5 common online scams targeting small businesses

Phil Kendall

Oct 2021 ⋅ 10 min read

It’s hard to imagine running a business without the help of the internet.

From social media, to online advertising, to digital storefronts, the internet is integral to pretty much every element of doing business today.

Unfortunately, the fact that businesses are so reliant on the web can also leave them open to a variety of sophisticated scams and sneaky tricks designed to steal their owners’ hard-earned money.

In this blog, we’ll discuss five common online scams targeting small businesses, show you how to spot them, and provide tips for protecting your business in the event that you're ever targeted.


The scam

An increasingly common scam, aimed at small businesses in particular, involves stock images and their copyright.

It usually goes something like this:

  1. You receive an email from someone purporting to be either the owner of an image that you’ve used on your website, or a site that manages copyrights on behalf of photographers and graphic designers. More sophisticated scammers will even link to a business website that, on the surface, looks to be the real deal but probably only contains a few pages of content.
  2. The sender tells you that you’ve used an image without permission and/or the required attribution. The approach these scammers take can vary wildly: in some instances, the tone of the email will be absolutely furious; in others it will be curiously upbeat and cordial.
  3. The sender then tells you that it’s too late to remove the image (the damage has already been done!) and that payment must be made. The email will usually invite you to click a link to access their site to make a payment, or to download a document attached — purportedly containing payment information.

The goal of this scam is either to obtain payment from unwitting business owners or to infect their computers with malicious software that enables scammers to lock or control them remotely, holding them — and all your files — to ransom.

How to prevent it

As with all emails, you should never click on a link or download attachments unless you’re confident of the sender and their intentions.

If someone contacts you claiming to own an image that you’ve used, by all means check out their credentials (always search via your web browser; don’t follow the links they provide), and double-check that any images you’ve used are your own or free to use.

If you’re confident that your images are your own, then mark the email as spam using your email provider’s reporting tools, block the sender to (hopefully) prevent them from contacting you again, and delete the email.

Don’t be tempted to reply to the email, even to give the sender a piece of your mind. Any amount of engagement will result in your email address being automatically flagged as active and draw the scammers’ attention.

You should also make sure other members of your team know about the scam attempt, since scammers tend to target multiple business inboxes at once.

N.B. It’s worth mentioning that genuine photographers and copyright holders will sometimes reach out to businesses in the event that their images are used without permission (in which case, we’d recommend visiting the Intellectual Property Office in the UK or US Copyright Office to check the validity of the claim).

If you own the images on your website or have sourced them from a reputable stock image site, however, then emails asking for payment should be ignored.


2. Fake awards scam (AKA vanity awards)

The scam

Picture the scene: you’re hard at work, striving to make your small business a success.

Then, suddenly, you receive an email.

Dear [your name],
It’s my pleasure to inform you that you have been selected as a nominee for the “New Face” award in the 2022 Hospitality & Accommodation Recognition Awards.

Your business was selected above more than 300 others, and was identified by our independent nominations panel as a frontrunner in our industry.

Please visit our website to claim your spot at our virtual ceremony and to read more about the HARA.
If you have any difficulty opening this link, you can alternatively paste the following URL into your web browser:
www.normal-looking-website.uk
Congratulations again on your nomination. We look forward to seeing you at the ceremony.
Sincerely,
Nik G. Edwards
Event Manager at HARA

Sadly, this may not be quite as good news as it seems...

While it’s not impossible for your business to be the recipient of an award (and well done if you are!) fake business award scams are becoming increasingly common.

Usually containing malicious links or malware disguised as legitimate attachments, the purpose of these emails is to infect the recipient’s computer in order to steal data or charge a fee for it to be unlocked.

Other emails of this kind attempt to gain payment from the recipient by asking them to purchase tickets or cover admin costs of award ceremonies that never actually take place.

How to prevent it

Preying on newer businesses especially, emails of this kind are designed to lure their recipients in with flattery, hoping that, in their excitement, they’ll drop their guard just long enough to be duped.

Some fake awards emails are easy to spot, but others will make use of publicly available information — for instance, your industry, location, or even data gathered from sites like Companies House — to make them seem more legitimate.

They may even list some local competitors who (would you believe it!) have also been nominated.

Common red flags to look out for:

  • You were nominated for an award without your knowledge.
  • The email, or further correspondence, asks you to cover costs upfront.
  • The email contains unique ‘codes’ to enter into a website to claim an award.

The first thing to say is that we’d recommend against downloading any sort of email attachment unless you’re confident in both its content and sender.

Secondly, even if the email seems legitimate, we’d advise thoroughly researching the awarding body to see whether they’re known scammers.

Try to find out about the people behind the awards. Which companies are involved? Who are their board members? If they’re legitimate, you’ll be able to find plenty about them and be able to trace the organisations and people behind them to actual, physical addresses.

It’s also worth looking for evidence of any past awards ceremonies. Who were the winners? What kind of engagement did the last batch of awards get online?

It's worth mentioning that not all awarding bodies asking for payment in order to be considered for an award are fake (these organisations do have costs to cover after all). Sadly, however, there are others that take advantage of this fact, so be sure to do your homework before you hand over a penny.


3. Overpayments scam

The scam

Increasingly common are scams which involve a fake customer placing an order, making the payment via cheque or banker’s draft, then getting in touch to:

a) amend their order (usually to be much smaller)
b) cancel their order entirely, or
c) point out an “error” in their order, resulting in them being overcharged.

The customer then asks for the “overpaid” amount to be refunded as quickly as possible — which usually means by electronic payment (because what business owner wants to upset a customer during their first ever experience with them?).

A few days later, the business owner inevitably discovers that the original cheque for the order has bounced, meaning that they’ve “refunded” money that never belonged to the customer in the first place.

How to prevent it

The customer always comes first, but beware that you don’t give them something they’re not actually entitled to.

Telltale signs of overpayment scams include:

  • Brand new customers who place abnormally large orders, then request changes.
  • Customers who put undue pressure on the business to make the refund immediately.
  • Customers who significantly overpay for their order, then request refunds.
  • Customers asking for refunds via a payment method different from the one they originally used.

It can be difficult for businesses to reclaim funds that were paid out voluntarily, so beware of scammers asking for full or partial refunds before the original sums have cleared.


4. "Changed account details" scams

The scam

Invoice fraud is particularly common these days, with scammers targeting new and small businesses in the hope that their relative inexperience — plus the fact that their owners tend to take on multiple roles at once — makes them easier to fool.

A typical invoice scam goes like this:

You receive an email (or occasionally a paper invoice) seemingly from one of your suppliers, notifying you that they’ve changed their payment details and you should update your records to avoid missed payments or deliveries.

More often than not, the email will come together with a new invoice which needs to be paid ASAP — using the “new” account details.

Occasionally, these emails are followed by a phone call from someone pretending to be either from one of your suppliers or the firm that handles their accounts. They’ll often be able to name people at the company you work for, and may even speak to you as if you’ve already met or done business.

They’re calling, they say, to “check” that you’ve got their email about the new account details. They’ll also be able to rattle off the details of the email invoice perfectly to lure you into a false sense of security.

Finally, they’ll ask if you’d mind paying the invoice while you’re on the phone, so that they can check that the funds arrive safely.

Unlike a lot of online scams, these emails are usually very well written, and may even include such details as the names, contact details, and even logos of the businesses you work with.

Individuals who speak to you on the phone are polite, well-spoken and will try to generate some kind of rapport with you before asking for the payment to be made.

How to prevent it

Companies do update their payment information from time to time, so how do business owners avoid falling for invoice scams?

Here are our top tips for preventing invoice fraud.

  1. Verify new payment details over the phone. If you receive a letter or email telling you that someone you do business with has changed their payment details, it’s a good idea to speak to your regular contact at that company directly (use your existing contacts — don’t call a number contained in an email) and ask them to confirm the details.
  2. Call them back. Even if you think you’re talking to one of your suppliers over the phone, a sudden request to send money to a different account is a big red flag. Politely end the call and call them back on the number you usually reach them at.
  3. Use three-way matching. Where possible, match every (1) purchase order you receive to both (2) a receipt of goods and (3) an invoice.
  4. Look out for Confirmation of Payment alerts. Recently rolled out to prevent fraud of this kind, CoP alerts show the name of the person or business you’re about to make a payment to after entering their account details and sort code.

Finally, be sure to regularly audit your invoices and payments, and make your staff — especially if you’re a smaller business where people fill a variety of roles — aware of what to look out for.


5. Smishing scams

We’ve all heard of “phishing”, where fraudsters email pretending to be reputable companies or organisations and try to steal our data or infect our computers. But “smishing” is increasingly being used to target small businesses.

Smishing is essentially the same thing as phishing, but with text messages (or “SMS”, hence “smishing”) being used instead of email.

The goal is to trick recipients into tapping on a link contained within the message and either logging in to a fake version of a real website (thus providing the fraudsters with your actual login details), or downloading malware to your device.

Common smishing scams include:

  • Fake tax refunds. Guess what? You paid too much tax and now you’re getting £190.77 back! Just as soon as you’ve followed this link...
  • Reactivation scams. The email or banking account you use has been locked due to a suspicious login attempt, and you need to “confirm” your identity to reactivate it.
  • Payment confirmation scams. You’ve recently made a payment, but either your or the recipient’s bank needs to verify that it was really you...
  • Password update scams. Oh no! The site or service you use for your business has been hacked. Follow this link to change your password ASAP.
  • Parcel delivery scams. A parcel that was allegedly sent to your business is being held until payment is made. Fail to pay and the item will be returned to the sender.

Smishing scams are becoming such an issue for small business owners because, when you regularly make and receive payments, place orders, or receive packages, it’s easy to mistake messages of this kind for the real thing.

Unlike emails, text messages also tend to receive much less scrutiny. Picking up your phone and tapping on a text message — or a link within it — takes mere seconds; before you know it, you’re providing a scammer with your genuine login information...

How to prevent it

The most important thing to remember is that no credible organisation will ever ask you via text message or email to provide or “confirm” data that they should already have.

The nature of the text messages business owners receive can vary wildly, but there are a number of things that you and your team can do to reduce the chances of being caught out by a smishing attempt.

  1. Check the number. Legitimate SMS alerts from bigger businesses and organisations tend to come from six-digit codes (e.g. “622622”) rather than regular phone numbers.
  2. Take a breath. Fraudsters attempt to fluster the recipients of their text messages by creating a false sense of urgency. Take a few minutes to re-read the text and properly consider its validity. If anything seems unexpected or 'off' then it probably is — pop the number into Google to see if it’s associated with any known scams.
  3. Use a garbage log-in. Even if you believe a message to be genuine, a quick way to test the legitimacy of the site you land on is to enter random data into the login fields. The real site would recognise incorrect login details, whereas a fake would happily accept them, record them, and allow you entry.
  4. Contact the bank or company directly. If you’re unsure whether a message is genuine, contact the alleged sender via some other channel (e.g. phone or live chat) to confirm that they’ve contacted you.
  5. Never reply. Even if the text message prompts you to text ‘Stop’ to no longer receive these messages, doing so will only mark your number as active and increase the chances of similar attempts being made. Block, delete, and ignore — but never reply.

Smishing can be incredibly frustrating since, even if you block one number, fraudsters can easily switch from one number to the next.

The best practice is to scrutinise each and every unsolicited text message you receive on your phone, avoid following the links contained within them, and alert your team to the potential risks before they happen.

Wrap up

Technology has done wonders for small business owners, but with that convenience comes a number of risks.

Keep yourself and your team up to date regarding online scams in order to protect your business. Assign key tasks — for instance, anything relating to payments or orders — to a specific person at your business rather than sharing responsibility between you, so that they’re more focused on the task at hand and know what to look out for when it comes to scams.

Finally, if you believe you’ve fallen victim to this kind of scam, be sure to contact Action Fraud (the private sector company that replaced the National Fraud Authority in the UK) as soon as possible.

Stay informed and stay safe!