Running a small business is tough enough at the best of times. From managing cashflow to chasing unpaid invoices, keeping on top of changing rules and regulations to attracting and keeping the right staff – small business owners have to put in a big shift simply to keep everything going. Add in a pandemic that caused significant disruptions over the past two years and many businesses are facing extraordinary stress. What they don’t need on top of all that are scammers trying to rip them off through fake invoices, phishing scams, email scams or even ransomware. So how can you protect your business against scammers? And what do you do if you find yourself in the awful situation where you realise: my business has been scammed? Let’s explore some common scams targeting businesses and what you can do to protect yourself.
Common Scams Targeting Businesses
Apart from general scams such as online shopping or investment fraud, there is a range of schemes specifically targeting businesses. Common ones include phishing scams, fake invoices, and malware/ransomware attacks. Let’s look at these in turn so you don’t end up saying: help, my business has been scammed.
Phishing scams generally impersonate a trusted person, company or entity and aim to gather confidential information for fraudulent purposes. They appear legitimate but are vehicles for scammers to capture valuable data like credit card numbers, passwords, and bank information. It works in the following way. You may receive an email which appears to come from your bank or the tax office. It may claim that you are being audited or that your online account has been compromised, requiring immediate action. The email looks legitimate and contains a button to regain control of your account. Clicking on it takes you to a website that is an exact copy of your internet banking login page. However, if you enter your username and password, it’s not your bank but the scammers that now have this information. Before you know it, you’ll find yourself saying: oh no, my business has been scammed!
Other variations of this scam are whaling or spear phishing schemes. These differ from ordinary phishing scams in that the scammers target specific people like executive officers or senior managers. Using a subtly faked, familiar-looking email address, the email demands ‘urgent action’ on a customer complaint or legal subpoena. Like other phishing scams, it includes links to a fake but legitimate-looking website, which then proceeds to extract confidential information. Alternatively, it might ask you to download an apparently genuine attachment, which turns out to be malware/ransomware (see below). In either case, following the instructions will have you in a bind and calling for help: my business has been scammed!
Malware & Ransomware Attacks
Another key trick in the scammers’ arsenal is malware and ransomware attacks. For this, scammers will use fake emails or fake websites to trick you into downloading malicious software. Once installed, malware allows scammers to access sensitive files or secretly record what you’re doing, such as entering banking passwords. They will then use that information to make fraudulent transactions in your name or identify vital data for phishing scams. Indeed, they might even open bank accounts, take out loans or carry out illegal business activity in your name! By contrast, ransomware works by locking your computer and holding it ‘hostage’ until you pay a ‘ransom’ to release it. Not only do you lose your ransom money, but there is no guarantee the scammers will actually unlock your computer. Beware of these attacks, so you don’t end up saying: help, my business has been scammed!
Fake Invoice Scams
Fake invoices are one of the most common types of fraud that leave business owners saying: my business has been scammed! It is not very difficult for scammers to obtain some general information about one company supplying products to another company. They may gather this data through phishing scams, viruses or hacking of the company’s systems. Unfortunately, scammers then have knowledge about upcoming due invoices and the name and email address of the responsible accounts person. Having this information allows them to launch a sophisticated fake invoice scam. Generally, the offenders send an email to an individual within a company, impersonating a legitimate business contact of the company. To understand their modus operandi, let’s take the example of a construction company normally using another business for part of their services, such as installing blinds and curtains.
First, the scammers impersonate the supplier (blinds and curtains business) and inform the construction company of a changed bank account. Next, they simply ask for future invoices to be paid into the company’s new bank account. Of course, the email wasn’t sent from the real supplier. The supplier hasn’t changed bank accounts and has no idea that their client is paying fake invoices into a scammer-controlled account. Only once their invoices are overdue do they contact the business and follow up. At that point, the construction company would likely tell them that they already paid the invoice. It’s just that, as per their request by email, they have updated the payment details in their system. While the scammers have made off with their loot, the supplier and the construction business slowly realise what’s going on. Both of them say: what, my business has been scammed?
But how do scammers impersonate legitimate companies?
Commonly, scammers have figured out the correct email address and name of the supplier’s actual accounts person. Then they impersonate that person by registering a domain which appears to be very similar. For example, if the supplier’s email address is firstname.lastname@example.org, the scammers may register the domain and email address, email@example.com. The scammers own the new domain, which looks almost identical except for a missing s. Obviously, the construction company is not going to closely examine the details of every single email address they receive. Thus, they falsely believe they are communicating with their normal supplier. Scammers will go as far as mimicking the real company’s email signature. This includes putting in links to the correct website and adding the company’s correct telephone number. The email looks exactly as it usually would, with only one minuscule difference, which makes the fraud hard to spot and makes it hard to avoid saying: my business has been scammed!
Protect Your Business Against Scammers
You don’t ever want to find yourself in a situation where you realise: my business has been scammed! Fortunately, there are a lot of things you can do to protect your business against scammers. When receiving any communication purporting to come from your bank, make sure you don’t click on any links or buttons. Instead, go directly to your bank’s internet banking login page, as you normally would. Likewise, make sure to use anti-virus protection and be careful when any website is prompting you to download unknown software. Finally, make sure that your filing, purchasing, and accounting systems are well-organised. That means limiting the number of people with the authority to buy/order, calling any suppliers whose bank details appear to have changed and, if anything feels suspicious, independently verifying the business’s details.
How can Cybertrace help?
Even with the best preparation, you can still find yourself saying: help, my business has been scammed! Fortunately, that doesn’t have to be the end of it. As one of the most experienced cyber fraud investigators in Australia, Cybertrace is here to help. Our experienced analysts have access to a whole range of sophisticated investigative tools and techniques to identify who scammed you. Armed with our expert reporting, you will be able to engage the police or your lawyer to recover your funds. Beyond fraud investigations, we can also help with identifying any online harassment or underhanded anonymous reviewers trashing your business’s reputation. Contact the experts at Cybertrace today to discuss how we can help.