
Recognizing common threats

Written by Anna Dziurosz
Updated this week

Most fraud doesn’t happen through hacking — it happens through manipulation. Understanding the tactics used by fraudsters helps you and your team spot danger before it causes damage. Here are the top threats facing SMEs today and how to defend against them.


1. Phishing & Social Engineering

Social engineering is when fraudsters trick people — not systems. They impersonate trusted parties, create urgency, or use fake authority to get you to reveal sensitive information or take unsafe actions.

Phishing is the most common form of social engineering. It typically involves messages that look legitimate but are designed to steal your credentials, access sensitive systems, or push you into making unauthorized payments. These attacks often copy the tone, branding, or timing of real communications, which is why they can fool even careful employees.

Common types of phishing:

  • Email phishing:
    Fake emails from what looks like Moss, a colleague, or a supplier. They usually include a link to a fake login page or a malicious file.

  • Spear phishing:
    Targeted attacks that use real context — names, roles, or past conversations — to fool specific individuals (e.g. your CFO or AP lead).

  • Voice phishing (vishing):
    A caller pretends to be Moss, your bank, or your boss. They may ask for card details, passwords or authorisation codes, or request a “test” payment.

  • SMS phishing (smishing):
    Text messages claiming to be from Moss or a supplier, asking you to click a link or confirm a payment.

  • AI-enhanced scams:
    Some attackers now use AI to write more convincing messages, fake voices, or generate deepfake images.

How to spot and avoid phishing:

  • Check the sender’s email address carefully — not just the display name.

  • Never share card details, passwords or authorisation codes via email, phone, or SMS.

  • Don’t click links in messages you weren’t expecting.

  • When in doubt, verify via a known, separate channel (e.g. call your CS Manager).

Want examples? See: What Moss Will Never Ask You


2. Fake Invoices & Supplier Scams

These scams target your accounts payable (AP) or finance team. The attacker may impersonate a known supplier and send a legitimate-looking invoice with new bank details.

What to look for:

  • A sudden request to update banking details

  • A message from what looks like a real supplier's email domain, but with small changes (e.g. @supplier.co → @suppl1er.co)

  • Pressure to “urgently” process a payment

  • Invoices that look visually correct but contain hidden changes
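
Added example (not Moss code and not part of the original article): one way an AP or security team could flag sender domains that imitate a supplier already on file, such as the @suppl1er.co case above. The supplier list, the look-alike character map and the distance threshold are assumptions chosen for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of supplier domains already on file (assumption).
KNOWN_SUPPLIER_DOMAINS = {"supplier.co", "acme-logistics.example"}

# Characters commonly swapped for one another; i, l, 1 and | share one class.
CONFUSABLES = str.maketrans(
    {"1": "l", "i": "l", "|": "l", "0": "o", "3": "e", "5": "s"}
)


def skeleton(domain: str) -> str:
    """Fold a domain to a comparison form: lowercase, no accents, look-alikes merged."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, matched_domain); verdict is known, lookalike or unknown.

    Only the address is inspected; the display name is ignored on purpose.
    """
    _display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return "known", domain
    for known in sorted(KNOWN_SUPPLIER_DOMAINS):
        # Same skeleton or a near miss means "verify through a second channel".
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 2:
            return "lookalike", known
    return "unknown", None
```

A "lookalike" verdict is a prompt to verify the sender through a second channel, not proof of fraud: a legitimate domain can sit within two edits of a supplier's.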

How to prevent it:

  • Always verify changes to payment details through a second channel (e.g. call the supplier)

  • Use Moss’ approval flows to add a second set of eyes before payments go out

  • Restrict who can approve supplier changes in your ERP


3. Account Takeover & Credential Theft

This is when a fraudster gains access to a real Moss user account — often through phishing, credential stuffing, or remote access scams.

How it happens:

  • The attacker tricks a user into giving up a password and/or authorisation code

  • A shared or weak password is reused from another breach

  • The user unknowingly installs remote access software that gives the attacker full control

Signs of compromise:

  • New devices or logins showing up unexpectedly

  • Approvals or payments made without your knowledge

  • SMS or push notifications with authorisations for actions you didn’t request

  • A slow login process or session despite a stable internet connection

How to protect yourself:

  • Never share the security details of your account with anyone. Moss will never ask for your password or authorisation codes

  • Never install remote access software or give others access to your device

  • Use the Moss Mobile App for two-factor authentication

  • Never reuse passwords across platforms

  • Regularly review your login and transaction history and remove unrecognized devices

  • Educate your team on the red flags covered above

If you see any of these signs, take action immediately. Follow these 5 steps.


4. Using Your Moss Card Safely Online

Fraudsters often create fake online stores or spoofed checkout pages to steal card details. Before using your Moss card to pay online, keep the following in mind:

  • Verify the merchant: Look for contact details, company information, and independent reviews. Be cautious with stores you’ve never heard of, especially if the site feels rushed or low quality.

  • Watch for warning signs: Unrealistic discounts, poor grammar, broken links, or non-functional checkout flows can all be red flags.

  • Avoid saving card details: Don’t let browsers or unfamiliar sites store your card data.

  • Use spend controls: Create dedicated virtual cards with spend limits for one-time purchases or untested vendors.

  • When in doubt, ask: If a website seems suspicious, check with your finance team or admin before making a payment.

If something feels off, trust your instinct and freeze the card immediately via Moss if needed.
