Don’t get scammed!
- Lauri
- Mar 25

Every year, Estonian individuals and businesses lose millions of euros due to cybercrime. Cybercrimes are mostly carried out for financial gain, but the motives can also include political reasons, hacktivism, revenge, or insider attacks. Fraud accounts for the largest share of cyber incidents. To avoid becoming a victim of fraud, learn to recognize different scam schemes! (https://www.itvaatlik.ee/en/common-scams/)
Not a day goes by without a headline about companies and individuals losing thousands to fraudsters. The wave of nationwide scamming became massive several years ago, when investing in cryptocurrency became popular, and it has evolved ever since. Known names, both local and international (banks, utility companies, courier companies, even the Police), are used to earn people’s trust. Once the connection has been established, people are tricked into giving access to their computers or entering their PIN codes (which enable fraudsters to access bank accounts and empty them).

Looks legit, but what are the giveaways? Besides there being no valid contract with the company, the senders use the 20-year-old name (EMT) of the company that is now called TELIA.
What should you, a foreign entrepreneur with an Estonian ID code, who’s also an e-resident, look out for?
Before getting to the types of fraud, some basic rules:
RULE No. 1 – never reveal your PIN1 and PIN2 via phone call. Not to the Police, not to the tax office, not to your agent, not to the courier delivering important mail. This is your personal information, meant to be known and used just by you.
RULE No. 2 – never enter your PIN, and especially PIN2, unless you have started the authorization of a transaction yourself.
Scammers have several ways to target you, as an entrepreneur, and your finances:
· By calling you and presenting themselves as representatives of trusted (state) institutions
· Phishing – usually attempts to get sensitive data via e-mail, which are often masked as correspondence from an institution (Police, Tax Office, financial institution) asking you to verify something by clicking on a link.
· Investment fraud – too-good-to-be-true offers
· Credit card frauds – make sure the site you are making a purchase on is trustworthy.
· Business frauds – there are quite a few ways to part you from your funds. Never rush or allow yourself to be rushed by others, and always double-check if you feel the need!
Phone Scams
In a high-trust society like Estonia, scammers often exploit our national confidence in public institutions. Be extremely wary of unexpected calls from individuals claiming to represent a bank, the Police (PPA), the Tax and Customs Board (MTA), courier or utility companies.
The goal of these "social engineering" attacks is to build rapid rapport or induce panic, convincing you to "collaborate" in an urgent investigation or security fix.
How to Verify a Caller
If you receive a suspicious or high-pressure call from an official-sounding source, follow this protocol:
The Call-Back Rule: Ask for the caller’s name and their official department. Hang up and find the organization’s general contact number via their official website or a trusted search engine.
Never Blindly Trust Caller ID: Technology allows scammers to "spoof" numbers, making it look like the Police or your bank is calling when they aren't.
The PIN Secret: Never enter your Smart-ID or Mobile-ID PINs unless you initiated the login or transaction. Estonian institutions will never ask you to authenticate a session they started, as scammers do. The usual trick is to pose as a DHL courier confirming an address. At the end of the call, they repeat the address, wish you a good day and tell you to confirm everything by entering PIN2 in the pop-up window (sometimes they don’t even tell you that; the official, legitimate pop-up will just appear). Do not enter anything, as they just want to get an activity confirmed, for example signing a loan in your or your company’s name.
No Remote Access: Under no circumstances should you download software (like AnyDesk or TeamViewer) that gives a stranger control over your computer. No legitimate Estonian agency will ever request this.
Remember: Real officials will never be offended if you choose to hang up and call them back through an official channel to verify their identity. It’s the professional thing to do.
Phishing
Phishing is a deceptive technique designed to steal your credentials or financial information. Be particularly alert when receiving messages requesting a KYC data update, notification of a missed parcel (e.g., from DHL or UPS), or any alert regarding your online accounts.
As highlighted by the experts at IT-vaatlik (IT-Cautious):
"Since phishing can reach you through numerous channels, it is vital to recognize the underlying patterns. Criminals constantly pivot to new platforms, but their core strategy remains the same."
The Anatomy of a Phishing Attempt
To successfully deceive you, attackers typically employ the following three-step strategy:
Impersonation: Scammers pose as a trusted entity—such as a bank, a service provider, or a government authority—to lower your guard.
Emotional Triggers: Messages are crafted to bypass your rational thinking by inducing anxiety, fear, curiosity, or greed. By creating a sense of "artificial urgency" (e.g., "Your account will be suspended in 2 hours"), they hope you will act before you think.
The Hook: The message will include a call to action, usually a link (often masked by a URL shortener like bit.ly) or a QR code. These lead to fraudulent websites designed to harvest your login details or payment information.

Do you notice anything unusual in this e-mail, sent by a known and loved Estonian financial institution?
Stay One Step Ahead
If a message claims there is "suspicious activity" on your account, do not click the link provided. Instead, open a new browser tab and log in directly through the official website or use the provider’s official app. If the alert is real, you will find it in your secure notification center there.
Investment Fraud
It’s rare to find an inbox or a call log these days that hasn't been targeted by "once-in-a-lifetime" investment opportunities. Scammers use a multi-channel approach—combining cold calls, persuasive emails, and sleek social media ads—to promise unrealistic Returns on Investment (ROI).
The golden rule of finance remains your best defense: If an offer sounds too good to be true, it almost certainly is. High returns without high risk simply do not exist in legitimate markets.
Protecting Your Capital
Ignore the Pressure: Scammers often use "limited-time" windows to force you into a quick decision. Legitimate investment platforms don't use high-pressure sales tactics.
Stick to the Proven: The safest path is to use established, regulated investment platforms. Avoid "boutique" or "exclusive" sites that you haven't thoroughly vetted.
Verify Compatibility: If you are looking for a new platform and aren't sure where to start, reach out! We can recommend trustworthy, e-resident-compatible solutions that are proven and secure.
Red Flag: If a "broker" asks you to send funds via crypto, wire transfer to a personal account, or through an obscure third-party app, terminate the conversation immediately.
Bank Card & E-Commerce Fraud
Card scams are one of the oldest tricks in the book, yet they continue to evolve. While many of us have developed a "sixth sense" for these traps, scammers are increasingly using clone sites—fraudulent storefronts that look identical to legitimate brands but operate under a slightly altered web address.
The most reliable red flag is often the price. If a high-end item normally retailing for $400 is listed for $50, it is almost certainly a scam. This applies to both personal shopping and business expenses, such as renewing software subscriptions, purchasing hardware, or ordering office supplies from unfamiliar vendors.
Pro-Tips for Secure Purchasing
The Reality Check: If a deal feels too good to be true, it is. Legitimate retailers rarely slash prices by 80% or 90% unless they are going out of business.
Audit the URL: Before entering payment details, double-check the address bar for extra characters, misspellings, or unusual domain extensions (e.g., .net-shop.com instead of .com).
Use Virtual Cards: For online transactions, use a virtual card with a custom spending limit. This keeps your primary business or personal account isolated from potential breaches.
Expert Tip: Only transfer the exact amount needed for the purchase to your virtual card right before you checkout. This leaves a "zero balance" for any hacker who might try to use the card details later.
Business Scams
Business scams are becoming increasingly sophisticated, often targeting a company's financial reserves through psychological manipulation. The most prevalent methods include:
CEO Fraud (Executive Impersonation)
Account Detail Alteration
Invoice Fraud
Understanding CEO Fraud
In a CEO Scam, an employee (often in finance) receives an urgent request—supposedly from the CEO—to authorize a priority wire transfer. While traditionally sent via email, scammers now use AI-generated voice messages or "deepfake" calls to add credibility.
Since many of our clients manage their own funds, this specific risk is lower if your accountant lacks direct account access. However, it is vital to establish a "Call-Back Protocol": agree that any unusual or urgent financial request must be verified through a secondary, known phone line before any action is taken.
Invoice & Account Scams
These tactics are typically the "second stage" of a successful phishing attack. Once a scammer gains access to a company’s email threads, they can easily intercept conversations and swap legitimate invoices for fraudulent ones containing their own bank details.
How to Protect Your Business:
Secondary Verification: If a vendor claims their banking details have changed, never hit "Reply." Instead, call a trusted contact at that company using a number from their official website.
Monitor Sender Identity: Be wary of subtle changes in email addresses (e.g., name@company-ltd.com instead of name@company.com).
Verify Out-of-Band: Always confirm "new" corporate details through a separate communication channel.
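The "Audit the URL" and "Monitor Sender Identity" checks above can be automated for incoming invoices and links. The following Python code is an added example, not part of the original post; the allowlist, the function names and the spelling-distance threshold are assumptions, and the sample addresses are constructed.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): domains you already do business with.
TRUSTED = {"company.com", "vendor.example"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(value):
    """Return the lower-cased host of an e-mail address or URL."""
    value = value.strip(" <>").lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    return value.rsplit("@", 1)[-1]

def classify(value, trusted=TRUSTED):
    """Return (verdict, imitated_domain) for a sender address or link."""
    host = domain_of(value).rstrip(".")
    for t in trusted:
        # Exact match or a genuine subdomain of a trusted domain.
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    labels = host.replace("-", ".").split(".")
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # Trusted name reused inside a different domain, e.g. company-ltd.com.
        if brand in labels:
            return ("lookalike", t)
        # Near-miss spelling; the threshold is an assumed heuristic.
        if edit_distance(host, t) <= (1 if len(t) < 10 else 2):
            return ("lookalike", t)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed samples, modelled on the examples in the text.
    for s in ["name@company.com", "name@company-ltd.com",
              "https://company.com.net-shop.com/pay", "billing@cornpany.com"]:
        print(s, classify(s))
```

A "lookalike" or "unknown" verdict is a prompt to verify through a separate, known channel, not proof of fraud.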
Fraudsters are constantly refining their tactics to stay ahead of the curve. Often, we feel a "gut instinct" that something is off—perhaps the request feels oddly urgent or out of character—yet scammers are experts at making the extraordinary seem routine.
Never hesitate to trust your intuition. Taking a moment to pause and verify a request isn't a sign of paranoia; it’s a necessary precaution. It is always better to prioritize your security than to act on a suspicious request out of politeness or haste.
Tips for Staying Sharp
The "Pause" Rule: If a message demands immediate action, wait five minutes. Scammers rely on manufactured panic to bypass your logic.
Independent Verification: Instead of clicking a link, go directly to the official website or app to check your account status.
Silence the Guilt: You are never "rude" for questioning an unusual request, even if it appears to come from a known contact.
Stay safe!



