual office; we have long experience and all-round expertise. We will handle the necessary administration for you so that you can concentrate on developing your business.
Write to us and we'll get back to you within 24 hours.