11 Scams That Prey on Small Businesses

11 scams that prey on small businesses

Even the savviest professional can fall victim to convincing business scams. Consider the following schemes your business may face.

1. Spear phishing

In phishing scams, swindlers use email messages to trick individuals into sharing confidential data or transferring money. Spear phishing takes things to a new level, personalizing attacks and directing them toward specific individuals or groups, often resulting in substantial financial rewards for the criminals. 

In a typical spear phishing situation, the perpetrators disguise themselves as someone familiar to the victim, such as a co-worker, boss or business partner, and ask for money or payment details. Scammers can also pretend to be vendors, suppliers or partner businesses — any entity that might seek payment from a business. 

Here’s an example: A scammer poses as a company CEO and emails an urgent money request to the finance team. An unsuspecting team member may transfer the money immediately and not realize they’ve been duped. 

Differentiating a sophisticated spear phishing email from a genuine message can be quite challenging. To help your business steer clear of spear phishing attacks, take the following measures: 

• Ensure staff members never fulfill money requests without confirming them. 
• Enact a standard verification process for monetary inquiries. 
• Warn your staff about scammers’ fear tactics and the sense of false urgency they’ll likely convey. 
• Instruct team members to check the details of a sender’s email, particularly if the message asks for private data or money. A spear phishing email often looks legitimate, but the sender’s details will often reveal a strange or unknown address. 

2. Fake invoicing

If a scammer gains access to an email account, they can intercept and edit incoming emails from companies you work with, like suppliers and vendors. Business coach Robin Waite described a common scam affecting businesses in the United Kingdom where hackers edit invoices from supply companies. “Typically, all they change is the bank details on the PDF document,” Waite explained. “The target then … unwittingly sends the payment to the criminals instead.” 

This scam can also occur through the mail. Scammers may send professional-looking invoices for supplies that were never delivered or request payment for services like web domain name charges. “Business owners should train anyone who opens the U.S. mail to not fall victim to fake invoices for internet domain renewals,” advised Jacob Ackerman, an engineer at Pure Storage. “Domains are purchased and renewed online. There are marketing companies who use the U.S. mail to send renewal notices for domains in hopes of getting that unknowing business to make a payment.”

3. Unsolicited services or products

Scammers often send products or provide services and then issue an invoice for an excessive amount of money. This scam is like fake invoicing, except small businesses may get a “product” from the criminal.

A typical example is fake phone book companies. Scammers call or email businesses and ask for basic information to update a phone book. After receiving the information, they send an invoice for a listing you never wanted or asked for.

“The companies attempt to use your verbal confirmation (if over the phone) or signature (if through mail) as proof [that it’s] OK to initiate a billed contract with their company,” explained Ben Huber, co-founder of DollarSprout. “In reality, you were duped into thinking your telephone number was listed free of charge.”

4. Fake SEO experts

Business owners understand the fierce competition for high search engine rankings. If you appear at the top of a Google search results page, potential customers can find you more easily. Genuine experts — and a little research on your own — can help you build an SEO strategy to drive web traffic to your site. However, fake “SEO experts” may try to entice you with a comprehensive proposal to boost your Google ranking for an exorbitant price. 

Ian Wright, the founder of Merchant Machine, cautioned business owners to watch out for this scheme. These SEO scammers often take your payment without doing any work — or worse, steal your payment information. Alternatively, they might do the work but continue billing you for a sustained period. If you try to halt the payments, they’ll threaten you with a negative SEO assault. 

When you receive a solicitation email from any company offering business services, it’s crucial to approach it with healthy skepticism and thoroughly research any potential vendor. 

5. Fake calls

Businesses often receive solicitation calls from other companies advertising or selling their services. However, some calls, especially those with automated voice recordings, are scams. These automated callers claim to work for companies like Google. Generally, they advertise services (including SEO services, as described above) and request payment or vital business information. These calls are almost always scams.

“Neither Google nor any reputable SEO agency on earth will robocall an office, yet [these scams] are extremely active,” explained Josh Loewen, co-founder of The Status Bureau. “The scam is to get you onto the phone, then pair you with an overseas salesperson that will guarantee you higher Google rankings.”

6. Stolen identity

You probably know that scammers can steal an individual’s identity, but did you know criminals can steal a company’s identity? In this scheme, scammers set up a fake website using an existing company’s name and address. Customers and vendors think the company is one they’ve worked with and trust and unknowingly switch to the clone business. 

When they end up not getting the product or service they were promised, the real company’s brand reputation may be tarnished and it may even face legal trouble. 

While you can’t entirely prevent someone from stealing your business’s identity, you can be vigilant about monitoring your company’s reputation and communicating with customers.

7. Fake charity solicitations

It’s quite common for genuine charitable groups to reach out to businesses for contributions. However, not every request is genuine. Unfortunately, dishonest individuals may pretend to represent charities, capitalizing on the goodwill of businesses willing to provide support. Be cautious and always verify the legitimacy of every request for donations. 

8. Office supply scams

Every office needs office supplies, making them a target for this scheme. Scammers call business owners and say they’re selling surplus merchandise at a reduced price, often due to an order cancellation. The business agrees to buy the supplies, but the supplies never materialize — and the business’s money disappears. The only way around this scam is to do your due diligence on any vendor you purchase from.

9. Vanity award scams

With this scam, your business receives an email congratulating it on winning some kind of award, along with a link to claim the award. Once you click the link, you will learn that to get the award, you must pay a fee that is often several hundred dollars. Be aware of vanity scams and understand that you’ll never have to pay for a true honor.

10. Overpayment scams

This hustle seems like a typical business relationship at first. However, the “customer” sends you a check for more than they owe you and asks you to wire the difference back to them. Then, the check bounces and you lose the money you wired and any of the check proceeds you spent. To avoid this scam, always know who you’re buying from and never accept an overpayment for products or services. If you accept checks, ensure they clear before delivering your product or service. 

11. Employee retention credit (ERC) scams

The ERC is a legitimate COVID-19-era tax credit designed to help eligible businesses that retained employees during the pandemic. Although the credit is no longer available for recently paid wages, businesses can still apply retroactively until April 2025 to benefit from paying qualified wages between March 13, 2020, and December 31, 2021.

However, unscrupulous individuals and organizations are attempting to deceive businesses into believing they are entitled to the credit when they do not meet the qualifications. These scammers use aggressive marketing campaigns, promising an easy application process and insisting that many businesses have missed out on money they’re owed.

These scams often involve significant upfront fees for “assistance” with applying for the credit while downplaying or ignoring its strict eligibility requirements. Businesses that improperly claim the ERC could face severe consequences, including audits, penalties and hefty repayment costs. It’s critical to consult with a qualified tax expert to ensure compliance with ERC regulations before applying.

Tips for avoiding business scams

Protect your business’s sensitive information, reputation and finances by implementing the following tips and best practices:

• Educate your team: Share this article with your employees so they know what scams to look for. Consider implementing a data loss prevention policy so everyone is aware of internal and external threats.
• Communicate about scams: Encourage employees to talk to each other when they discover a scam or encounter a suspect situation. Scammers often target more than one person in the organization and communication can stop their schemes before they gain traction.
• Set email protocols: Train employees never to send sensitive information via email.
• Verify receipt of goods and services: Have accounts payable staff review invoices closely and verify that the company received the products and services for which it’s being billed.
• Limit invoice approval: Limit invoice approval to a key individual or small accounting team and ensure there’s a clear approval process.
• Scrutinize payment methods: Avoid paying by wire, reloadable card or gift card, which are common ways for scammers to demand payment.
• Verify caller and emailer identity: Scammers sometimes clone the number that shows up on your caller ID, so they look like they’re calling from a legitimate company or government agency. They may also send emails from a domain that looks similar to one you trust. Instruct staff to be skeptical of all callers and emailers until verifying their identities. Consider setting up an identity and access control system to identify individuals.
• Set email behavior protocols: Instruct employees not to open attachments, click links or download files from unexpected emails. These links or files may be sources of ransomware, viruses or cyber extortion.
• Investigate partners and vendors: Before doing business with a company for the first time, search its name online with the words “scam” or “complaint.”
• Research charities: If a charity solicits your business, research it to ensure it’s legitimate.