11 Scams That Prey on Small Businesses

11 scams that prey on small businesses

Even the savviest professional can fall victim to convincing business scams. Consider the following schemes your business may face.

1. Spear phishing

In phishing scams, swindlers use email messages to trick individuals into sharing confidential data or transferring money. Spear phishing takes things to a new level, personalizing attacks and directing them toward specific individuals or groups, often resulting in substantial financial rewards for the criminals. 

In a typical spear phishing situation, the perpetrators disguise themselves as someone familiar to the victim, such as a co-worker, boss or business partner, and ask for money or payment details. Scammers can also pretend to be vendors, suppliers or partner businesses — any entity that might seek payment from a business. 

Here’s an example: A scammer poses as a company CEO and emails an urgent wire transfer request to the accounting department. The email might reference recent company events or use insider terminology to appear legitimate. An unsuspecting team member may transfer the funds immediately without verification.

Differentiating a sophisticated spear phishing email from a genuine message can be quite challenging. To help your business steer clear of spear phishing attacks, take the following measures: 

• Ensure staff members never fulfill money requests without confirming them.
• Enact a standard verification process for monetary inquiries.
• Warn your staff about scammers’ fear tactics and the sense of false urgency they’ll likely convey.
• Instruct team members to check the details of a sender’s email, particularly if the message asks for private data or money. A spear phishing email often looks legitimate, but the sender’s details will often reveal a strange or unknown address.
• Implement multi-factor authentication on all company email accounts to prevent unauthorized access.

Protecting your company against spear phishing is critical. Business email compromise (BEC) accounted for nearly $2.8 billion in losses, making it the second-costliest cyber crime for companies in 2024.

2. Fake invoicing

If a scammer gains access to an email account, they can intercept and edit incoming emails from companies you work with, like suppliers and vendors. Business coach Robin Waite described a common scam affecting businesses in the United Kingdom where hackers edit invoices from supply companies. “Typically, all they change is the bank details on the PDF document,” Waite explained. “The target then … unwittingly sends the payment to the criminals instead.” 

This scam can also occur through the mail. Scammers may send professional-looking invoices for supplies that were never delivered or request payment for services like web domain name charges. “Business owners should train anyone who opens the U.S. mail to not fall victim to fake invoices for internet domain renewals,” advised Jacob Ackerman, an enterprise systems engineer at Pure Storage. “Domains are purchased and renewed online. There are marketing companies who use the U.S. mail to send renewal notices for domains in hopes of getting that unknowing business to make a payment.”

3. Unsolicited services or products

Scammers often send products or provide services and then issue an invoice for an excessive amount of money. This scam is like fake invoicing, except small businesses may get a “product” from the criminal.

A typical example involves directory listing services. Scammers contact businesses claiming to update their information for an online directory or business registry. After collecting basic details, they send an invoice for hundreds or thousands of dollars for a listing the business never authorized.

“The companies attempt to use your verbal confirmation (if over the phone) or signature (if through mail) as proof [that it’s] OK to initiate a billed contract with their company,” explained Ben Huber, co-founder of DollarSprout. “In reality, you were duped into thinking your telephone number was listed free of charge.”

4. Fake SEO experts

Business owners understand the fierce competition for high search engine rankings. If you appear at the top of a Google search results page, potential customers can find you more easily. Genuine experts — and a little research on your own — can help you build an SEO strategy to drive web traffic to your site. However, fake “SEO experts” may try to entice you with a comprehensive proposal to boost your Google ranking for an exorbitant price. 

Ian Wright, the founder of Merchant Machine, cautioned business owners to watch out for this scheme. These SEO scammers often take your payment without doing any work — or worse, steal your payment information. Alternatively, they might do the work but continue billing you for a sustained period. If you try to halt the payments, they’ll threaten you with a negative SEO assault. 

When evaluating SEO services, legitimate providers will offer transparent reporting, realistic timelines for results (typically three to six months), and clear contracts with cancellation terms. Be wary of anyone promising instant results or guaranteed number one rankings.

5. Fake calls

Businesses often receive solicitation calls from other companies advertising or selling their services. However, some calls, especially those with automated voice recordings, are scams. These automated callers claim to work for companies like Google. Generally, they advertise services (including SEO services, as described above) and request payment or vital business information. These calls are almost always scams.

“Neither Google nor any reputable SEO agency on earth will robocall an office, yet [these scams] are extremely active,” explained Josh Loewen, co-founder of The Status Bureau. “The scam is to get you onto the phone, then pair you with an overseas salesperson that will guarantee you higher Google rankings.”

Businesses should register their phone numbers on the National Do Not Call Registry and report suspicious calls to the Federal Trade Commission (FTC).

6. Stolen identity

You probably know that scammers can steal an individual’s identity, but did you know criminals can steal a company’s identity? In this scheme, scammers set up a fake website using an existing company’s name and address. Customers and vendors think the company is one they’ve worked with and trust and unknowingly switch to the clone business. 

When they end up not getting the product or service they were promised, the real company’s brand reputation may be tarnished and it may even face legal trouble. 

While you can’t entirely prevent someone from stealing your business’s identity, you can set up Google Alerts for your company name, regularly monitor new domain registrations similar to yours, and maintain active profiles on major business directories to establish your legitimate presence.

7. Fake charity solicitations

It’s quite common for genuine charitable groups to reach out to businesses for contributions. However, not every request is genuine. Unfortunately, dishonest individuals may pretend to represent charities, capitalizing on the goodwill of businesses willing to provide support. Be cautious and always verify the legitimacy of every request for donations. 

8. Office supply scams

Every office needs office supplies, making them a target for this scheme. Scammers call business owners and say they’re selling surplus merchandise at a reduced price, often due to an order cancellation. The business agrees to buy the supplies, but the supplies never materialize — and the business’s money disappears. To protect yourself, only purchase from established vendors with verifiable business addresses and never pay via wire transfer or gift cards for office supplies.

9. Vanity award scams

With this scam, your business receives an email congratulating it on winning some kind of award, along with a link to claim the award. Once you click the link, you will learn that to get the award, you must pay a fee that is often several hundred dollars. These fake awards often have names similar to legitimate business honors but require “processing fees,” “trophy costs,” or “ceremony attendance fees.” Genuine business awards never require payment to receive recognition.

10. Overpayment scams

This hustle seems like a typical business relationship at first. However, the “customer” sends you a check for more than they owe you and asks you to wire the difference back to them. Then, the check bounces and you lose the money you wired and any of the check proceeds you spent. To avoid this scam, always know who you’re buying from and never accept an overpayment for products or services. If you accept checks, ensure they clear before delivering your product or service. 

11. Employee retention credit (ERC) scams

The ERC was a legitimate COVID-19-era tax credit designed to help eligible businesses that retained employees during the pandemic. Although the credit is no longer available for new claims, unscrupulous individuals and organizations are attempting to deceive businesses into believing they are still entitled to the credit. These scammers use aggressive marketing campaigns, promising an easy application process and insisting that many businesses have missed out on money they’re owed.

Tips for avoiding business scams

Protect your business’s sensitive information, reputation and finances by implementing the following tips and best practices:

• Educate your team: Conduct quarterly security awareness training sessions covering the latest scam tactics. Consider implementing a data loss prevention policy so everyone is aware of internal and external threats.
• Communicate about scams: Encourage employees to talk to each other when they discover a scam or encounter a suspect situation. Scammers often target more than one person in the organization and communication can stop their schemes before they gain traction.
• Set email protocols: Train employees never to send sensitive information via email.
• Verify receipt of goods and services: Have accounts payable staff review invoices closely and verify that the company received the products and services for which it’s being billed.
• Limit invoice approval: Limit invoice approval to a key individual or small accounting team and ensure there’s a clear approval process.
• Scrutinize payment methods: Avoid paying by wire, reloadable card or gift card, which are common ways for scammers to demand payment.
• Verify caller and emailer identity: Scammers sometimes clone the number that shows up on your caller ID, so they look like they’re calling from a legitimate company or government agency. They may also send emails from a domain that looks similar to one you trust. Instruct staff to be skeptical of all callers and emailers until verifying their identities. Consider setting up an identity and access control system to identify individuals.
• Set email behavior protocols: Instruct employees not to open attachments, click links or download files from unexpected emails. These links or files may be sources of ransomware, viruses or cyber extortion.
• Investigate partners and vendors: Before doing business with a company for the first time, search its name online with the words “scam” or “complaint.”
• Research charities: If a charity solicits your business, research it to ensure it’s legitimate.
• Report suspected scams: Report business scams to the FTC at ReportFraud.ftc.gov and the FBI’s Internet Crime Complaint Center at ic3.gov to help protect other businesses.

Source interviews were conducted for a previous version of this article.