Your business may be small, but fraud can cost you big.
The cost to businesses can depend on what kind of security incident they’ve succumbed to, but the consequences can be serious: For 41 per cent of small businesses that had suffered a cyber attack, for example, the cost was at least $100,000, according to a survey of Canadian businesses that the Insurance Bureau of Canada conducted in August 2023. Fifty-three per cent of Canadian companies surveyed in February 2024 by KPMG said they lost between one and five per cent of their profits to fraud over the previous 12 months, and seven per cent suffered losses above five per cent.
If you want to protect your business from setbacks like these, it’s critical to think about proactive steps – like training your staff to recognize fraud attempts, and opting for payment methods that can help prevent your business from being exposed to unnecessary risk.
To help you renew your focus on fraud prevention, below are six examples of common scams that target Canadian small- and medium-sized businesses. Underneath each type of scam are some ways to help avoid falling victim. What steps do you need to take to protect your business? Keep reading to find out.
1. Email account takeover
Many email accounts are compromised without the owner knowing it. That means fraudsters have stolen the password, and they can log in and lie in wait for messages that would be lucrative to intercept – like a notification of a money transfer, which they may try to divert into their own accounts.
How to guard your business against email interception fraud
To help prevent email account takeover, change your email passwords regularly (every few months is recommended) and use multi-factor authentication for your accounts. Watch for missing emails or other problems with your email account. It’s possible that email forwarding has been configured without your awareness, causing your emails to be redirected to another account – so check your mail forwarding settings every once in a while.
For added security around money transfers, set up Interac e-Transfer Autodeposit. It can help you avoid the risk of having your funds intercepted and diverted by fraudsters through your email accounts, because the funds are directly deposited into your bank account with no additional steps.
If you don’t have Interac e-Transfer Autodeposit set up, always protect your transactions with strong security questions and answers that can’t easily be guessed or found – and make sure you share them via a safe channel (in other words, a channel that’s different from the one you send the transfer on).
2. Phishing scams
“Phishing” refers to messages that try to trick the recipient into providing sensitive information that can be used for fraudulent purposes. For example, the fraudster sends you a link in an email that looks like it comes from your financial institution, and it sends you to what looks like a login page for their online banking service. If you enter your account login and password, you’re actually handing it over to the fraudster.
How to guard your business against phishing
Whenever a message appears to be from your financial institution, stop and scrutinize it carefully – look for URLs in the email address that don’t match the official one. Fraudsters try to make their messages look legitimate by using company logos and colours, but they often make mistakes, leading to telltale signs of fraud – like errors or strange typos in the text of an email notification. Another common error in phishing emails is the “$” sign appearing after the amount, instead of before it.
When you receive an unsolicited email, avoid clicking any links. If you’re in doubt about its authenticity, get in touch with the organization in question (like your bank or credit union). Don’t reply to the email; use another channel to get in touch (the phone, for example) and ask them whether there is indeed a message for you or an action you need to take.
3. Chargeback fraud (including “friendly fraud”)
Chargeback fraud happens when a cardholder identifies a genuine credit card purchase as fraudulent and disputes it, resulting in a refund (in other words, a chargeback for the merchant) – for a service or item that they actually did purchase.
Sometimes an honest mistake is involved – for example, a parent disputes a charge when their child made the purchase without telling them. In these cases, chargeback fraud is called “friendly fraud.” A mistake can also happen if the customer doesn’t recognize your business’s name (or forgets about the purchase) when they look at their credit card statement, and disputes what they think is a fraudulent charge.
How to guard your business against chargeback fraud
Purchases made with stolen cards can result in chargebacks down the line, when cardholders report the fraudulent purchases. Avoid risky transactions, like taking credit card information over the phone, because it can be difficult to confirm who’s actually on the other end of the line. Other scenarios that can hint at a stolen card being used are shopping sprees, and sales from customers who provide a few different declined account numbers before finding one that works.
As for preventing friendly fraud, make sure your business name as it appears in credit card transactions is one that customers would recognize – so that they don’t mistakenly dispute a charge for something they purchased.
In the bigger picture, why not avoid chargebacks altogether by encouraging customers to use a payment method that doesn’t involve any, like Interac Debit?
4. Business Email Compromise
In a special twist on phishing, scammers pretend to be a colleague of the target and tell them to do something that would harm the business – like sending money to the fraudsters. Canadian businesses reported $26-million worth of financial damage to the RCMP due to business e-mail compromise in 2020.
To lend an air of authority to the request, scammers often create a fake email account to impersonate the company’s leader (or they get access to the real account), so they can pretend to be the boss. This is called a “CEO scam.”
In another variation on the business email compromise scam, the fraudster poses as an employee who wants to change their direct deposit payment information. If successful, the fraudster tricks the company into depositing the funds into an account they control.
How to guard your business against business email compromise, including CEO scams
Ensure your computer systems are secure, keep antivirus software up to date, and encourage all employees to use strong passwords to protect their email accounts from hackers. Make it a policy that employees must double-check that all major transactions are genuinely authorized, using a different channel from the original communication (for example, by asking their manager face-to-face).
Take special care to ensure that you, as the business owner, and/or any other company leaders, have multi-factor authentication protecting your inboxes (as everyone in your organization should). That will make it more difficult for people to hack into your account and impersonate you.
5. Cheque fraud
This is an older form of fraud that businesses are unfortunately still dealing with. Cheque fraud comes in a few different forms. Counterfeit cheques are made to look like real bank cheques. They’re often convincing facsimiles, but some of the small details may be wrong. If you deposit them, they won’t clear, meaning you won’t receive the funds. Forged cheques are legitimate cheques that have been stolen, and are signed by the fraudster rather than the true account holder.
There are also overpayment scams, in which the fraudster posing as a customer writes a (counterfeit or forged) cheque for more than what he owes (sometimes under the guise of “paying up front”), and then requests payment for the difference. When the cheque finally bounces, the business loses the funds.
Note that fraudsters can use money orders and bank drafts to attempt similar scams.
How to guard your business against cheque fraud
If you do accept cheques as payment, it’s best to do so only with customers you know well. You’ll also ideally be able to wait for the cheque to clear before you do any work or hand over any merchandise.
When you’re holding the cheque, look for signs of counterfeiting, like a lack of watermarks or other security features.
If your business issues cheques, look at your banking account daily to make sure there aren’t unauthorized outgoing payments. If there are, it could be a sign that your cheques have been stolen.
Of course, the simplest way to avoid cheque fraud is to not accept cheques in the first place. Make it your company’s policy to send and receive money more securely by using a digital service like Interac e-Transfer for Business.
6. Phony invoices and payment change schemes
This scam is straightforward but it sometimes works: Fraudsters will send fake invoices to companies hoping they won’t realize the trick and will simply pay them.
A variation on the scheme involves fraudsters pretending to be existing vendors, claiming that their account information has changed – they ask you to send money to their new account (which, of course, is actually the fraudster’s account).
How to guard your business against phony invoices and payment change schemes
To help ensure you’re only paying genuine invoices, train employees to only pay invoices they expect, which they can confirm are for genuine services and merchandise. Ideally they will only pay invoices from people and entities they’re familiar with.
Employee training should also include knowing what to do when a request or invoice comes from a new email address or phone number (employees should confirm the validity of the request through another channel, like the phone). When unsure, employees in accounts payable should check a transaction with their superiors.
A tip for when you’re using Interac e-Transfer Autodeposit to send money: The recipient’s legal name will appear on the confirmation screen (the last step before sending funds). This gives you an opportunity to confirm their identity.
There’s lots more to learn about security for your small business at From Dollar One, a knowledge and resource hub for Canadian entrepreneurs.