Some of these scams have been around for a long time, but bear repeating. Here, courtesy of AARP, are some of the most common ploys targeting small- and medium-sized businesses:
- Phishing emails: Schemers will take names and titles of executives from LinkedIn or corporate websites to spoof internal messages where they pose as the CEO or COO and email instructions to pay a vendor or a bill. The unsuspecting subordinate follows the instructions, but unwittingly sends corporate money to a scammer-run account. Other similar cons involve the scammer instructing employees to update their log-in credentials, giving the criminals access to internal servers.
- False claims that a website is deactivated. In this scam, the con artist will send a letter or an email to a business claiming that its website address, social media accounts or other online presence is about to be “deactivated,” and requesting updated log-in credentials. The credentials would then be used to access the website and install malware on the site. This spreads like a virus, infecting the sites of others who trust your reputation and visit your site.
- Advertising scheme. Be cautious of any company or person claiming that for a hefty fee, they can ensure better placement of your business in Google searches. No third-party vendor can guarantee keyword-placement results.
- Phony invoices. Some businesses will receive fake invoices demanding payment for products or services they neither ordered nor received. Often the amounts allegedly due are small enough not to raise suspicion, according to the Better Business Bureau, leading many business owners to pay. See below for a related scam.
- Better Business Bureau cons: This scam is particularly odious in that the con artist exploits a business owner’s need to maintain a strong reputation, especially in the age of omnipresent social media. The scammer will send the business owner an email alleging to be with the Better Business Bureau, with a subject line such as “Complaint from your customers.” When the worried business owner clicks on the attached link for “more details,” malware is unleashed that provides the cybercriminals with remote access to company files. In a related scam, people alleging to be employees of the BBB will call businesses and ask them to “update” their business and personal information – often for a fee – which is then used to obtain information for other scams, such as the phishing scams identified above.
- Supply swindles. This happens when a mischievous delivery person arrives unexpectedly with a cash-on-delivery package of office supplies. Front-desk employees may assume the delivery is expected by a coworker (fraudsters can get names easily enough), but the boxes may be filled with junk or be empty, according to the Federal Trade Commission. Other times, companies are phoned in advance to learn what brand of supplies or equipment they use, and in a follow-up call, self-described suppliers offer bargain prices on surplus merchandise that’s paid for in advance but never delivered.
- Directory scams. Claiming to be from the Yellow Pages or an online phone directory, the scammers will ask businesses to confirm their address and phone number (or for online directories, request search-term keywords to use on search engines). Assuming they are simply updating an existing listing, employees provide this seemingly innocent information. But then, the company is billed hundreds of dollars for allegedly provided listing services or may be sent “solicitation” paperwork that may be interpreted as a bona fide invoice.
Many of these scams target a company’s network through email and website schemes. Being aware and cautious of what is being transmitted through your business is the best prevention against a cyberattack.
The following are just a few tips for protecting your business from these types of scams:
- Be wary of any emails that demand immediate action or seem extremely urgent. The sense of urgency is created deliberately, to push you into doing something that bypasses your normal procedures.
- Examine the sender’s address when receiving questionable email communication. Usually the con artists will use an address that is similar to a legitimate company or organization’s domain name – even one that resembles your own – but there is usually a misspelling, an extra or missing punctuation mark, the use of a public email service, like Gmail or Yahoo, or other subtle differences that can be overlooked.
- Check the timing of the email. If you receive an email that would normally be sent during business hours but was sent at an unusual time, like 3 a.m., it is likely a scam.
- Don’t ever click on links included in the body of suspicious or questionable emails or open attachments. If in doubt, place a phone call to the person who supposedly sent the email just to verify it is legitimate.
- Establish email safety protocols with your employees and review them on a regular basis.
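The first three tips can be partly automated as a mail-screening check. The sketch below is an added example, not part of the original article or the AARP material; the trusted domains, the urgency word list, the 07:00 to 19:00 business-hours window and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

TRUSTED = {"example-corp.com", "example-vendor.com"}  # assumed: your own and known vendor domains
PUBLIC = {"gmail.com", "yahoo.com"}                   # public providers named in the tips
URGENT = ("urgent", "immediately", "right away", "asap")  # assumed word list

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review(raw):
    """Return the warning signs found in one raw email (headers plus body)."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in PUBLIC:
        flags.append("public-mail-sender")
    elif domain not in TRUSTED and any(edit_distance(domain, t) <= 2 for t in TRUSTED):
        flags.append("lookalike-domain")      # e.g. a digit swapped in for a letter
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENT):
        flags.append("urgent-language")
    if msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"])   # hour as stated by the sender
        if sent.hour < 7 or sent.hour >= 19:        # assumed business hours
            flags.append("sent-outside-business-hours")
    return flags

# Constructed sample messages, not real mail.
SUSPECT = ('From: "Pat Lee, CEO" <pat.lee@examp1e-corp.com>\n'
           "Date: Tue, 05 Mar 2024 03:02:00 -0500\n"
           "Subject: Urgent wire payment\n\n"
           "Pay the attached vendor invoice immediately.\n")
LEGIT = ("From: billing@example-vendor.com\n"
         "Date: Tue, 05 Mar 2024 14:15:00 -0500\n"
         "Subject: March invoice\n\n"
         "Invoice attached as agreed.\n")

if __name__ == "__main__":
    print(review(SUSPECT))
    print(review(LEGIT))
```

A flagged message is a prompt to verify by phone, as the next tip says, not proof of fraud; a clean result does not make a message safe.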
As always, please contact if you have any questions.