
Professionally and privately: how to protect yourself against internet fraud

Christmas is just around the corner, and many of us are now using the convenience and wide selection of countless online shops to buy gifts for our loved ones. Unfortunately, there are more and more fake providers on the internet, and they are not always recognisable at first glance. In the worst cases, victims pay fraudsters a lot of money, but the goods are never dispatched. Good to know: these can be independent websites, but also providers on established sales platforms such as Amazon or eBay.

To make your Christmas shopping a little safer, we have summarised how you can recognise fraudulent shops on the internet and what you can do if you have fallen victim despite all your caution.

Illegal activities with serious consequences are not only taking place in our private lives, but also increasingly in our professional lives. In the second part of the article, our experts explain which damage scenarios are circulating and categorise them for you in legal and insurance terms.
 

What are fake shops?

Fake shops are difficult to recognise at first glance, partly because they are sometimes deceptively genuine-looking copies of real websites.

The providers often advertise bargains and require payment in advance. However, the promised goods never reach the consumer. According to the consumer advice centre, fraudulent traders even feign delivery problems and put off those affected in order to prevent them from taking further action.  
 

What options do you have if you have already fallen victim to a fraudster?

If you have made a payment, contact your bank immediately, which can stop the payment depending on the time of day and day of the week. On average, the payment can be stopped within a few hours, sometimes just a few seconds. If you have paid by direct debit, the bank can recover the money up to eight weeks after collection. You should also save all receipts relating to your online order. This includes, for example, the purchase contract and order confirmation as well as a screenshot of the offer. 

In legal terms, the entire situation is clearly a scam. Victims can have the documents checked by the consumer advice centre and file a criminal complaint with the police.
 

Prevention: You can check online shops here

The consumer advice centre offers a tool for increased protection when shopping online: with the fake shop finder, you can easily check the URL of a website. After you enter the web address in the input field, the tool assesses the online shop, lists technical features that indicate fake shops and provides information about existing reviews in well-known portals.



Online fraud also takes place in the workplace

However, fraud is on the rise not only in private life around Christmas, but also in everyday working life.

Sandra Dammalacks, Head of Financial Lines and Cyber at deas, describes a common scenario: ‘In email spoofing, third parties fraudulently fake emails from known contractual partners, customers or colleagues. At first glance, it is not recognisable that it is not the person identified, as the typeface and other details are professionally falsified, for example.’ The perpetrators claim, for example, that the bank details have changed and no longer correspond to the original details. It is not uncommon for the ‘new’ bank details to be a foreign IBAN. Believing in good faith that the change is genuine, the accounting staff adopt the new bank details and pay the invoice amount to the supposedly genuine bank account. The fraud is often only discovered later, when the contractual partner gets in touch, sends a reminder about the outstanding invoice and insists that the claim be settled.

Efforts to recover the money paid to the wrong bank account via a bank recall are often unsuccessful: due to the time that has elapsed and the well-planned offence, the money has usually already been forwarded and cannot be accessed. Criminal proceedings often come to nothing, as the perpetrators usually operate from abroad.
 

Legal assessment and categorisation of the insurance cover

From a legal point of view, the question of whether the payment to the wrong bank account has released a company from its original payment obligation can be answered quite clearly. Alexander Bayer, fully qualified lawyer and Financial Lines Legal Protection Team Leader at the Ecclesia Group, explains: ‘If it is clear that the access is solely attributable to the area of responsibility of a company, the original claim of the genuine contractual partner continues to exist. In other words, the contractual partner does not have to accept responsibility for the incorrect payment and you have to pay him - again. This can be different if the perpetrators have penetrated your contractual partner's IT system and thus gained knowledge of the claim.’ Proving this is often extremely difficult in practice. It always comes down to the question of whose area of responsibility the perpetrators' intrusion lies in.

In principle, such cases are covered by fidelity insurance, insofar as there is appropriate cover and so-called fraudulent damage caused by third parties is also insured.
 

How can such damage be avoided?

Alexander Beyer: ‘Ideally, there should be no claims at all. Unfortunately, we are increasingly noticing in claims practice that the perpetrators are acting more and more professionally, making it more and more difficult for the victims to recognise the deception.’ The first cases were still characterised by messages in broken German and with obviously different email addresses, but now the deceptions can only be detected with extreme vigilance.

What can you do to avoid damage? Firstly, you should always pay increased attention to payment transactions. We suggest that you draw up instructions on how to proceed in the event of a change of bank details and what steps to take. Foreign bank details in particular should always be seen as a clear warning sign unless money is regularly paid abroad. We strongly recommend that several people are always involved in payment transactions - keyword: dual control principle.  

Experience has shown that the most effective way to avoid becoming a victim of fraud is to contact the contractual partner by telephone. Asking by e-mail is usually completely unsuitable, as the perpetrators track your e-mail correspondence, intercept the e-mail and reply to it. 
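The steps above (foreign bank details as a warning sign, dual control, confirmation by telephone) can be written down as a release check for bank-detail changes. The following is an added example, not part of the original article or of any product mentioned in it; the record layout, the idea of comparing the dialled number with a number already on file, and all sample values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Vendor:                       # master data already on file
    iban: str
    phone_on_file: str
    pays_abroad_regularly: bool = False

@dataclass
class ChangeRequest:                # hypothetical record of a requested change
    new_iban: str
    dialled_number: str = ""        # number actually called to confirm
    approvers: set = field(default_factory=set)

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 checksum: catches typos, says nothing about ownership."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34 and s.isascii() and s.isalnum()):
        return False
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1

def review_change(vendor: Vendor, req: ChangeRequest) -> list:
    """Return the reasons that block the change; an empty list means release."""
    blockers = []
    if not iban_is_valid(req.new_iban):
        blockers.append("IBAN fails checksum")
    old_cc, new_cc = vendor.iban[:2].upper(), req.new_iban.strip()[:2].upper()
    if new_cc != old_cc and not vendor.pays_abroad_regularly:
        blockers.append(f"foreign bank details: {old_cc} -> {new_cc}")
    if req.dialled_number != vendor.phone_on_file:
        blockers.append("not confirmed by phone via the number on file")
    if len(req.approvers) < 2:
        blockers.append("dual control: two distinct approvers required")
    return blockers

# Constructed sample data (documentation IBANs, invented phone numbers and names).
SUPPLIER = Vendor("DE89 3704 0044 0532 0130 00", "+49 30 5550100")
SPOOFED = ChangeRequest("GB82 WEST 1234 5698 7654 32",
                        dialled_number="+44 20 5550199",  # number taken from the e-mail
                        approvers={"clerk.a"})

if __name__ == "__main__":
    for reason in review_change(SUPPLIER, SPOOFED):
        print("BLOCK:", reason)
```

A valid checksum alone does not release the change: the spoofed request carries a well-formed IBAN and is still blocked on the country change, the missing call to the known number and the single approver.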
 

Further damage scenarios: Supposed IT helpdesk and deepfakes

Abdullah Keser, cyber expert at deas, reports: “Currently, employees in companies are increasingly receiving fake Teams calls from the supposed IT helpdesk. The perpetrators are trying to gain access to the IT system. It is important here not to share any personal information - such as passwords - with third parties and not to authorise access to the network (for example by requesting the installation of software). If an IT employee actually asks for passwords, do not provide any information and contact your IT department independently.” Increased awareness within the workforce is also required here. The expert also recommends: “It should be checked whether the company's security settings need to be more strictly regulated. This includes, for example, ensuring that screen sharing via Teams with external dialogue partners is not technically possible. Alternatively, Teams communication with external contacts could be completely restricted.”

Deepfakes are particularly critical: in calls or video calls, the voices and faces of board members and managing directors are faked or replicated 1:1 by AI and payment orders are triggered in the accounting department. Before any payment is made, it is crucial to verify that the payment order really comes from the actual person. If transfers are made without a written instruction, solely on the basis of the deepfake call, there is likely to be no insurance cover under either fidelity insurance or cyber insurance, as these each require a written instruction.
 

Conclusion

What can you take away? There should always be a heightened level of vigilance in all payment transactions - whether private or corporate. In order to avoid or detect errors in a professional context, it is advisable to sensitise employees through suitable training measures and to set up a four-eyes principle that must not be deviated from. If there are discrepancies with regard to the payment of invoices, such as changes to bank details, the contractual partner should always be contacted by telephone and the accuracy of the information verified. When shopping online, always pay attention to the authenticity of the site and, if in doubt, check it carefully before finalising a purchase.

If you have any questions on this topic, please do not hesitate to contact us.