Brazilian entrepreneurs must pay attention not only to managing their businesses but also, doubly so, to protecting them from scams. Anyone who thinks that threats only target large companies is mistaken. A survey carried out by the cybersecurity company Kaspersky shows that, in 2023 alone, 192 million attempted attacks against small and medium-sized companies in Brazil were blocked, the equivalent of 365 attacks per minute. Not even individual microentrepreneurs (MEIs) escape the traps.
With the deadline for submitting the Simples Nacional Annual Declaration (DASN-SIMEI) coming to an end on May 31, Sebrae Rio warns that threats against MEIs are intensifying, with criminals simulating official communications to induce improper payments or to steal data. Messages arrive via email, SMS and even WhatsApp.
— Pay attention to suspicious emails or messages that request personal data and avoid clicking on unknown links — says Pedro Ferreira, analyst at Sebrae Rio.
Scammers often adopt an alarmist tone, with messages such as “your CNPJ has been suspended” or “deadline for regularization”, directing victims to fake websites. The objective is to receive payments or steal data. It is important to know that the Ministry of Finance and the Federal Revenue Service do not send charges via links or request data via messages.
Furthermore, the State of Rio had, for the first time in history, more than 10 thousand companies opened in a single month: March 2026. The entry of new businesses into the market, added to the complexity of the tax system, increases the opportunities for cybercriminals to claim more victims.
AI enhances risk
Roberto Rebouças, general manager of Kaspersky in Brazil, explains that threats are more sophisticated and becoming increasingly personalized with the use of artificial intelligence.
— Criminals use AI to create fake emails and messages that are almost indistinguishable from legitimate ones, automate the search for vulnerabilities and develop malicious code that adapts to avoid detection — he says.
Fernando Zamai, cybersecurity leader at Cisco Brazil, points out that small businesses face additional challenges, such as limited budgets and a lack of specialized protection resources:
— Furthermore, hybrid work, the use of personal devices and the consumption of unsanctioned cloud applications make control difficult and increase risks considerably, making small businesses increasingly frequent targets for cyber attacks.
Know the scams
Business phishing and smishing
Messages sent via email and SMS that simulate legitimate communications, such as invoices, bills, charges or notices from suppliers, banks and service platforms, almost always with a sense of urgency. The objective is to trick the victim into clicking on links that lead to fake websites, providing credentials, authentication codes and financial data, or even installing malicious applications disguised as legitimate tools.
Ransomware
In this type of cyberattack, initial access may occur through a supposed invoice or supplier document, for example, which, when opened or downloaded, installs a malicious program capable of blocking or encrypting company systems and files, demanding the payment of a ransom to restore access.
Sending messages via WhatsApp
Through the messaging application, criminals pose as a legitimate contact — such as a customer, partner, bank or even technical support — to request links, attachments or bank details.
Banking ‘malware’ and trojans hidden in pirated applications
Especially on Windows or Android systems, fake applications or pirated programs downloaded by the victim install trojans, malicious programs that intercept transactions or capture passwords, causing losses.
Attacks via unprotected devices
Criminals take advantage of unsecured connections, such as public Wi-Fi networks, and the use of personal devices at work to intercept data and credentials.
Fake bill and invoice collection
Fake emails from suppliers or services containing charges or links that induce the payment of fraudulent invoices. The messages generally carry a tone of urgency and a threat of penalties, such as “the deadline for making payment ends today” or “your CNPJ will be canceled if you don’t pay”.
How to protect yourself
Pay attention to bills – Do not pay bills received by email without checking the origin of the charge.
Be careful with links – Do not click on links sent via email or WhatsApp by unknown senders. If it is supposed to be contact from an acquaintance, confirm its authenticity first.
Security – Never provide personal or banking details via an unverified connection, email or link.
Official information – Always seek official channels for government information and services to check requests.
Training and awareness – Train employees to recognize phishing attempts and other frauds.
Integrated security – Adopt platforms that unify networking and security, making them easier to adopt and operate and making it easier to detect and respond to threats.
Software updates – Keep all systems updated to fix known vulnerabilities.
Identity and device management – Control and protect who can access applications and the network, especially in hybrid environments. Adopt multiple identification factors.
Backups – Have up-to-date and securely stored backups to ensure business continuity in the event of an attack or data loss.