How to Prevent Phishing and Other Business Fraud

In 2023, phishing was the leading and second costliest fraud claim in FBI investigations, with almost $3 billion in losses.1 Phishing is a social engineering scam in which criminals use emails or texts that appear to be from legitimate sources to request personal, financial and/or login credentials with which to access accounts or demand payments. Phone calls (“vishing”) are also a common tactic of this type of external fraud. It’s imperative that corporations know how to prevent phishing.

How should you protect your organization from phishing and other business fraud?

Vigilance is the best fraud preventative. Criminals rely on distraction and deception to commit their schemes. However, early detection and decisive action help to avoid becoming a victim.

1. Recognize spoofed calls and web-based communication.

   “Spoofing” is just another tactic that fraudsters use to impersonate legitimate contacts while committing business fraud. It’s not phishing but can be used in phishing attacks. In this scheme, bad actors manipulate phone numbers, emails, websites, and networks to mimic genuine ones, hoping you will not notice the differences. Pay attention to details. Do not authorize payments, click embedded links or websites within an email, or provide any information that fraudsters can use to access or duplicate your accounts.
   
   If you don’t recognize a number in caller ID, don’t answer. If you do answer and are doubtful of the caller’s identity, hang up and call your financial institution immediately. Also contact targeted vendors or customers to verify communications if necessary.
   
   To ensure you aren’t engaging with a fake website type the address into the browser yourself. If you are unfamiliar with a site you would like to explore, take precautions before you browse.
   • Use a website checker like Google Safe Browsing to evaluate a site’s security status.
   • Carefully review the URL for misspellings, a suspicious extension and other flags that may indicate a fake site.
   • Look for a site seal that verifies its authenticity.
   • Check the site’s security information for TSL/SSL certificates. The organization validation (OV) and extended validation (EV) certificates ensure the business is registered and/or has the highest level of authentication, respectively. Fraudsters most often use domain validation (DV) certificates, which don’t require the same proof of ownership diligence, to create fake websites.
   • Be aware of icons that indicate various levels of security.
     • Padlocks confirm the site’s connection is hypertext protocol secure (HTTPS).
     • Info icons advise that a site doesn’t meet all the necessary standards for security. For instance, it might have HTTPS, but other elements could be unencrypted. Don’t provide sensitive information on these sites.
     • Triangles with exclamations warn that a site uses HTTP with plain text and isn’t secure. Don’t provide sensitive data or personal details.
     • “Not Secure” labels clearly indicate elevated risk levels. Avoid these sites.

2. Remember your financial institution will never call, email, or text you to ask for personal information.

   If you receive unsolicited or “urgent” communication requests for payment or to provide personal or account information or access, do not click on links or otherwise respond. Delete the email or text. If you receive a phone call with requests of this type, hang up. Immediately contact your financial institution directly, using an established phone number to inquire about the communication if your account was phished. Synovus clients can call bankers directly or 888-SYNOVUS (796-6887) to verify the authenticity of incoming calls or other attempted contacts, as well as learn how to prevent phishing and other business fraud.
   
   You should also report suspicious activity to your institution’s fraud department as well as the FBI.