What Type of Scams Should You Guard Against? Part 1: Business Case Studies

 

When you’re a small business owner, as if you don’t already have enough to worry about, crooks have become a lot more sophisticated in trying to scam you out of your hard-earned money.

Many scams fall into the same overall types of scams. According to a recent Better Business Bureau survey, the six most common of these that small businesses need to protect against are:

• Imposters posing as a bank or credit card company and pretending to verify account information but with the actual intent of gaining access to a business’s accounts.
• Scammers pretending to represent various government agencies who threaten to impose fines or take similar enforcement actions if a business does not pay fees or taxes.
• Fraudsters who offer businesses increased visibility through advertising, advanced search engine techniques, and business directories.
• Sending a business an invoice for services never rendered or trying to induce a business to pay for products it never ordered or received.
• Paying for goods and services with fraudulent checks from non-existent accounts.
• Scams involving tech support or ransomware demands.

Spotting a scammer

Although every scam and every scammer are unique, most all share the same general characteristics. Here are some red flags to look for:

• They pretend to be someone you trust, either in the guise of a company, person, or government agency.
• They create a sense of urgency by setting a short deadline to respond.
• They use fear and intimidation, pressuring you to send a payment before you can check out their claims.
• They use wire transfers, gift cards, or other untraceable payment methods.

Business Case Studies

It’s impossible to list even a small fraction of all the scams targeting businesses today. However, the following case studies will give you an idea of some of the tactics scammers use.

Business email compromise (BEC)

This is sometimes referred to as CEO fraud. Losses are estimated at more than $5 billion globally, and that figure continues to rise as scammers refine their already sophisticated tactics.

BEC involves a crook gaining access to a business owner’s corporate email account. The scammer then spoofs the owner’s identity to defraud the company. Favorite targets include companies that often conduct business with overseas suppliers of who routinely transfer money through wire transfers.

This form of transferring money is especially vulnerable because legitimate wire transfer requests are often urgent, and in most cases, the resulting wire transfer will be processed immediately. Companies that work using this model often don’t take the time to sign forms or wait for callbacks to confirm the transfers, creating further exposure.

It’s estimated that about 40% of all business victims of BEC are small or medium-sized businesses.

BEC remains an ongoing problem despite the requirements that banks are required to implement enhanced security measures to verify transfers.

An example of how BEC can happen

In 2018, an authorized wire transfer originator for a non-profit business client of First Business Bank made a wire request transfer of $28,626 to a person at Wells Fargo Bank. First Business Bank verified the documentation and initiated an authentication process to verify the legitimacy of the request. Later that day, the non-profit’s Executive Director contacted the bank to report the wire request was fraudulent and that it should not have been approved.

The Executive Director had approved the request, which he thought was from a colleague who was also an authorized account representative. But upon closer inspection of the request, it was determined the request was a fraud.

WannaCry ransomware attack

In 2017, the WannaCry ransomware cryptoworm hacked into computers running the Microsoft Windows operating system. It encrypted data and demanded Bitcoin ransom payments. Although the attack stopped when Microsoft issued an emergency patch in just a few days, it was estimated to have infected more than 200,000 computers in 150 countries.

Losses ranged from hundreds of millions of dollars into the billions of dollars. In late 2017, the United States, U.K., and Australia formally accused North Korea of being behind the attack.

Petya cyber-attack

Also, in 2017, The Petya ransomware attack took place. The software took over computers and demanded $300 in bitcoin. It also exploited Microsoft operating systems, specifically something known as the EternalBlue vulnerability. It appears to have started through a software update mechanism for companies working with the Ukrainian government.

It affected banks, power utilities, and even the radiation monitoring system at Chernobyl had to be taken offline. Ultimately, Petya caused serious disruptions at companies throughout the United States and Europe.

The IRS W-2 phishing scam

In recent years, phishing scammers have sent out fake emails that look like they are being sent from various businesses and corporations. These emails request personal information of employees under the guise of obtaining important tax and compliance information.

This scam requires that bad guys know who has access to W-2s in your business who has the authority to ask for this information.

In one year alone, this scam impacted more than 120,000 employees at 100 different businesses in the United States.

The phony Amazon attack

Under this scam, hackers send out what appears to be legitimate deals to businesses and consumers who are Amazon customers. When a recipient attempts to purchase the deal, the transaction is not completed. Instead, customers are redirected to a page to input data that can be stolen and used by hackers.

A variation of this is a scammer who will send out an email appearing to be from FedEx or USPS with the subject line “Shipping Information.” When a recipient opens a link in the email, they are directed to a page that downloads a virus on to the person’s computer, which can then be held for ransom.

The non-profit filed an incident report with the Internet Crime Complaint Center, worked with law enforcement, and contacted the beneficiary bank, among other actions.

Chipotle data breach

The vast majority of 2,000+ Chipotle employees were hit by a data breach that occurred when Eastern European hackers sent emails to staff that turned out to contain malware.

For three weeks, this malware allowed the hackers to gain access to each store’s POS system and access customers’ “track data,” which includes credit or debit card numbers, expiration dates, and verification codes that are stored on a card’s magnetic strip. The breach affected restaurants in 47 states.

Shell companies are often inside jobs

A shell company exists only on paper. It provides no goods or services. It is also one of the easiest ways for an employee to execute a fake invoicing scam.

The employee will set up a company in a friend’s or relative’s name, and then invoice their own company as a means of collecting payments. Most of the time, the employee will have some level of knowledge on how invoices are processed, or they may even be the employee doing the actual processing. That means they know what dollar amounts to stay under to avoid detection, making it easy to scam an employer for years.

Lawyers are not immune

Believe it or not, attorneys are often victims of business scammers. It happens in a couple of different ways.

A lawyer may be contacted by a “client” claiming a business owes them money and that if the lawyer collects this money, they’ll earn a fee. The lawyer reaches out to the “debtor” who sends a fake check to the law firm to pay the debt. The firm deposits the money, and the client directs the lawyer to deduct their fee and wire the balance to an account, which turns out to be untraceable or in another country.

Similarly, attorneys in divorce settlements may receive a supposed settlement, which is actually a fake check. They deposit the money, distribute the funds, and then find out from the bank that the check is a fake, leaving them on the hook if they’ve already sent out money to a client.

The overpayment scam

In this type of scam, a “vendor” or customer may contact a business, purchase a product or service, and then send a payment in for more than the amount they should have paid. Fraudsters then ask the business to wire them a refund using a wire transfer or other similar means.

This type of fraud is also prevalent on Craigslist for people who are selling big-ticket items like cars or boats.

A few more “inside job” hits…

From CFO Daily, here are some brief real-life examples of how employees scammed businesses:

• An IKEA employee mastered the company’s phone and mail order system and issued himself $400,000 in refunds for purchases made by customers in a single year.
• A Calgary Transit employee swiped almost $375,000 by pocketing about $200 a day in coins while he was a fare counter.
• A U.S. postal worker in Washington, D.C. took the agency for $40,000 by claiming he was stuck in jury duty for a case that lasted 144 days.
• A former embezzler turned theft prevention specialist put his talents to use by scamming Block Communications out of more than $1.1 million for a firm he was supposedly trying to protect.
• The FBI caught a former Quest Diagnostics manager who stole more than $1.2 million through false expenses using fake companies and invoices. His reward was five years in prison.

By better educating yourself as a business owner, you can harden your business against scammers, hackers, and fraudsters. Your business’s very survival may depend on how well you proactively fend off attacks from criminals looking to take advantage of you.