Spotting Fintech Scams: Protecting Your Business and Card Accounts
Brands like Pleo, Revolut, and Monzo are changing how we spend, but they are also targets for corporate fraud. Here is how to spot a fintech scam.
Modern fintech platforms like Pleo, Revolut, and Starling have made business spending and personal banking faster than ever. Unfortunately, scammers have also sped up their efforts to target these accounts.
Because these apps are tied to direct credit lines and corporate cards, a single compromised account can lead to significant financial loss for a business.
Here is a guide on how to spot and avoid scams targeting modern finance and fintech apps.
Why Scammers Target Fintech
Traditional banks have decades of "security branding" that makes users cautious. In contrast, fintech apps often emphasize "frictionless" speed and ease of use. Scammers exploit this mindset by creating fake crises that require an "immediate, frictionless" solution.
The Most Common Fintech Scam Patterns
1. The "Security Alert" SMS (Smishing)
You receive a text claiming your corporate card has been "temporarily limited" or a "new login was detected from Hamburg, Germany." It provides a link to "Secure your account" or "Verify your identity."
The Red Flag: These links almost always lead to a phishing page designed to steal your login credentials and, more importantly, your Two-Factor Authentication (2FA) code.
2. The "Unauthorized Payment" Refund
An email or text warns of a large pending transaction (e.g., "A payment of £849 to Apple Store is pending"). It tells you to click a link if you didn't authorize the payment.
The Red Flag: This is a classic "reverse psychology" scam. By offering to "stop" a fake payment, the scammer gets you to hand over your real account access details.
3. The "Helpful" Support Call
You receive a phone call from someone claiming to be from the fintech's "Fraud Department." They may already know your name or the last four digits of your card (information they got from a previous data breach). They ask you to "confirm a code" sent to your phone or to move your money to a "safe account."
The Red Flag: No legitimate fintech company will ever ask you to move your money to a different account for security reasons, nor will they ask you to read back a security code over the phone.
4 Rules for Fintech Security
1. Trust the App, Not the Link
If you get a notification about your account, never click the link in the message. Instead, close the message and open the official app on your phone. If there is a real security issue, the app will notify you with a persistent alert or message once you are safely logged in.
2. Check the Sender Domain
Official emails from these companies will always come from their primary domain (e.g., `pleo.io`, `revolut.com`). Be wary of lookalikes like `pleo-security.com` or `revolut-verification.net`.
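The sender-domain check above, as an added example that is not code from this article or from any of the companies named. The allowlist holds only the two domains the article cites, and the sample headers are constructed for illustration:

```python
from email.utils import parseaddr

# Assumption: brand -> official sending domain, taken from the article's examples.
OFFICIAL = {"pleo": "pleo.io", "revolut": "revolut.com"}
# Fold common digit-for-letter swaps so "rev0lut" still matches "revolut".
FOLD = str.maketrans("013", "ole")


def classify_sender(from_header):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a From header."""
    display, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if not domain:
        return "invalid"
    # Official: the exact domain, or a true subdomain (the leading dot enforces
    # a label boundary, so "pleo.io.account-check.example" does not pass).
    for official in OFFICIAL.values():
        if domain == official or domain.endswith("." + official):
            return "official"
    # Lookalike: the brand name shows up in the domain or the display name,
    # but the domain is not the brand's own. Substring matching can produce
    # false positives on unrelated words; treat a hit as "verify in the app".
    haystack = (domain + " " + display.lower()).translate(FOLD)
    if any(brand in haystack for brand in OFFICIAL):
        return "lookalike"
    return "unrelated"


# Constructed sample headers (not real messages).
SAMPLES = [
    "Pleo <receipts@pleo.io>",
    "no-reply@mail.revolut.com",
    "Pleo Security <alerts@pleo-security.com>",
    "verify@revolut-verification.net",
    "help@pleo.io.account-check.example",
    '"Revolut Support" <help@mail-notify.example>',
    "team@rev0lut.com",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

The From header only states a claimed sender and can be forged, so an "official" result here still depends on the receiving mail system's SPF, DKIM and DMARC checks.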
3. Never Share Your 2FA Code
Your Two-Factor Authentication code (usually a 6-digit number) is the last line of defense. Scammers need this to take over your account or authorize a large payment. Never type it into a website you reached via a link, and never share it with anyone over the phone.
4. Be Wary of Corporate Impersonation
If you use a corporate card like Pleo, scammers may pretend to be your company's "Admin" or "HR" asking you to re-verify your card details via a "new company portal." Always verify such requests through your internal company Slack, Teams, or email first.
Summary
Fintech apps are secure, but the human element remains the most common point of failure. By treating every urgent "Security Alert" with healthy skepticism and using the official app for all verifications, you can keep your (and your company's) money safe.
Stop Guessing. Know if it's a scam instantly.
Join thousands of users who trust IsThisSpam to automatically analyze suspicious emails, links, and messages before they do any harm.