Learn how to recognise common online scams and how you can protect your small business against them in this guest feature from Take Five to Stop Fraud.
Everyone thinks their business is relatively scam-proof and that they’d be able to spot a fraudulent approach from a mile away, but the truth is criminals are increasingly using sophisticated techniques to trick people into revealing their business’s financial information.
Whether you’re in the throes of coming up with an idea for your next business venture or just establishing your company, the impact of fraud and scams can be hugely detrimental and many firms may struggle to recover from the financial and reputational damage it can cause.
Business owners and senior managers are often unaware of the fraud risks and methods used to target them, while criminals can be convincing enough that staff let their guard down, which can result in a significant loss of money in very little time.
By following the advice of the Take Five to Stop Fraud campaign, your organisation can better protect itself from fraud and scams.
Four common types of online scams
1. Impersonation scams
What is an impersonation scam?
Criminals are experts at impersonating organisations such as government departments, sending seemingly genuine emails that utilise official branding and logos to trick your business into parting with money or financial information.
This could include fake emails offering you a “tax refund” or “government grant” or asking you to provide your firm’s bank details to “your bank”. Clicking on links contained in emails and texts will lead to cloned websites designed to obtain your business’s information.
Often these scams begin with a call, email or text message that appears to be from a trusted organisation. Criminals use a tactic called spoofing to make their call or text message appear genuine by cloning the number or sender ID which the organisation uses.
The shift to remote working has also provided criminals with an opportunity to impersonate IT departments or software providers. They often persuade you to download software onto your computer and trick you into revealing your financial information by claiming to offer technical support.
How to spot an impersonation scam
It can be difficult to tell the difference between a genuine email and one that’s a scam.
There are a few signs to look out for:
- You receive a call, text or email out of the blue with an urgent request to make payment or requesting your business’s financial information. You’re asked to act immediately, sometimes with the claim that “payments need to be verified” or to claim “a pending tax refund”
- The caller may ask you to download software onto your computer
- The sender’s email address domain is different to that of the genuine organisation
How to protect your business
- Avoid clicking on any links or attachments within emails or texts, unless you are sure they are from genuine, trusted companies and you are expecting them
- Contact your business’s bank or trusted organisations directly using a known email or phone number
- HMRC will never notify your business about tax refunds, penalties or ask for your firm’s personal or financial information through emails, texts or phone calls
- Don’t give anyone remote access to your computer following a cold call or an unsolicited text or email
2. Invoice and mandate scams
What is an invoice and mandate scam?
Criminals can also masquerade as your regular suppliers, persuading you to change bank details, so payments are instead sent to an account controlled by them. These scams often involve email interception where they gain access to your supplier’s email account or spoof their emails.
Criminals will carry out extensive research to ascertain who your suppliers are and when regular payments are due. The fraud is often only discovered when the legitimate supplier of the product or service chases for non-payment. At that point recovery of the funds from the fraudulent account is very difficult.
How to spot an invoice and mandate scam
These scams often use a multitude of channels such as phone, letter, or email which appear to be professional and seemingly genuine.
What to look out for:
- You receive a request out of the blue to change the bank details of an existing supplier
- You receive more frequent than usual or duplicate invoices for a product or service
- There’s a sense of urgency to the request for payment
- The sender’s email address is slightly different from that of the genuine supplier’s address
How to protect your business
- Implement due diligence checks when changing supplier payment details, if not in place already. This could be through internal controls to independently authenticate unusual emails
- Confirm supplier bank details directly with suppliers using their established on-file details before any payments are made. Make sure you don’t step outside your usual payment method even if it’s urgent
- When paying a supplier for the first time, transfer a small amount first and check that the payment has been received directly by the company
- Be careful with the type of information you share online about your business
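The "slightly different" sender address sign described above can be checked automatically before a payment-detail change is actioned. The following is an added example, not part of the original guide: the supplier domains, the `classify` function and its thresholds are constructed assumptions, and a real list would come from your own on-file supplier records.

```python
from email.utils import parseaddr

# Constructed on-file supplier domains (assumption: taken from your own records).
KNOWN_DOMAINS = {"northgate-supplies.example", "brightpath-logistics.example"}

# Character swaps that make a domain look familiar at a glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def fold(domain):
    """Collapse look-alike characters and hyphens before comparing."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain.replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(from_header, known=KNOWN_DOMAINS, max_distance=2):
    """Label a sender as on-file, lookalike (of which supplier), unknown or invalid."""
    domain = sender_domain(from_header)
    if not domain:
        return ("invalid", None)
    if domain in known:
        return ("on-file", domain)
    for good in sorted(known):
        if fold(domain) == fold(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)  # close to a real supplier but not the same
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("Accounts <accounts@northgate-supplies.example>",
                   "Accounts <accounts@northgate-supp1ies.example>",
                   "billing@unrelated-vendor.example"):
        print(sender, "->", classify(sender))
```

A "lookalike" result is a prompt to confirm the request with the supplier using their established on-file details, and an "on-file" result does not prove the message is genuine, because a supplier's real account may have been compromised.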
3. CEO scams
What is a CEO scam?
As the name suggests, this scam involves spoof emails that appear to be from a senior manager or the boss of a business, requesting urgent payment or for the bank account details for a contract or supplier to be amended.
Criminals often target businesses over several months, researching the employees responsible for authorising payments and the names of those in senior positions using information found on company websites or social media.
How to spot a CEO scam
In the heat of the moment, it can be easy to lower your guard and act immediately on requests received, especially when it comes from someone senior.
What to look out for:
- You’re asked to urgently process an out of the ordinary payment by your CEO, a boss or a senior manager
- The language used in the email isn’t consistent with that of the genuine sender
- You’re asked to change the bank details of an existing supplier on your system
How to protect your business
- Confirm urgent payment requests directly with the sender in person or over the phone
- Ensure employees feel comfortable approaching senior staff to verify payment requests and are aware of the types of requests they should be expecting. Having a process in place to ensure dual authorisation is vital
- Make sure all staff check for irregularities before processing payments and changing bank details
4. Investment scams
What is an investment scam?
Criminals are increasingly using adverts promoted on search engines and social media to trick businesses into parting with their money by offering investment opportunities that guarantee stronger rates of return and minimal risk.
Cloned websites that impersonate genuine investment firms and fake comparison sites are used by criminals to lead you to believe that you are in contact with a reputable organisation.
Criminals may even send official-looking documentation to add a layer of authenticity to their scam, as well as paying out returns in order to encourage and convince businesses that their investment is genuine and to invest larger amounts.
How to spot an investment scam
It’s understandable how these schemes can reel us in, but it’s important to remember that if it sounds too good to be true, it usually is.
A few signs to look out for:
- When using search engines to look for investment opportunities, you may be directed to a cloned or comparison website that has a contact me form which requires your personal information. These investment opportunities may also be promoted through social media
- Your business is contacted out of the blue by phone, email or social media platform about an investment opportunity
- You are pressurised into making a decision with no time to consider the investment or do any research into the organisation providing you with the offer
- You are offered a high return on your investment with what appears to be little to no risk
- You are told the investment opportunity is exclusive to you and your business
How to protect your business
- Be cautious of unsolicited approaches presenting your business with exclusive investment opportunities or online opportunities advertised through search engines
- Check the Financial Conduct Authority’s register for regulated firms, individuals and bodies. Ensure you only use the contact details listed on the Register to confirm you’re dealing with the genuine firm
- Be vigilant of fake adverts that lead to websites that may not be genuine when using search engines for investment opportunities
- Perform brand impersonation checks to ensure that domains similar to that of your business are not being misused elsewhere by criminals for fraudulent purposes
- Collaborate with peer institutions and other industries to share intelligence and agree upon mitigating action
How can I report fraud and scams?
Reporting fraud and scams is essential to stopping criminals and protecting others. You should forward scam emails to report@phishing.gov.uk and scam texts to 7726. If a scam text claims to be from your bank, then you should also report it to them.
If you receive a suspicious email purporting to be from HMRC, ensure you forward it to phishing@hmrc.gov.uk and texts to 60599.
Take Five to Stop Fraud
You can protect your business from fraud and scams by taking a few precautions, such as implementing internal controls when it comes to making payments and always contacting organisations or your bank directly using a known email or phone number rather than clicking on a link or using the number given to you in a text or email.
It’s human nature to trust, but it’s important to know that it’s okay to challenge requests to make an urgent payment, or for your business’s personal or financial information.
Stop: If you receive a request to make an urgent payment, change supplier bank details or provide financial information, take a moment to stop and think.
Challenge: Could it be fake? Verify all payments and supplier details directly with the company on a known phone number or in person first.
Protect: Contact your business’s bank immediately if you think you’ve been scammed and report it to Action Fraud.
We hope the advice and guidance provided will enable your business to implement the appropriate controls, but most importantly help to educate your staff on the warning signs of fraud and scams.
Remember, if you believe your business has fallen for a scam, contact the bank immediately on a number you know to be correct, such as the one listed on the back of your business’s bank card, on a statement or their website.
You should also report it to Action Fraud on 0300 123 2040 or via actionfraud.police.uk. If you are in Scotland, please report to Police Scotland directly by calling 101 or Advice Direct Scotland on 0808 164 6400.
The information in this guide is for general guidance about cyber security good practice only and is not legal advice.
We have tried to ensure that this guidance is accurate and relevant as at April 2021. However, Nominet UK does not accept liability for any loss, damage or inconvenience arising as a consequence of any use of or failure to use any information contained in this guidance.
Sarah Sinden is an experienced Economic Crime professional, having worked in various roles to combat fraud for over 20 years. Sarah currently leads the industry Economic Crime fraud prevention education and awareness activities at UK Finance and is responsible for the development management of the Take Five to Stop Fraud awareness and behaviour change campaign as well as Don’t be Fooled – the money mules campaign, both of which were – and continue to be - aired on national television, radio, and featured high profile press campaigns.