Phishing

Phishing is a type of social engineering (psychological manipulation of people into performing actions) where an attacker sends a fraudulent message designed to trick the victim into revealing sensitive information or to deploy malware (e.g. ransomware) on the victim's computer. It is often carried out through the creation of a fraudulent website, e‑mail or text message appearing to represent a legitimate business.

Scammers create a false sense of security in their targets by spoofing or replicating the familiar, trusted logos of real companies, or they pretend to be a friend or family member of the victim. Fraudsters often attempt to persuade the victim that they need personal information urgently or else the victim will experience severe consequences, such as their accounts being frozen or funds being lost. 

A classic example of phishing begins with the setting‑up of a website that looks like that of a major bank. The fraudster who created the site then sends out a large number of e‑mails that claim to be from the bank, requesting that the recipients enter their personal banking information (e.g. Internet bank usernames and PIN codes) on the website in order to perform the task stated in the e‑mail. Once the fraudster gets hold of this personal information, they try to access the victim's bank account.

What to look out for

The first thing to ask yourself is whether you were expecting the e‑mail or message in question. Fraudsters using social engineering send you unexpected e‑mails so as to make you curious or scare you. This may include invitations to take up services you have never heard of, or the sender referring to a topic you know nothing about. Curiosity is one of the most powerful emotions that social engineers abuse. By presenting something as interesting or mysterious, the attacker seeks to get you to perform the action they want you to take.

E‑mail is one of the most widely used tools in phishing. A classic tactic of attackers is to promise you rich rewards. Remember that if you receive an e‑mail with an offer that seems too good to be true, it usually is. In addition, social engineers will try to make you feel like you have to hurry, because that is when you make rash decisions. Emphasising a looming deadline creates a sense of urgency, increasing the possibility that you will fall into the trap.

When you receive an e‑mail it is always useful to follow these steps:

  1. Check the sender’s e‑mail address (which might contain minor differences from the actual address). 
  2. Don’t be influenced by colour schemes or logos: social engineers use recognisable brands to gain your trust. 
  3. Hover over any links (to reveal the full URL) to find out where they are directing you to.

Also be wary of exceptionally good deals or offers, unusual senders, hyperlinks, incorrect spelling and immediate pop‑ups. Always log in to a website directly rather than clicking on links in an e‑mail. Remember – it’s smarter to think things through before you take any action.
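The sender and link checks from the list above, worked through as an added example that is not part of the original page: a small Python script that takes a raw e‑mail, compares the sender's domain with a list of domains you actually deal with (examplebank.com is an assumed placeholder), flags lookalikes (punycode labels, digit-for-letter swaps, the real name used as a leading subdomain, one- or two-character typos) and reports links whose visible text points somewhere other than their real destination. The same lookalike-domain check applies to the similar-looking sender domains used in the fake CEO fraud described further down this page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # domains the recipient genuinely deals with (assumed)
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # swaps that fool the eye

def edit_distance(a, b):
    """Levenshtein distance: single-character edits separating two domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    d = domain.lower().rstrip(".")
    if any(label.startswith("xn--") for label in d.split(".")):
        return "lookalike"  # punycode: displayed with non-Latin letters that mimic Latin ones
    unswapped = d
    for fake, real in HOMOGLYPHS.items():
        unswapped = unswapped.replace(fake, real)  # 'examp1ebank' -> 'examplebank'
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):
            return "trusted"
        # real name as a leading subdomain, a homoglyph swap, or a one/two-character typo
        if d.startswith(trusted + ".") or unswapped == trusted or edit_distance(d, trusted) <= 2:
            return "lookalike"
    return "unknown"

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def inspect_message(raw):
    """Apply the sender and link checks to a raw message; returns a list of warnings."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain '{sender_domain}' is {verdict}")
    for href, text in HREF_RE.findall(msg.get_payload()):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname  # None unless the link text is itself a URL
        if shown and shown != target:
            findings.append(f"link text shows '{shown}' but points to '{target}'")
        verdict = classify_domain(target)
        if verdict != "trusted":
            findings.append(f"link target '{target}' is {verdict}")
    return findings

# Constructed sample: a digit-for-letter sender domain and a link whose text hides its target.
PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com>
To: customer@example.org
Subject: Urgent: your account will be frozen
Content-Type: text/html

<html><body><p>Verify your account within 24 hours.</p>
<a href="http://examplebank.com.login-verify.net/verify">https://examplebank.com/login</a>
</body></html>
"""

if __name__ == "__main__":
    for warning in inspect_message(PHISH):
        print("WARNING:", warning)
```

Hovering over a link in a mail client shows the same href the script extracts; the script simply makes the comparison explicit and repeatable.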

Fraudulent telephone calls (vishing)

Recently there has been a growing trend of fraud, and in particular of fraudulent calls, in which scammers seek to obtain data and money from people through a variety of schemes.

Here is an example of a typical fraudulent call: A customer is contacted by someone who claims to be calling from their bank's security department to inform them that there is a problem with the customer's account. Alternatively, the customer is asked whether they have just made a payment. The caller then says that access to the customer's account has probably been compromised, but that the payment can be suspended if the customer gives the caller their details, including those of their bank card, and confirms the required actions using Smart ID or Mobile ID. If the customer discloses their details and confirms the actions, this in fact gives the fraudsters access to their funds.

In the case of fraudulent calls, any caller who asks for bank card details or access to a bank account is an immediate red flag. Often such callers pass themselves off as bank employees, specialists or security department staff, refer to a problem related to the customer and immediately offer a solution for which the customer must do something or authenticate themselves. Fraudsters seek to confuse people using smooth arguments and justifications. They may be pleasant and friendly, but if necessary they can be relentless and try in every way to place pressure on the victim to grant them access to their bank account. In most cases, such calls are not made in the local language, and the callers try to come up with excuses for not speaking it. 

Detecting a fraudulent call starts with the caller's phone number: be careful about calls coming from abroad and numbers that start with unusual sequences of digits. You should also be careful on calls where you are pressed to make quick decisions. It is important to know that your bank never calls its customers to ask for their account or payment card details, such as the card number and the CVV code on the back of the card. Nor are customers ever asked to log in to their Internet bank during a call.

If you have any doubts about whether the caller is a genuine bank employee, the best solution is to end the call immediately and then call the bank yourself on a publicly available number, which you will find on the bank's website. Under no circumstances should you call back on the number from which the call originated. 

If you have been the victim of fraud and have transferred money to fraudsters or lost money from your account, you should notify the bank and the police as soon as possible.

Smishing

Smishing is a variant of a phishing attack which is carried out via mobile text messaging (the name deriving from the terms ‘SMS’ and ‘phishing’). As a type of phishing, smishing aims to deceive victims into handing over sensitive information to a fraudster. Smishing can also involve malware or links to fraudulent websites, and this type of fraud is not limited to text messages: it can also occur on mobile messaging apps.

An example of smishing is when a person receives an unexpected SMS stating that unusual transactions have been noted in their bank account. To check and then authorise or cancel them, they are told to log in to their bank via the fraudulent link provided. When the person clicks on the link, they are forwarded to what appears to be their bank’s log‑in screen (which looks identical to the real one), where they enter their log‑in details. In doing so, the person hands these details to the fraudsters, granting them access to their actual bank account.

Nowadays, fraudsters can mimic actual websites to the point that they look exactly like the real and trusted site, and forward people to them using text messages. These messages often contain a link, and like other phishing attacks they encourage the recipient to take immediate action – for example, in order to claim a prize or confirm or reschedule a delivery – or state that there are problems with their online banking account or similar.

In reality, the aim of smishing is to get the person to use the link provided to enter their personal or banking details. Smishing texts share some characteristics with phishing e‑mails: they normally come with a sense of urgency and contain a link (even if the link appears legitimate) and a request for personal information. 

Fraudsters try to make their messages seem as believable as possible, which is why so many people fall victim to such schemes. Sometimes smishing messages can be hard to identify, but be on the alert for poorly written messages or messages that contain grammatical errors. In addition, be on the lookout for unusual numbers from which such messages originate, although in this regard there are also fraudsters with more advanced tools and methods who can make it look like the SMS originated from the correct sender. The best way to protect yourself if you receive an unusual SMS is not to click on the link, but to go to the site directly from your browser. 

Investment fraud

Investment fraud is a term covering a variety of disinformation that scammers use to cause investors to make investment decisions regarding products that are worthless or don’t even exist. Such fraud can include different asset classes (stocks, options, cryptocurrency, etc.) and fraudsters use false information and fabricated opportunities to convince people to transfer their money to them. 

A typical example of investment fraud is as follows: A person is contacted out of the blue by someone offering the services of a new investment platform on which they can trade in anything and everything with guaranteed excellent returns. The person contacted has always wanted to try out investing, and without thinking or doing any research about the platform they decide to set up an account on it and even transfer funds there. At first they see that their investments are earning them a profit and that they have made significant gains. They then make further deposits and their profits keep rising. At one point they try withdrawing some of the money that has accumulated in their account, only to find that they are unable to do so: the investment platform was a scam and there are no real funds behind their profits. They have lost all of their initial investment.

When it comes to investment fraud there are certain things to look out for. 

  • Receiving unexpected offers that promise unusually high rates of return or quick profit should always set off alarm bells. 
  • Fraudulent investment opportunities are usually marketed as time‑sensitive in order to pressure victims into acting. 
  • Fraudsters tend to lean on people’s fear of missing out to get them to act on their emotions. 
  • Such opportunities can also be presented as personal offers that should not be mentioned or discussed with others. 

It is advisable to always ask for more information and to research the company or product that you plan on investing in. Unsolicited phone calls or random ads should always be treated with scepticism. If you are uncertain about the product or if you don’t fully understand it, you are strongly advised not to proceed with the investment until you are certain that the company through which you are investing is legitimate and you understand and accept all of the risks that come with it. 

If you have been the victim of investment fraud and lost money on fraudulent investment opportunities, you should notify your bank and the police as soon as possible.

Romance fraud

Nowadays many people use online dating apps and sites to meet new people. However, instead of finding romance, some people stumble across fraudsters who try to trick them into sending them money. In the case of romance fraud, fake profiles on dating sites are created by fraudsters and people are contacted via social media platforms such as Tinder and Facebook.
Fraudsters look to start online affairs with their intended targets with the aim of befriending them and gaining their trust so that one day they can come up with a story to ask for money from their victims. Such scams can continue for a long time, even years. 

Here is an example: Marie signed up for an online dating service and was contacted by Bob, who claimed to be an American officer stationed in Iraq. They seemed to get along well, messaged each other for quite some time and eventually began planning a road trip in Europe for the summer, when Bob’s tour would end and he would be able to meet up with her. Bob told Marie that he would transfer 5000 euros to her to cover the costs of the trip, and sent her a statement of the transaction via e‑mail, telling her that the money would reach her with a slight delay due to his bank’s slow transaction processing. The next day Bob suddenly asked Marie to transfer 4000 euros back to him because he needed to lend it to a friend who was in dire need; since he had already made the transfer to her, he no longer had the money himself. Marie transferred the money to him while waiting for his to arrive, but it never did. Marie contacted her bank, and it turned out that Bob’s statement was fake. On top of losing her money, Marie never heard from him again.

What to look out for

Fraudsters often say they are living or travelling outside of the country. For example, scammers might say they are serving in the military, that they are doctors or similar. Romance fraudsters tend to ask their targets for money to cover: 

  • travel expenses (e.g. plane tickets); 
  • medical expenses (e.g. surgery); 
  • customs fees in order to retrieve something; or 
  • gambling debts.

In addition, fraudsters can ask people not to transfer money directly but to pay using gift cards from vendors like Amazon, Google Play or Steam.

If you suspect romance fraud, then the best thing to do is to stop communicating with the person immediately. Bear in mind that scammers play on your feelings so as to lessen your ability to think rationally. You can also search online for the type of job the person claims to have to see whether other people have been told similar stories. Also, you can do a reverse image search of the person’s profile picture to see if it is associated with another name or any details that don’t match up. 

Remember – never send money to someone you haven’t met in person.

Payment diversion fraud

In the case of payment diversion, fraudsters compile fake invoices or fake payment requests and forward them to organisations with the aim of defrauding them.

An example is as follows: A car dealer fell victim to payment diversion fraud that took place over the course of several years. The accountant systematically paid altered supplier invoices, with funds being diverted to the fraudster. Total damages were in the millions of euros and the fraud was uncovered during a routine audit – a supplier check showed that the supplier had not provided any services to the dealer for five years. In the end, some of the funds were recovered but the dealer still suffered considerable financial losses. 

What to look out for

When letters or e‑mails are sent to a company, they may include logos that can be found online. These letters or e‑mails often contain false contact details to ensure that calls or e‑mails sent to confirm the changes are received by the fraudsters rather than the genuine business. Furthermore, the letters or e‑mails may sometimes contain grammatical mistakes, and the address of the recipient bank is often a location which has no apparent links to the payee. 

How to avoid it

  • Firstly, train your staff who handle payments so that they are informed about fraudulent schemes. 
  • Before any payment is made to a supplier or a business partner’s new bank account, telephone them to confirm the changes to their bank details. 
  • Perform periodic reviews of changes to a supplier’s bank details. 

Fake CEO fraud

In initiating this type of fraud, the perpetrators select their victim and conduct research about their company – any and all information that can be obtained from corporate websites and employees’ social network pages. Posts that involve information about the company can be exploited by fraudsters, for example to pinpoint when a senior manager will be unavailable or have only restricted access to their computer or telephone. Once the person they plan to impersonate has been identified, the fraudsters research the company’s sector, contacts, partners, common transactions, news of possible mergers and more. 

The fake director then contacts an employee who has access to company accounts to ask them to urgently transfer money to an account number that is not normally used. The fraudsters know who to contact thanks to the employee’s digital footprint: they either call or send an e‑mail to the employee who has permission to perform transactions or access sensitive information. The e‑mail is usually sent from a domain very similar to the original so that it is familiar to the employee. The signature is usually omitted, or a signature very similar to the original is used. After receiving such an e‑mail, the employee may do what is requested of them without questioning it due to the urgent nature of the message and because of the trust that exists between people working in the same company. In addition, by repeating several times that something is confidential, employees tend not to share it with their colleagues out of fear of repercussions. 

The account numbers the fraudsters use tend to be in countries that have different economic policies from those in Europe. Differing legislation combined with the time difference and language barriers make cancelling the transfers or tracking the money a difficult or even impossible task.

An example of fake CEO fraud is this: An employee who regularly performs payments receives an e‑mail from the fraudster impersonating their CEO stating that an unpaid invoice has been issued by their partner company and that the invoice must be paid immediately. The e‑mail even has a large image of the CEO attached to it. The employee knows that it is public information that the issuer of the bill is their company’s closest partner, so without giving it further thought the employee pays the bill. Later they find out that not only was the CEO on vacation that week, but that the money went to fraudsters and that there is no way of reclaiming it.

What to look out for

Such e‑mails tend to include the following: 

  • a brief introduction explaining that what follows is a very urgent and confidential matter that cannot be discussed with colleagues or superiors; 
  • body text requesting sensitive information or asking the employee to perform a bank transaction involving a large amount of money to an unusual account number; and 
  • in closing, a reminder of how important the confidentiality and urgency of the transaction are. In addition, the e‑mail may contain promises of rewards for the employee if they carry out the task quickly and according to the instructions provided. 

Promises of reward made by third parties

This is a scheme in which a person is randomly contacted, generally in the form of an e‑mail, and asked for help in transferring a sum of money. In return, the sender offers a part of the sum as a reward – usually a large amount, sometimes up to several million euros or dollars depending on the case. The fraudsters ask the person to send money to cover some of the initial costs in connection with the transfer. However, if the money is sent, the fraudsters will either disappear immediately or seek to obtain further money with claims of ongoing problems with the transfer. 

The most widely known examples of such fraud are the so‑called ‘letters from Nigeria’: “Hello dear friend! I am dr Musa, a Nigerian prince and I have a practical proposal to share a 10‑million‑dollar inheritance with me. To get 50% of it you only need to confirm your bank statements by sending me a small fee on 100 dollars to the following account…” If a person who receives such a letter decides to transfer money to this ‘prince’, then the money will be lost and there will be no reward of five million dollars or otherwise. 

Such fraud is based on the assumption that the reward offered will be attractive enough to compel the recipient of the message to take the risk of sending a small amount of money (compared to the reward) to a total stranger. The reasons given for the transfer differ: for example, accounts are said to be frozen and initial funds are needed to release the money, or the writer claims to have gained a vast inheritance but needs initial funds to access it. In such cases it is important to remember that if anything sounds too good to be true, it usually is. Such fraud persists because some people are taken in by promises of large rewards and fall victim to these schemes.

How to respond

  • If you receive such a proposal it is best to ignore and delete it immediately. 
  • You should never transfer money to a total stranger in hopes that you will be rewarded for it. 
  • If you are unsure about the transaction you are about to make, talk over the details with your bank before making any hasty decisions. 

Fake shop fraud (online shopping scams)

This involves fraudsters pretending to be legitimate online sellers, using either a fake website or a fabricated ad on a genuine retailer’s site. While many online sellers are legitimate, fraudsters exploit the anonymity of the Internet to defraud unsuspecting people. They set up fake retailer websites that look like genuine online stores. They may use imitated webpage designs, copied logos and domain names similar to those of authentic retailers. Fraudulent websites often offer expensive items, such as branded clothing, jewellery and electronics, at very low prices. Sometimes you may even receive the item you paid for, but it will be a cheap replica of the thing you thought you had purchased. In most cases, however, you will receive nothing at all.

There are many warning signs that a seller is fake:

  • A product is advertised at a remarkably low price that sounds too good to be true. 
  • The store is very new and is selling products at very low prices. 
  • Information about delivery options and policies is nowhere to be found on the site or is very limited in nature. 
  • The supposed online retailer does not provide adequate information about privacy, terms and conditions of use, dispute resolution or contact details. 
  • The seller accepts only a few and not very well known payment methods. 

To avoid losing your money to a fake online store, the first thing you should do is find out exactly who you are dealing with and decide whether you can trust them. Doing research on the retailer is important, and anything negative you discover about them should make you cautious about purchasing things from them. In addition, you can check whether the website has a refund or returns policy – better online shopping sites have detailed complaints handling processes in case something goes wrong. 

When making online payments, only pay for items using secure payment services and think twice before agreeing to use cryptocurrency as a payment method. Avoid agreeing to any arrangements with strangers that require advance payment via a 3D secure card transaction, pre‑loaded cards or cryptocurrency. It is extremely rare to recover money sent this way. Remember never to send money or give credit card or online account details to anyone you don’t know or trust.