Fraud Prevention & Vulnerability Disclosure

Protecting Yourself Online: Canto’s Fraud Prevention Guidance

Canto is committed to protecting our customers and their data. We offer secure SaaS-based digital asset management solutions, and we take fraud prevention seriously. Cybercriminals frequently attempt to deceive individuals by impersonating legitimate vendor personnel. These tactics may appear through websites, emails, text messages, phone calls, social media, and other communication platforms. Such fraudulent schemes are constantly evolving and often rely on false pretenses to trick victims into revealing personal information.

To help safeguard your interactions, please review the following security guidance.

Common Types of Fraudulent Activity

Phishing via Email or SMS: Cybercriminals may send emails or text messages that appear to come from a trusted source. These messages often prompt you to click on a link, download an attachment, or provide personal information. Their goal is to gain access to sensitive data such as login credentials or other PI.

Vishing (Voice Phishing): Vishing involves fraudulent phone calls where the caller impersonates a Canto representative. These calls are designed to extract personal information—such as usernames, passwords, or email addresses—which may then be used for further social engineering attacks.

Job Offer and Social Media Scams: Scammers may impersonate Canto or other companies on websites or social media platforms, targeting job seekers through fake posts or advertisements. These scams may include false job offers or requests for payment during the hiring process.

Fraudulent Mobile Apps: Cybercriminals may create fake mobile apps that claim to be official Canto applications. These apps are designed to steal personal information or login credentials. Always verify the legitimacy of any app before downloading.

Best Practices

To ensure a secure experience with Canto’s SaaS platform, it is important to follow these best practices.

1. Always verify that you are interacting with an official Canto website or email account. Your specific tenant information is provided to you at the time of onboarding and should be bookmarked for future reference. Canto’s marketing pages operate under canto.com and canto.com/de.
2. Carefully review emails before taking any action. Look out for typos, unfamiliar links or attachments, and requests that seem urgent or unusual. Do not click on suspicious links or provide personal information unless you are certain of the sender’s identity.
3. Never share your password or login credentials. Canto’s platforms are private and accessible only through secure login procedures. Canto will never ask for your credentials outside of our secure login portals.
4. Only download content or applications from verified sources. Avoid suspicious pop-ups and untrusted software that may compromise your device or data.
5. Treat unexpected emails, texts, or calls with caution, especially those requesting personal information. Canto personnel will never contact you directly without a pre-scheduled call.
6. If you receive a phone call requesting personal information, do not provide it. Scammers may impersonate vendors, companies, or government agencies. If in doubt, hang up and verify the organization’s contact details independently before responding.
7. Canto does not recruit via social media or conduct interviews through text or messaging apps. All legitimate job opportunities are listed on our careers page hero.

How to Report Fraud

If you think you may have been a victim of internet crime or are aware of potentially fraudulent activity, please contact your local authorities and consider also filing a report with these government entities:

• The FBI Internet Crime Complaint Center (IC3)
• The Federal Trade Commission
• The U.S. Postal Service (for crimes involving U.S. Mail)

For more general guidance on avoiding internet crimes, visit the FBI webpages on common fraud schemes and recent e-scams at https://www.fbi.gov/scams-safety/fraud/internet_fraud and https://www.fbi.gov/scams-safety/e-scams, and the U.S. Securities and Exchange Commission webpage on avoiding fraud at https://investor.gov/investing-basics/avoiding-fraud.

Canto is not responsible for the content of third-party links and provides links to these resources for your informational purposes only.

How to Report Vulnerabilities

We encourage security researchers to report any vulnerabilities they discover. Please include the following information in your report:

• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Any supporting evidence (e.g., screenshots, logs)

Reports can be submitted via email to security@canto.com.

Canto Commitment

Upon receiving a vulnerability report, we commit to:

• Acknowledge receipt of the report within 72 hours
• Provide an initial assessment of the report within five business days
• Keep the reporter informed of the progress and status of the vulnerability
• Work to remediate the vulnerability in a timely manner

Safe Harbor

We believe in ethical security research and will not take legal action against individuals who:

1. Engage in testing within the scope of this policy
2. Avoid privacy violations, destruction of data, and interruption or degradation of our services
3. Provide us with a reasonable amount of time to resolve the issue before disclosing it to others