Cybercriminals often target people with identity theft scams, credit card fraud and myriad other schemes designed to steal their money. However, small businesses are also at risk of scammers and hackers, and the repercussions of cybercrime could cripple or destroy your company.
Scammers are growing more sophisticated in their business attacks, often sending convincing emails or messages to siphon vital information. It’s crucial for small business owners to be aware of potential cyber attacks and train their teams to stay vigilant.
We’ll look at 10 common scams that prey on small businesses and share tips for steering clear of business scams.
Cyber insurance can protect your business if it becomes the victim of a scam, data breach or other type of cybercrime.
10 scams that prey on small businesses
Even the savviest professional can fall victim to convincing business scams. Here are 10 cyber risks to watch for.
1. Spear phishing
Phishing is a common scam where fraudsters email people and trick them into revealing sensitive information or sending money. Spear phishing ups the ante with highly targeted attacks on specific individuals or groups – often leading to massive payouts.
In a spear-phishing scheme, a hacker may pose as a colleague, boss, partner business, or friend requesting money or payment information. It’s often incredibly difficult to differentiate a spear-phishing attack from standard email correspondence.
For example, a fraudster may pose as a company CEO urgently requesting money from the accounting department via email. If the accounting department doesn’t double-check the sender information to verify the email originator, they may immediately perform the requested money transfer without realizing they’re being scammed. Unfortunately, this scam goes undetected in many companies until it’s too late and the money is long gone.
Hackers may also pose as suppliers, vendors or partner companies – anyone who might legitimately ask for payment.
To avoid falling victim to spear-phishing attacks, train your team never to grant unverified money requests. Many scams try to scare employees or create a false sense of urgency, so it’s crucial to have a standard authorization system in place for money requests.
Additionally, always analyze email sender information, particularly if the email asks for sensitive information or funds. A spear-phishing email may appear to be from a legitimate source, but if you click on the sender information, you’ll likely see a strange or unfamiliar address.
2. Fake invoicing
If a scammer gains access to an email account, they can intercept and edit incoming emails from companies you work with, like suppliers and vendors. Business coach Robin Waite described a common scam affecting businesses in the U.K. where hackers edit invoices from supply companies.
“Typically, all they change is the bank details on the PDF document,” Waite said. “The target then … unwittingly sends the payment to the criminals instead.” This scam can also occur through the mail. Scammers may send invoices for supplies that were never delivered, or they may even request money for web domain name charges.
“Business owners should train anyone who opens the U.S. mail to not fall victim to fake invoices for internet domain renewals,” said Jacob Ackerman, an engineer at Pure Storage. “Domains are purchased and renewed online. There are marketing companies who use the U.S. mail to send renewal notices for domains in hopes of getting that unknowing business to make a payment.”
Antivirus software is a fundamental first line of defense against cyberthreats.
3. Unsolicited services or products
Scammers often send products or provide services and then issue an invoice for an inordinate amount of money. This scam is like fake invoicing, except small businesses may be getting a “product” from the criminal.
A typical example is fake phone book companies. Scammers will call or email businesses and ask for basic information to update a phone book. After receiving the info, they’ll send an invoice along.
“The companies attempt to use your verbal confirmation – if over phone – or signature – if through mail – as proof [that it’s] OK to initiate a billed contract with their company,” said Ben Huber, co-founder of DollarSprout. “In reality, you were duped into thinking your telephone number was listed free of charge.”
4. Fake SEO experts
As a small business owner, you know what it’s like to vie for attention on search engines like Google. The higher your Google ranking, the easier it is for customers to find and spend money at your business. Legitimate SEO consultants can share SEO tools to help you build digital marketing strategies to improve your business’s online presence. These consultants or digital marketing agencies won’t send you an email requesting payment out of the blue.
One budding scam is when an “SEO expert” reaches out to a small business with a detailed plan for increasing its Google rank – for a fee, of course.
“More often than not, it will be a full-blown scam, either just taking payment and not doing the work – and possibly stealing your payment details – or doing the work and continuing to charge you for months or years down the line,” said Ian Wright, founder of Merchant Machine. “Then, when you try to stop paying, they’ll threaten you with a negative SEO attack.”
If you receive an email from a company soliciting any service, you should be very skeptical.
Clearly outline your IT department’s role in cybersecurity, empowering it to be proactive about security measures like secure passwords, ongoing training and vulnerability scans.
5. Fake calls
Businesses often receive solicitation calls from other companies trying to advertise or sell their services. However, some calls, especially those with automated voice recordings, are scams. These automated callers claim to work for companies like Google. Generally, they’re advertising services and requesting payment or vital business information. These calls are almost always a scam.
“Neither Google nor any reputable SEO agency on earth will robocall an office, yet [these scams] are extremely active,” said Josh Loewen, co-founder of The Status Bureau. “The scam is to get you onto the phone, then pair you with an overseas salesperson that will guarantee you higher Google rankings.”
6. Stolen identity
You probably know that scammers can steal an individual’s identity, but did you know criminals can steal a company’s identity? In this scheme, scammers set up a fake website using an existing company’s name and address. Customers and vendors think the company is one they’ve worked with and trust and unknowingly switch to the clone business.
When those customers and vendors don’t get the product or service they were promised, the actual company’s reputation is tarnished, and it may even get into legal trouble.
7. Fake charity solicitations
While it’s normal for legitimate charitable organizations to contact businesses for donations, not all such solicitations are legitimate. Criminals sometimes pose as charities and take advantage of businesses that want to give back.
8. Office supply scams
Every office needs office supplies, making them a target for this scheme. Scammers call business owners saying they’re selling business surplus merchandise at a reduced price, often due to an order cancellation. The business agrees to buy the supplies, but they never materialize – and their money disappears.
9. Vanity award scams
With this scam, your business receives an email congratulating it on winning some kind of award along with a link to claim the award. Once you click the link, you find out that to get the award, you must pay a fee that is often several hundred dollars.
10. Overpayment scams
This hustle seems like a normal business relationship at first. However, the “customer” sends you a check for more than they owe you and asks you to wire the difference back to them. Then, the check bounces, and you are out the money you wired plus any of the check proceeds that you spent.
If you’re wondering if you’re at risk of cybersecurity threats, conduct a cybersecurity risk assessment to see how vulnerable or protected your business is.
Tips for avoiding business scams
Protect your business’s sensitive information, reputation and finances by implementing these tips and best practices:
- Educate your team. Share this article with your employees so they know what to look for. Consider implementing a data loss prevention policy so that everyone is aware of internal and external threats.
- Communicate about scams. Encourage employees to talk to each other when they discover a scam. Scammers often target more than one person in the organization.
- Set email protocols. Train employees never to send sensitive information via email.
- Verify receipt of goods and services. Have accounts payable staff review invoices closely and verify that the company received the products and services for which it’s being billed.
- Limit invoice approval. Limit invoice approval to a key individual or small accounting team, and ensure there’s a clear approval process.
- Scrutinize payment methods. Avoid paying by wire, reloadable card or gift card, which are common ways for scammers to demand payment.
- Verify caller and emailer identity. Scammers sometimes clone the number that shows up on your caller ID, so they look like they’re calling from a legitimate company or government agency. They may also send emails from a domain that looks similar to one you trust. Instruct staff to be skeptical of all callers and emailers until verifying their identities. Consider setting up an identity and access control system to identify individuals.
- Set email behavior protocols. Instruct employees not to open attachments, click links or download files from unexpected emails. These links or files may be sources of ransomware, viruses or cyber extortion.
- Investigate partners and vendors. Before doing business with a company for the first time, search the company’s name online with the word “scam” or “complaint.”
- Research charities. If a charity solicits your business, research it to be sure it’s legitimate. You can do this at websites like Charity Navigator or Give.org.
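The sender checks described under spear phishing and in the “Verify caller and emailer identity” tip can be partly automated. The following is an added example, not part of the original article; the trusted-domain list, the sample messages and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this business really exchanges payment mail with.
TRUSTED_DOMAINS = {"example.com", "supplier.example"}

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"      # digit 1 instead of letter l
    "Reply-To: jane.doe.ceo@mailbox.example\n"
    "Subject: Urgent wire transfer today\n\nPlease send payment now.\n"
)
SAMPLE_OK = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nHi.\n"

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def sender_warnings(raw_message, trusted=TRUSTED_DOMAINS):
    """Return human-readable warnings about the sender of one message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    warnings = []
    if from_dom not in trusted:
        # A domain one or two edits away from a trusted one is a lookalike.
        near = sorted(t for t in trusted if edit_distance(from_dom, t) <= 2)
        if near:
            warnings.append(f"lookalike of {near[0]}: {from_dom}")
        else:
            warnings.append(f"unfamiliar sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        # Replies would be delivered somewhere other than the visible sender.
        warnings.append(f"replies go to a different domain: {reply_dom}")
    return warnings
```

An empty result only means the visible address is not a lookalike; money requests still go through the standard authorization process recommended above.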
Matt D’Angelo contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.