Phishing: how to detect and avoid online fraud

They say that imitation is the sincerest form of flattery. But criminals trying to impersonate Qonto staff members and scam our clients is not only unflattering but unacceptable.

Your account security is our first priority. We’re fighting against these attacks on multiple fronts, thanks to a dedicated team of IT security experts and trained customer service agents that prevent and shut down fraud. Immediately.

This article will break down a phishing attack – the most common type of online fraud – to help you identify if it’s happening to you. We’ll also give you some advice on what to do to prevent it from happening to you and your company.

Phishing is a type of social engineering attack used to steal someone’s data, including login credentials, credit card numbers, and other sensitive information.

It’s often disguised as an email or SMS sent from a legitimate source. The message will pressure the person reading the email to take immediate action and enter personal information on a fake website which looks identical to the legitimate one.

Phishing attacks are generally part of “campaigns”. This means that scammers use the same email template and send it out to masses of people. Classic phishing is the general, mass-mailed type, where the criminal sends an email pretending to be someone else and tries to trick the recipient into handing over sensitive information.

For instance, you may receive an email that looks like it comes from Qonto telling you there’s a problem with your account and you need to update your details by following a link.

Attackers put a lot of effort into designing these emails and making sure that both the link and the website they direct you to closely resemble the Qonto app. Don’t forget, once they have access to an account, they can make transfers and order virtual cards to make online purchases.

“Vishing” (or voice phishing) is a form of phishing using telephone calls. The approach is the same: to come across as legitimate in order to get the victim to part with sensitive information. For example, the criminal will call a victim and pretend to be a Qonto representative, telling them they have a payment pending or that their account’s been breached. Then, having laid the groundwork and created a seemingly critical situation, they’ll play on the victim’s sense of urgency and ask for all their sensitive data to verify their identity.

Clone phishing is a particularly sophisticated attack which involves intercepting genuine emails between an organization and their customer. Criminals clone a legitimate email from a trusted source and reply with what seems to be a continuation of a previous conversation. Of course, the victim doesn’t suspect a thing, but the scammer’s email actually contains a malicious link designed to trick you into entering your banking details.

Practice caution when you’re asked to give sensitive information over the phone or online.

Here are a few tips to help you prevent phishing attacks:

• Never use the same password on different websites and accounts.
• Create strong and complex passwords, especially for your bank account.
• You can use secure tools to generate and manage complex passwords, such as 1password. 
• If you’re on the wrong website or a fraudulent website, your password manager won’t automatically fill in the password, so you should be suspicious.

You can also monitor login activity on your account from the Qonto app. Bear in mind that when you use one of Qonto’s 80+ integrations to make your financial admin easier, you’re giving access to secure APIs, which establish an automatic connection between the apps and your account. While you did not directly create that connection, you did give the tool access to your account.

As you now know, there are plenty of phish in the sea! Which is why we’ve set up alerts to detect anomalies and our products contain multiple layers of security features to prevent any type of account takeover.

• We automatically suspend any account showing suspicious patterns of behavior (e.g., logging in from an unknown device, abnormal transfer amounts, unusual activity).
• We protect all sensitive operations using two-factor authentication.
• We rely on data-driven algorithms to block high-risk operations.

Despite all the features we have developed, if you think you have been a victim of online fraud, please click this link to find out what to do.

Phishing is a very popular technique for fraudsters, and we can’t stress enough how important it is to be aware of it.

So, remain vigilant, be cautious – and keep these tips in mind to avoid taking the bait and getting “hooked”.