Phishing: how to detect and avoid online fraud

They say that imitation is the sincerest form of flattery. But in 2025, criminals using AI-driven phishing and deepfake voice scams to impersonate Qonto staff members is not only unflattering - it’s a serious threat.

Your account security is our top priority. That’s why we’ve invested in cutting-edge technology, including AI-powered fraud detection, biometric authentication, and real-time alerts, to protect you from evolving phishing attacks.

This article will break down the latest phishing tactics, from QR code scams to social media impersonation. We’ll also give you some advice on what to do to prevent it from happening to you and your company.

Phishing is a type of social engineering attack used to steal sensitive data like login credentials, credit card numbers, or business account details. While traditionally disguised as emails or SMS messages from trusted sources, modern phishing attacks have evolved to exploit AI-generated content, QR codes, and even social media platforms.

These messages pressure recipients to act immediately—clicking malicious links, downloading infected files, or entering personal details on fake websites designed to mimic legitimate ones like Qonto’s app. In 2025, phishing increasingly targets mobile users through malicious browser extensions or fake app notifications, making vigilance more critical than ever.

Phishing attacks are often part of coordinated “campaigns” targeting masses of people, but criminals now use AI to personalize scams at scale. Below are the most prevalent types in 2025:

Scammers send mass emails or SMS messages impersonating trusted organizations like Qonto. For example, you might receive a message claiming there’s an “urgent issue” with your account, urging you to click a link to “verify your details”. These links lead to counterfeit websites that mirror Qonto’s login page, designed to steal your credentials.

Vishing uses phone calls to trick victims into sharing sensitive data. A criminal might pose as a Qonto support agent, claiming your account has been “breached” and urging you to “confirm your identity” by sharing passwords or PINs.

In clone phishing, attackers intercept legitimate emails between you and a trusted organization (e.g., a Qonto transaction confirmation), then “clone” the email and reply with a malicious link. The message appears to continue the original conversation, tricking victims into entering banking details on a fake page.

Scammers impersonate Qonto or your contacts on platforms like LinkedIn, WhatsApp, or X. They might send fake promotional offers (“Get a 10% cashback with Qonto!”) or urgent requests (“Help! I need to transfer funds ASAP!”).

Attackers send emails or posters with QR codes labeled “Scan to access your Qonto account” or “Claim a reward.” Scanning the code redirects you to a phishing site or auto-downloads malware.

While phishing tactics evolve, so do we. Qonto’s security features include:

• AI-powered fraud detection to flag suspicious login attempts.
• Biometric authentication to block unauthorized access, even if passwords are stolen.
• 3D Secure (3DS2) for transaction approvals via one-time codes or facial recognition.

Staying safe from phishing requires a mix of caution, technology, and awareness.

Here’s how to protect yourself and your business:

1. Lock Down Your Logins

• Ditch passwords where possible: Use Qonto’s biometric authentication (fingerprint or facial recognition) to eliminate password theft risks.
• When passwords are needed:
  • Create 12+ character passwords with numbers, symbols, and mixed cases.
  • Never reuse passwords across accounts—credential stuffing attacks exploit this.
  • Use a password manager (e.g., 1Password, Dashlane) to generate and store unique passwords.
  • Pro Tip: If your password manager doesn’t auto-fill on a site, it might be fake! Close the page and log in directly via the Qonto app.

2. Verify Requests Rigorously

• QR codes: Never scan codes from unsolicited emails or posters. Always log in manually to your Qonto account.
• Urgent calls/messages: Hang up and contact Qonto directly via the app or official website if someone pressures you to share data.
• Deepfake red flags: Watch for slight voice glitches or unnatural phrasing in calls. Verify requests through a separate channel.

3. Monitor and Manage Access

• Check login activity in your Qonto app to spot unauthorized access.
• Review third-party integrations (e.g., accounting tools) regularly. While Qonto’s secure APIs protect these connections, revoke access for apps you no longer use.

4. Leverage AI Defenses

• Install AI-driven security apps (e.g., Norton 360 with GenAI) to block phishing sites and fake apps.
• Enable Qonto’s real-time transaction alerts to catch suspicious activity instantly.

With phishing attacks growing more sophisticated, we’ve built multi-layered defenses to protect you. Here are a few examples:

1. AI-powered fraud detection

Our systems analyze millions of data points to flag anomalies like:

• Logins from unrecognized devices or locations.
• Unusual transfer amounts or recipient patterns.
• Suspicious API activity from third-party tools.

2. Advanced authentication

• Biometric login: Replace passwords with fingerprint or facial scans.
• 3D Secure (3DS2): Approve payments with one-time codes or biometrics.
• Device binding: Only pre-approved devices can access your account.

3. Proactive protections

• Auto-suspend risky activity: Accounts with suspicious behavior are temporarily frozen until verified.
• TÜV SÜD-certified encryption: Your data is shielded with bank-grade security.
• 24/7 human oversight: Our fraud team monitors threats around the clock.

4. Transparent control

• Customizable permissions: Limit employee access to sensitive features.
• Instant card freezing: Block lost or stolen cards directly in the app.

By combining smart habits with Qonto’s cutting-edge security, you can avoid the bait and keep your business safe from phishing hooks.