
16.02.2023

HOW TO PROTECT OURSELVES FROM FINANCIAL SCAMS

Enormous losses are incurred by companies all over the world that fall victim to financial fraud with a changed International Bank Account Number (IBAN). The organized criminal groups that replace this number are on one continent, the victims - on another, the contractors - on a third, warn cyber police officers in an interview with BTA.

Unfortunately, Bulgarian companies are no exception. Law enforcement officials dealing with cybercrime indicate that those attacked part with thousands and even millions of euros, and that countering this type of crime is very difficult.

According to a victim, the actual damage figures are even higher because victims don't always complain for a variety of reasons, including because they don't think they can recover their losses. Before that happens, however, awareness can be raised for prevention.

The scheme is not complicated: using a phishing e-mail, hackers begin to monitor the business correspondence of a given company with its counterparties from all over the world. When a payment is discussed, the hackers intercept the messages and change the bank account number, and the money then goes to them.

If your counterparty requests a change of bank account, make sure that the email is genuine, advises Tsveta Ilieva, Head of Department at the Association of Banks in Bulgaria. In an interview with BTA, she commented on the main frauds and how companies can take measures against them.

Check the IBAN to which you send money and always access your electronic banking from the official page of your bank, the expert also advises.

The full text of the interview follows:

- What are fake IBAN scams and how do they work?

- These scams aim to transfer an amount owed to a foreign bank account that is controlled by the criminals, instead of the real one. Most often, they target companies because of the high-value transfers they perform, not so much individuals.

Fraud can be carried out in a variety of ways, with criminals becoming increasingly inventive. For example, they pretend to be a supplier or creditor, over the phone or by email, and try to trick you into paying an upcoming invoice to a bank account they control. Or they pretend to be a company you actually have a relationship with and, under the pretext that their bank account has changed, or that they temporarily don't have access to your regular account, get you to transfer money to another account, or ask you to change bank details for future invoices.

A sense of urgency is usually created so as not to give you time to think and check whether things really are the way they are presented to you. Often, fraudsters operate before weekends and holidays, when employees are in a hurry to do their work and their vigilance is reduced. A combination of approaches can also be used - phone call, email, letter, etc.

Sometimes criminals pose as executives in the organization and try to trick employees into paying a fake invoice or making an unauthorized transfer from the company's business account.

Another form of IBAN fraud is through fake bank websites that mimic the authentic bank page, and emails that invite you to open such fake sites and make transactions through them. You can become a victim of fraud if you use a fake link to access your online banking, rather than the official link to your bank's online banking.

The fake site looks very similar to your bank's page, with the same name, colors and logo. It completely copies the real e-banking page, but it is controlled by criminals who monitor your actions in real time and divert the funds you transfer to their bank accounts. It is very difficult for people to imagine that while they are at the screen in front of their computer, at the same time, on another screen, criminals are watching and controlling their every step and at the last moment diverting money to their accounts. But the rapid pace at which every activity is digitized, including banking, creates the conditions for new types of fraud and, accordingly, requires new ways to protect ourselves.

That is why it is very important not to use random links and advertising banners on the Internet to access your banking, but always manually enter the address of your bank's web page in your browser, as well as carefully check the IBAN, that is, the number of the account you are transferring money to when your bank sends you a confirmation message for the transfer you are making.

Another common way criminals can gain access to your bank accounts and control the transfers you make is by having malware installed on your computer, which allows fraudsters to access your online banking. This is most often done through so-called phishing emails impersonating legitimate companies, through which fraudsters aim to gain access to sensitive personal and banking data. They usually ask you to "verify", "update" or "activate" your account, change or confirm your details and passwords, open links and applications, or install software on your computer and mobile phone, under the pretext that if you don't, your access to a service will be restricted, or that doing so will increase your security.

Many people are deceived because they are afraid of becoming a victim of fraud, and ironically, in doing so, they themselves open the door to criminals and give them access to their bank accounts, believing that what they are doing is for their own good. The victim persuasion mechanism is similar to how, until recently, people threw money and valuables from their balconies, believing they were helping the police catch criminals. It is important not to give in to such requests, and not to provide by phone, email or SMS any passwords or one-time codes that you receive. Your bank will never ask you for such information.

If we can make a comparison with the analog scams we witnessed years ago, giving your details on the Internet is equivalent to a stranger stopping you on the street and asking to make a copy of your ID or bank card. You wouldn't let him do that, would you? So why do we tend to enter our data all over the internet?

- How could businesses and individuals recognize and protect themselves from this type of fraud?

- If you find yourself in a situation where you are asked to change bank details for invoices due, it is best that you personally contact or meet, if possible, the representatives of the company whom you usually work with and know. Do it through the channels you normally use to contact them - phone, email - to check if they really contacted you or if you were the victim of a scam. Check any requests that appear to be from your creditors, especially if they are for changes to their bank details for future invoices. Do not use the contact details from the letter/fax/email requesting the change. Instead, use those from previous correspondence or from the company's official web page.

Instruct employees responsible for paying invoices to always check them for irregularities. Conduct staff training to recognize the most common types of cyber fraud and ensure your employees are informed and aware of these types of fraud and how to avoid them. Create single points of contact with companies to whom you make regular payments. For payments above a certain threshold, create a procedure to confirm the correct bank account and recipient, for example, a video call or other secure contact with the company. When the invoice is paid, send an email to inform the recipient.

Do not respond to suspicious e-mails and do not perform the actions that are described in the e-mail - do not open links and attachments, do not install applications and under no circumstances enter your personal and bank data, especially passwords and access codes.

Do not provide your details either by email or by phone. If they call you on the phone and pretend to be a bank or other company, hang up and contact the company on their official contact details to check whether they really tried to reach you. Be especially suspicious of calls from overseas numbers.

If in doubt, contact your bank and forward the suspicious email to them. Be cautious and suspicious of e-mails written with spelling mistakes and those that require you to take urgent, immediate action. Your bank will never send you such an email, nor will it ask you to enter your personal details and passwords, sensitive information, bank details and credit and debit card details.

It is extremely important when making a bank transfer via e- and mobile banking that you compare the IBAN number, not just the amount, on the confirmation sent to you by the bank. Often, fraudsters, in order to fool their victims, make an irregular transfer from their accounts at the same time and for the same amount, but to a different bank account. Always check the account number that you entered against the one you subsequently receive via a bank token to confirm the transaction.

If you suspect that you have been a victim of fraud, immediately stop transferring money and contact your bank and the police.

- What would you advise citizens and companies about their safety on the Internet?

- The types of fraud in the Internet space are extremely diverse, and criminals are becoming more inventive, adapting their methods to the new realities. But there are a few basic rules, and if you follow them, you minimize the possibility of becoming a victim of fraud.

Always access your bank's e-banking from the official website and never from Internet links and advertising banners. They lead to fake pages imitating the real ones and are controlled by fraudsters.

Be suspicious of emails and phone calls from people pretending to be your bank, and those who, for one reason or another, want access to your details. In case you receive such an email, do not perform the actions described in it, do not enter your data or open any links.

If you receive a suspicious work email or phone call, always notify the company's IT department.

Be wary of unsolicited offers by email or phone.

Avoid sharing sensitive information on social media, including information about an employer.

Be suspicious of contacts from dating sites. Do not provide data or send money.

Do not provide your bank account or make money transfers for another person, as this may constitute money laundering and is a crime.

Be suspicious of tempting offers promising safe investments, guaranteed returns and big profits, for example, investment offers or cryptocurrency trading offers. If something is too good to be true, it is most likely just a scam.

On the page of the Association of Banks in Bulgaria, as well as on the banks' web pages, you can find more information about the most common types of fraud, how to recognize them and how to protect yourself from them: https://abanksb.bg/press/ecsm-2021-cyber-scams/   

If in doubt, contact your bank immediately.
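
The following sketch is an added illustration and not part of the interview or of any bank's tooling: it shows how an accounts-payable team could automate the advice above to compare the IBAN on an invoice with the one already verified for that counterparty and to require a call-back above a payment threshold. The vendor record, the threshold value and the function names are hypothetical; the IBANs are the widely published documentation examples.

```python
import re

def normalize_iban(raw: str) -> str:
    """Drop spaces/punctuation and upper-case, so reformatted copies compare equal."""
    return re.sub(r"[^A-Za-z0-9]", "", raw).upper()

def iban_checksum_ok(raw: str) -> bool:
    """ISO 13616 mod-97 check: move the first 4 chars to the end, map A..Z to 10..35."""
    iban = normalize_iban(raw)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

# Constructed vendor master: IBANs confirmed earlier through a known contact person.
VENDOR_MASTER = {"ACME-GMBH": "DE89 3704 0044 0532 0130 00"}
CALLBACK_THRESHOLD_EUR = 10_000  # assumed policy value, set by the company

def review_payment(vendor_id, invoice_iban, amount_eur, callback_confirmed=False):
    """Return (decision, reason); decision is 'release' or 'hold'."""
    known = VENDOR_MASTER.get(vendor_id)
    if known is None:
        return "hold", "unknown vendor: no verified IBAN on file"
    if not iban_checksum_ok(invoice_iban):
        return "hold", "IBAN fails the mod-97 check (typo or tampering)"
    if normalize_iban(invoice_iban) != normalize_iban(known):
        # A valid checksum says nothing about ownership: a fraudster's
        # account is a perfectly valid IBAN too, so a mismatch always holds.
        return "hold", "IBAN differs from verified record: confirm via contact details on file"
    if amount_eur >= CALLBACK_THRESHOLD_EUR and not callback_confirmed:
        return "hold", "above threshold: call-back confirmation required"
    return "release", "IBAN matches verified record"

if __name__ == "__main__":
    # Constructed invoices: unchanged account, swapped account, large payment.
    for iban, amount in [("de89370400440532013000", 500),
                         ("GB82 WEST 1234 5698 7654 32", 500),
                         ("DE89 3704 0044 0532 0130 00", 50_000)]:
        print(iban, amount, review_payment("ACME-GMBH", iban, amount))
```

A held payment is released only after the change has been confirmed through the contact details already on file, never through those given in the message that requested the change.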