5 Scams Targeting Pennsylvania Small Businesses


You might think that since your business is small, it won’t be an attractive target for scammers. Sadly, the opposite is true. Small businesses are actually targeted more frequently than larger companies, often because they lack the resources (both money and people) that bigger operations can invest in fraud prevention and detection measures. Here are 5 common scams you need to be aware of, along with some actionable tips to keep your business safe.

 

1. The Phony Invoice Scam (AKA "We Sent You the Stuff, Now Pay!")

 

This is a classic, but it still fools plenty of business owners. You receive an invoice for goods or services you never ordered. It might be for office supplies, website services, or even directory listings. The invoice often looks official and might even threaten late fees. Invoice fraud is a growing concern for small business owners. According to a 2024 study by the Association of Certified Fraud Examiners (ACFE), businesses lose about 5% of their revenue to fraud each year. These invoice scams come in several varieties:

 

  • Fake Invoice Scam: Scammers send fake invoices that look real. If a company is swamped with invoices, the person handling payments might not check each one thoroughly. If there's poor communication between the work done and the invoicing process, there might be no way to verify if the invoicer actually performed the work. The business pays the invoice without realizing it's fake.


  • Supplier Impersonation Scam: Scammers pretend to be a known supplier and send an invoice for payment. They might even hack into the supplier's email account to make the request seem genuine.


  • Business Email Compromise (BEC): Hackers gain access to a business email account and use it to send fake payment instructions. They may instruct clients to redirect their payments to a different bank account belonging to the scammer.


  • Overpayment Scam: A scammer sends a check for more than the amount owed and then asks for the difference to be refunded. The original check later bounces, leaving the business out of pocket. Sometimes, the scammer sends an invoice for a real service but tweaks it so the client ends up paying more. This might involve charging for services not provided or slightly inflating the costs.


  • The Duplicate Invoice Scam: The scammer has done some work for the client but tries to get paid twice for the same job. For example, they might "accidentally" send the same invoice twice, hoping the client will pay both times.

 

Defense Strategy:

 

  1. Implement a strict invoice approval process: Train your team to only pay invoices with a corresponding purchase order and verification from the person who ordered the goods/services.


  2. Double-check everything: Before paying any invoice, confirm that you actually received the goods or services and that they were ordered.


  3. Don't be pressured: If something feels off, investigate. Don't rush to pay just because of a threat.
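
The approval process above can also be expressed as an automated pre-payment check. This is an added example, not part of the original article; the record layout, vendor names, and account numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (assumptions, not data from the article).
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "Acme Paper", "amount_cents": 45000, "received": True},
    "PO-1002": {"vendor": "Keystone IT", "amount_cents": 120000, "received": False},
}
VENDOR_BANK_ON_FILE = {"Acme Paper": "ACCT-1111", "Keystone IT": "ACCT-2222"}


@dataclass(frozen=True)
class Invoice:
    number: str
    vendor: str
    po_number: Optional[str]
    amount_cents: int
    bank_account: str


def review_invoice(inv, paid_keys):
    """Return the reasons to hold an invoice; an empty list means it may be paid."""
    reasons = []
    po = PURCHASE_ORDERS.get(inv.po_number) if inv.po_number else None
    if po is None or po["vendor"] != inv.vendor:
        reasons.append("no matching purchase order")
    else:
        if not po["received"]:
            reasons.append("goods or services not confirmed received")
        if inv.amount_cents > po["amount_cents"]:
            reasons.append("amount exceeds purchase order")
    # Payment details that differ from the vendor record need a call-back
    # to the supplier on a known phone number before anything is paid.
    on_file = VENDOR_BANK_ON_FILE.get(inv.vendor)
    if on_file is not None and inv.bank_account != on_file:
        reasons.append("bank account differs from vendor record")
    # Key on vendor, PO and amount so a resent invoice with a new number is caught.
    key = (inv.vendor, inv.po_number, inv.amount_cents)
    if key in paid_keys:
        reasons.append("possible duplicate of a paid invoice")
    if not reasons:
        paid_keys.add(key)  # record only invoices that were approved for payment
    return reasons
```

Any invoice that comes back with a non-empty list goes to a person for review instead of straight to payment.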

 

2. Phishing Scams

 

A phishing scam is an electronic message sent to you via email, text, or messaging app that’s “fishing” for information. It will ask you to do something, like log in to an account or call someone who will then ask you for sensitive information. Once you’ve taken the bait, the bad actor on the other end will use what you provided to defraud you. For example, they can use your legitimate login credentials to access your real account, or take the personal info you provided by phone to steal your identity.


Defense Strategy: 


  1. Learn how to identify phishing scams: common signs are a generic greeting, a claim that your account is on hold because of a billing problem, and an invitation to click on a link to update your payment details.


  2. View the sender's real email address: double-click or tap the sender's name to view the real email address. (In Gmail, hover over the sender's name, which means to move your mouse over the text but don't click.) Make sure it matches the expected email address and has a legitimate domain after the @ symbol in the email address.


  3. Flag external emails:  By recognizing quickly which emails are from non-internal senders, you can better spot potential phishing attempts.


  4. Take advantage of anti-phishing protection offered by your email service provider.


  5. Verify the request by reaching out through known channels.
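
Steps 2 and 3 above (checking the real sender address and flagging external mail) can be automated on the raw `From` header. This is an added example, not part of the original article; the internal domain reuses the article's placeholder, and the known-sender table and sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions: your own mail domain, and the domains each known sender really uses.
INTERNAL_DOMAINS = {"yourbusinessname.com"}
KNOWN_SENDERS = {"acme bank": {"acmebank.example"}}  # constructed entry


def _in_domains(domain, domains):
    """True if domain equals, or is a subdomain of, one of the listed domains."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def check_sender(from_header):
    """Return warning flags for a raw From header; an empty list means no warnings."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    shown = display.lower()
    flags = []
    # Step 3: mark anything that did not come from your own domain.
    if not _in_domains(domain, INTERNAL_DOMAINS):
        flags.append("EXTERNAL")
    # Step 2: the friendly name claims a known sender, but the real domain is not theirs.
    for name, domains in KNOWN_SENDERS.items():
        if name in shown and not _in_domains(domain, domains):
            flags.append("name claims known sender but domain differs")
    # The friendly name is itself an email address that differs from the real one.
    if "@" in shown and shown.strip() != addr.lower():
        flags.append("display name shows a different address")
    return flags


# Constructed sample headers for a quick manual run.
if __name__ == "__main__":
    for header in (
        "Jane Doe <jane@yourbusinessname.com>",
        "Acme Bank Billing <alerts@acmebank-secure.example>",
        '"billing@acmebank.example" <x@mail-update.example>',
    ):
        print(header, "->", check_sender(header))
```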

 

3. The Fake Directory Listing Scam (AKA "Get Listed...For a Price!")

 

You receive a phone call or email from someone claiming to be with Google, Yelp, or some other directory service. They insist you need to update or "verify" your listing, and they offer to do it for you… for a fee.  These services are often free or have very low-cost options. The scammer convinces you that you need their "premium" service to avoid being delisted or appearing lower in search results.

 

Defense Strategy:

 

  1. Verify the source: Before providing any information or paying anything, contact the directory service directly through their official website or phone number. Don't rely on the information provided by the caller or emailer.


  2. Know your listings: Familiarize yourself with the official policies of the directory services you use.


  3. Resist the hard sell: Legitimate directory services don't typically use high-pressure sales tactics.


  4. Do your own updates: Most directory services allow you to update your listing yourself for free.

 

4. The Tech Support Scam (AKA "Your Computer Has a Virus…Pay Us to Fix It!")

 

You receive an unsolicited call from someone claiming to be with Microsoft, Apple, or another tech company. They say your computer is infected with a virus and offer to "fix" it remotely… for a fee.  They often use fear tactics and technical jargon to confuse you. Once they gain access to your computer, they can install malware, steal sensitive information, or demand exorbitant fees.


Defense Strategy:


  1. Never give unsolicited access: Legitimate tech companies will never call you out of the blue and ask for remote access to your computer.


  2. Hang up!: Immediately end the call.


  3. Contact your IT support: If you're concerned about a virus, contact your regular IT support provider or a reputable computer repair service.


  4. Run a virus scan: Use a reputable antivirus program to scan your computer for malware.

 

5. Domain Registry and Renewal

 

Unless you register your business’ website and email domain name (e.g., yourbusinessname.com) privately, scammers can get your domain and contact details easily. One of the most common scams that results from this is getting emails from senders who claim that your domain, website, or email account is up for renewal, and that if you don’t pay up immediately, you’ll lose it.


Defense Strategy:


  1. Opt for private domain registration (even if it costs a few dollars more), or choose a domain registrar that includes private domain registration for free.


  2. Keep good records of where you purchased your domain, web hosting, and email services, including service providers and terms of service (e.g., expiration dates).


  3. Set up automatic renewals and payments with your domain, website, and email hosting services.

 

Protecting Your Business is an Ongoing Process


Staying vigilant and educating your employees are crucial to protecting your small business from scams. In addition to the actions you can take to protect your small business from scams like these, take time to build processes and procedures for training your employees. The better you and your staff are at spotting fakes and scams, the better you will be able to safeguard your company against loss.
