With greater sophistication of internet use comes greater vulnerability to internet scams. In fact, annual fraud costs reached $32 billion in losses for American businesses in 2014 alone.1 When your business has been compromised by a scam, your whole workflow can be damaged. Business may stall. You can open yourself to both legal liability and targeted damage to your bottom line.
Being able to better identify and avoid business scams now can save you a struggle later. Below are four common scams, along with tips for spotting, avoiding, and recovering from them.
W-2 Phishing Scam
Tax season in 2016 alerted the IRS to a new scheme. Scammers posed as executives and emailed human resources and payroll officers at several companies to request their employees’ personal tax information.2 In fact, 2016 saw a 400% increase in W-2 phishing scams.3 The emails seem legitimate to the reader, but the scammer has set the “Reply-To” field to an email address other than the purported sender’s, so any reply goes to the scammer.
To prevent these kinds of scams, first alert your staff to the existence of these emails. Encourage them to take a step back and think through the logic of any request they receive; even requests from supervisors or superiors may not always make sense, and employees should feel safe asking questions in those situations. Then, create a protocol for protecting employee personal information.4 For example, some companies require human resources or payroll to confirm requests for personal information verbally with the requester before responding to the email. Others require that employees send a new email with the sensitive information attached rather than reply to the original request.
Recovery from a W-2 phishing scam has multiple facets.5 Typically, these scammers will file fraudulent tax returns using the employee information. Of course, they act fast, so it’s important to alert those targeted as soon as you learn of the breach so they may contact the IRS. Following this, conduct an internal investigation to create better security measures like those above to protect your company against these threats.
Overpayment Scam
According to the Better Business Bureau, overpayment scams began targeting small businesses more aggressively in summer of 2015.6 Here’s how it works: a remote client approaches a business, purchases a service or goods, and pays more than the agreed-upon fee.7 After the scammer has received the goods or services, they “realize” they’ve overpaid and ask for a refund of the excess. But because their account is fraudulent, businesses lose the money they were paid as well as the provided product or service. If staff aren’t paying attention, it might just seem like they gave someone a refund. But if the “client” requests the business’s banking information to make a deposit, business accounts are often drained or overdrawn.
Here are three ways to avoid overpayment scams:
- For online payments, don’t allow payers to enter custom dollar amounts in the field.
- Ensure all checks are for the correct amount before depositing.
- Don’t give clients your bank account info.
If you think you’ve been targeted by an overpayment scam, first alert your bank and make sure there’s been no unusual account activity. From there, conduct an internal investigation of the company procedures that led to the activity. As you wait out an internal investigation, take the same approach as you would with W-2 phishing scams: implement a consistent protocol for handling financial transactions and sensitive information.
Email Phishing Scams
Email phishing scams appear to be from someone you know within your business, but actually contain viruses and malware. Because small business owners think their size protects them, they are often targeted at disproportionately high rates. In fact, according to cyber security experts, one of the most dangerous phrases issued by small businesses is “it’ll never happen to us.”8 About 38% of email phishing scams target businesses with 250 employees or fewer, compared to 25% targeting businesses with over 2,500 employees.9
The red flags that can help you identify a phishing email vary. Commonly, subject lines will start with "RE:" so the recipient thinks it’s a reply to an email they sent previously. They might also read “fw: scanned document attached,” but the attachment is a ZIP file, not a PDF. Look for other small discrepancies, like the name in the “From” field differing from the name in the body of the email, or simple grammar errors and spelling mistakes that don’t read like the alleged sender.
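The red flags above, together with the “Reply-To” mismatch described under W-2 phishing, can be checked mechanically before a message reaches a payroll inbox. The following is an added example, not code from the original article: the flag names and sample messages are made up, and treating a missing In-Reply-To/References header as the test for a fake "RE:" is an assumed heuristic.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

def red_flags(raw_message: str) -> list[str]:
    """Return the article's red flags that this raw message trips."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    # Replies would go to an address other than the purported sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-differs-from-sender")

    # "RE:" subject but no threading headers (assumed heuristic).
    subject = str(msg.get("Subject", "")).strip().lower()
    if subject.startswith("re:") and not (msg.get("In-Reply-To") or msg.get("References")):
        flags.append("re-subject-without-thread")

    # Attachment is a ZIP archive rather than the promised document.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            flags.append("zip-attachment")
            break

    # Sender's display name never appears in the body (weak, assumed heuristic).
    body = msg.get_body(preferencelist=("plain",))
    words = set(re.findall(r"[a-z]+", body.get_content().lower())) if body else set()
    first = (from_name.split() or [""])[0].lower()
    if first and words and first not in words:
        flags.append("from-name-not-in-body")
    return flags

def build_sample(suspicious: bool) -> str:
    """Constructed sample messages; every name and address is made up."""
    m = EmailMessage()
    m["From"] = "Pat Lee <pat.lee@example.com>"
    if suspicious:
        m["Reply-To"] = "pat.lee@example.net"
        m["Subject"] = "RE: scanned document attached"
        m.set_content("Please open the attached file today.\n\nThanks,\nChris\n")
        m.add_attachment(b"PK\x03\x04", maintype="application",
                         subtype="zip", filename="scan.zip")
    else:
        m["Subject"] = "Lunch on Friday"
        m.set_content("Are you free at noon?\n\nPat\n")
    return m.as_string()
```

A flagged message is a prompt for the verbal confirmation step described earlier, not proof of fraud; legitimate mail can trip the weaker checks.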
Employee education is vital to prevent email phishing scams from damaging your business. Over the last few years alone, email phishing scams have become more sophisticated and harder to detect. Show your employees examples of phishing scam emails and encourage them to inform someone if they feel they’ve been targeted. This knowledge and open-door policy can help prevent one employee error from making you a victim of a phishing attack.
Office Supply Scam
Office supply scams typically target small businesses and not-for-profits.10 Usually, a scammer calls an organization claiming to have previously done business with them. Under the pretense of offering a free gift or sample of their merchandise, scammers try to get the contact information of an employee. If successful, they’ll use that employee information to create a fake invoice for office supplies which they send to the business. Often, the organization pays the invoice without considering it might be a scam, because supervisors assume this employee ordered the supplies themselves.
To prevent office supply scams, first inform employees that any unrequested merchandise sent from a vendor is technically a gift and a vendor can’t demand payment for gifted items, or even that you return the merchandise. This will prevent them from paying for the items themselves if contacted. From there, you can establish assigned buyers who handle all office purchases and verify both ends of the transaction before spending. These buyers should also be responsible for documenting all purchases to create a paper trail and diminish risk.
If you have been targeted by an office supply scam, keep all documents pertaining to the transaction and turn them over to the Better Business Bureau and the FTC. You can also file a fraud report online at http://www.ftc.gov/.
Ultimately, early detection of scams can help keep your business safe. Education of the entire team is key to protecting a small business from these digital threats. Written policy and protocol can close the gaps in procedure that these scammers take advantage of. Train your team and take steps to increase your system security. That way, even when you can’t be there to verify a particular request yourself, you can trust your team to make the right call.