Phishing, spoofing, fake bank advisor, fake courier – discover these various types of fraud in this article and the precautions to take to protect yourself.
Firstly, whether through email, SMS, or phone, Qonto will never request your confidential information such as:
- Your password,
- Your login credentials,
- Your payment card number.
We will never ask you to make a transfer to secure your funds. If a third party asks you to approve a transfer through Strong Authentication to cancel a fraudulent operation, it is a scam: Strong Authentication is only used to approve outgoing transactions. Similarly, we will never ask you to hand over your payment card to a third party, such as a courier, to 'secure' your Qonto account.
Qonto will contact you exclusively through the email address you use to log in to your account, never at your personal email address. If in doubt, use the in-app chat in the Qonto application.
Can a fraudster call me with a phone number identical to Qonto's?
Yes, it's possible. A fraudster can modify their caller ID so that it appears as Qonto on the victim's phone during the call. This is known as spoofing.
It's not an intrusion into your phone line but rather an impersonation of a phone number. The same applies to emails.
What is this method?
Spoofing is a fraudulent technique where a fraudster alters their identifiers to pose as a legitimate institution.
It is used in social engineering fraud attempts, especially fake bank advisor scams. In the case of Qonto, the fraudster poses as one of our agents to a client.
By displaying our phone number during the call, the fraudster increases the chances of gaining the victim's trust and persuading them to perform a fraudulent operation, allowing the fraudster to extract money or take control of the Qonto account.
How to verify if the person on the phone is a genuine Qonto advisor?
No Qonto employee will ask you for confidential information or to perform operations. If this happens or if in doubt, hang up and contact us directly through the chat from your account.
The fake bank advisor scam is a form of social engineering. This method involves manipulating a client to gain their trust, obtain confidential information, or induce them to carry out fraudulent operations.
In the case of Qonto, the fraudster contacts the client, usually by phone, pretending to be a Qonto agent. They then attempt to extract money or take control of the target's account.
This method relies on three pillars:
- Impersonating the identity of a legitimate institution
- Creating a sense of urgency
- Establishing a trusting relationship with the victim
What are these three pillars in detail?
Impersonating the identity of a legitimate institution
The fraudster presents themselves as an employee of Qonto. Their speech is polished and professional. They borrow from the vocabulary of real bank advisors and mimic seemingly legitimate protocols.
They may also modify their caller ID to make 'Qonto' appear on the victim's phone during the call (spoofing). It's not an intrusion into your phone line but an impersonation of the phone number. The same applies to emails.
Creating a sense of urgency
The fraudster immediately seeks to establish a sense of urgency with the victim to minimize questions about their legitimacy.
They may claim to have identified fraudulent transactions on your account and ask you to perform certain operations to "secure" your account.
They emphasize the need to act quickly, even if it involves bypassing basic security rules. They may also ask you to keep it quiet and not disclose your interactions with them.
Gaining your trust
The fraudster desperately seeks to gain the victim's trust to get them to perform the desired actions.
To do this, they rely on information that you consider confidential and unique. In reality, most of this information is easily accessible:
- Your personal information (last name, first name, and phone number) can be collected on social networks.
- The first six digits of your bank card are common to all cards.
- You may have shared your IBAN with a service provider, and it could have been subject to a data leak.
- Very popular merchants such as Amazon, Fnac, or eBay are highly likely to appear among your latest transactions.
💡 It's also possible that the fraudster initially obtained your sensitive information through phishing.
What are the typical requests of fraudsters in this case?
With Strong Authentication now mandatory for Qonto accounts, the fake bank advisor needs the client to perform or approve certain operations themselves.
The fraudster may ask you to:
- Change your password, either using a temporary password they provided or by asking you to share the new password with them.
- Change the phone number linked to your account.
- Authorize new connections to your account through Strong Authentication.
- Add a new member or administrator to your account.
- Approve new beneficiaries, card transactions, and/or transfers through Strong Authentication.
This list is not exhaustive.
By performing these actions and approving them through Strong Authentication, you involuntarily participate in the fraud, allowing the fraudster to empty your account or take control of it.
💡 Recently, the fake bank advisor scam has often been accompanied by a fake courier scam. After warning the client of a supposed fraud attempt on their account, the fraudster informs the victim that a courier will be dispatched to retrieve the payment card in order to replace it and secure the account.
Qonto will never ask you to hand over your payment card to a third party.
This email seems to come from Qonto, how can I ensure its authenticity?
Phishing, or spoofing, involves sending deceptive emails in which the fraudster poses as Qonto. In other cases, they use SMS, and this is referred to as smishing.
The fraudster aims to obtain personal information about the victim, either to impersonate them or to encourage them to take specific actions, such as sharing passwords or making fraudulent payments.
What is this method?
A common example is sending a message containing a link to malicious software designed to collect sensitive data once installed on the victim's device.
The fraudster can also encourage the victim to access their bank account or make an online transaction by mimicking a trusted site. The link actually redirects to a fraudulent site that collects personal information (such as bank account number, credit card details, security codes, etc.) and allows the fraudster to use them to steal money.
Subsequently, the obtained data can be used in social engineering fraud activities, reinforcing the credibility of the attack to take control of the victim's account or persuade them to validate banking operations.
How to guard against it?
Here are some best practices to follow to protect your Qonto account from phishing:
- Direct Access to Your Account: Save the site "app.qonto.com" in your bookmarks. We encourage you to use this shortcut to access the Qonto application. This avoids clicking on any potential links included in a fraudulent email. Download the official Qonto application available on mobile from the app store.
- Password Manager: Use this tool to store your Qonto password. The password manager detects phishing sites and will only suggest autofilling your credentials on the genuine Qonto site.
- Suspicious Link in an Email: If a link invites you to view a transaction or perform a sensitive operation, for example, do not click on it. Instead, log in to your Qonto application independently on your computer or phone. This allows you to have better control over the authentication process. In case of doubt, use the chat from your Qonto account to secure exchanges.
- Pre-Recorded Banking Information: Avoid saving your credentials and payment information online. If you choose to do so, only save them on trustworthy and secure sites (look for the padlock symbol on the left of the URL and an https connection).
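The password manager behaviour described above, as an added example that is not part of the original article and is not Qonto's or any password manager's own code: a simplified model of exact-origin matching against app.qonto.com, showing why lookalike links get no autofill. The sample links and the *.example hosts are constructed for illustration.

```javascript
// Added example (simplified model, not Qonto's or any password manager's code).
// The only origin treated as genuine is the address given in the article.
const TRUSTED_ORIGIN = "https://app.qonto.com";

// Decide whether a link points at the genuine origin, and say why not.
function classifyLink(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases host, drops default port
  } catch {
    return { trusted: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not https" };
  }
  if (url.username || url.password) {
    // Text before '@' is a user name, not the site; the real host follows it.
    return { trusted: false, reason: "userinfo present, real host is " + url.hostname };
  }
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    // Non-ASCII look-alike letters are encoded by the parser as xn-- labels.
    return { trusted: false, reason: "punycode host " + url.hostname };
  }
  if (url.origin !== TRUSTED_ORIGIN) {
    return { trusted: false, reason: "different host: " + url.host };
  }
  return { trusted: true, reason: "exact origin match" };
}

// Constructed sample links; the *.example hosts are placeholders.
const SAMPLE_LINKS = [
  "https://app.qonto.com/",
  "HTTPS://APP.QONTO.COM:443/",                   // same origin after normalisation
  "http://app.qonto.com/",                        // right host, no TLS
  "https://app.qonto.com.account-check.example/", // genuine name used as a subdomain
  "https://app.qonto.com@account-check.example/", // genuine name used as userinfo
  "https://app-qonto.com.example/",               // hyphenated lookalike
  "https://app.q\u043Ento.com/",                  // Cyrillic 'о' in place of Latin 'o'
];

function checkSamples() {
  return SAMPLE_LINKS.map((link) => ({ link, ...classifyLink(link) }));
}

for (const r of checkSamples()) {
  console.log((r.trusted ? "AUTOFILL " : "REFUSE   ") + r.link + "  (" + r.reason + ")");
}
```

Only the first two links pass. Every other link contains the text "qonto" somewhere, which is why a visual check of the address is weaker than an exact origin comparison.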
What to do if someone has used my identity to open a Qonto account?
We implement stringent checks during the creation of a new Qonto account, in compliance with current legislation.
However, if you suspect that someone has opened a Qonto account using your identity or that of your company, follow these steps:
- Promptly file a complaint with the relevant authorities so that you can provide us with the official report during our communication;
- Prepare a copy of your identification document and a Kbis (French business registration document) dated within the last 3 months for your company;
- Transmit these documents to us by email or through the chat so that we can take appropriate measures.