
Even though companies are constantly improving their security solutions, it is often forgotten that people remain the weakest link. Marko Kiisa, the Head of SME Financing at LHV, shares practical advice on how companies can stay secure at a time when different types of fraud are becoming increasingly common.
Today, criminals focus not only on technical systems but also on situations where people can be unintentionally misled. In a recent press release, Eesti Pank noted that fraudsters are increasingly targeting private individuals with a connection to companies. This can enable them to gain access to both personal and company bank accounts, for example, through an accountant or the entrepreneur themselves.
As a result, active and engaged individuals can become attractive targets, as their calm everyday routines or, conversely, their very busy lifestyles may create moments where extra caution is needed. Cybercriminals are no longer only interested in large corporations with multimillion-euro turnovers. Anyone can be affected, regardless of industry or the size of the organisation.
Recent cases clearly point to a shift in how fraudsters operate: instead of so-called cold calls, they increasingly rely on more targeted approaches. Before contacting a potential victim, they carry out thorough background research, gathering as much information as possible about the person’s work, habits, and social circle from public sources and social media. This information is then used to create a believable story that includes details designed to build trust.
The following examples of common fraud schemes demonstrate just how thoughtfully and strategically criminals can operate.
Example 1
Recently, a company fell victim to BEC fraud (business email compromise), also known as email fraud. The company had been actively exchanging emails with a long-term partner regarding the purchase of high-value goods. An invoice was received, but the seller’s bank account number differed from that used previously. As there were no clearly defined internal procedures for such situations, the company’s accountant paid the invoice as usual. It later emerged that the invoice was fraudulent, with EUR 15,000 having been transferred to scammers.
This example highlights the importance of verifying changes to a partner’s bank details through more than one channel.
Example 2
A member of a company’s management board became involved in a scam call made in the name of the Health Insurance Fund. During an initial phone call, supposedly to confirm a doctor’s appointment, the caller managed to obtain the person’s PIN1. As the fraudsters had learned during their background research that the individual was elderly and had obtained their personal identification code from public sources, they were able to reasonably assume that a recent doctor’s visit had taken place. This made their story feel convincing to the victim. Shortly afterwards, a caller posing as a bank employee contacted the victim, explaining that the previous call had been fraudulent and that several actions now needed to be confirmed with PIN2 to ensure account security. This gave the criminals access to the victim’s bank account, from which transfers were then made.
Such schemes are often targeted at people connected to companies. These individuals may have higher payment limits and access to multiple accounts, which makes additional vigilance especially important.
Example 3
A member of a company’s management board received a call from someone claiming to be from Elektrilevi. The caller stated that their electricity meter needed to be replaced. As the caller knew both the person’s name and address, the situation seemed legitimate. This was followed by another call, this time from the ‘bank’, expressing concern about suspicious transactions on the account. A third call then came from the police, who claimed that a dishonest bank employee had leaked customer data and that a covert investigation was under way, meaning the person should not discuss the situation with relatives or the bank. During this call, the victim was asked to confirm a new Smart-ID code on the scammers’ device. They were told that this was necessary to secure the bank account and to allow the police to provide effective assistance.
By using a multi-step approach, criminals take advantage of time pressure, stress, and people’s natural trust in authority. In such circumstances, even individuals who are usually very careful can find the situation to be challenging.
Based on these examples, here are four practical recommendations that every entrepreneur may find useful.
- Help employees recognise common fraud schemes.
Awareness is one of the strongest forms of protection. Introduce employees to the three main methods used by criminals: phishing (digital scams, usually via email and links), smishing (SMS-based scams that direct recipients to fake links or request information), and vishing (phone scams where callers pose as representatives of official institutions). Emphasise the importance of never confirming actions requested over the phone using Smart-ID, particularly if the caller is applying pressure or presenting themselves as an authority figure. Even actions taken as a private individual can sometimes have implications for the company.
- Establish clear payment approval processes.
Consider from which amount onwards the four-eyes principle should apply when approving payments. In addition, implement a double approval process for payments and define clear rules for sharing payment instructions (for example, not accepting payment details over the phone, verifying information via multiple channels, and not releasing goods based solely on PDF documents). Clear processes make it easier for employees to act with confidence and accuracy.
- Take care of your own digital security.
Personal habits play an important role in company security. Use multi-factor authentication, choose strong passwords, and update them regularly. Avoid carrying out sensitive actions on public internet networks. These simple steps help protect access to company email accounts and reduce the risk of misuse in your name.
- Be mindful of how much personal information is publicly available.
Take a moment to consider how much information about you can be found online. For example, is your home address listed as the company’s location in the commercial register when this is not necessary? How easy is it to identify individuals associated with your company? The less personal information that is publicly available, the harder it is for scammers to create convincing stories, and the less likely it is that you or your employees will be targeted.
Secure entrepreneurship is the result of informed and conscious choices. Even in a fast-paced working environment, it is worth pausing for a moment: if something feels unusual, paying extra attention is always a good idea.
While it may feel difficult to completely avoid fraud in today’s environment, every entrepreneur can take cost-effective steps to make scammers’ work significantly harder. By staying informed, supporting employees, and keeping processes well thought out, the risk of fraud can be reduced considerably.




