
Email Scams Targeting Small Businesses

Small Business Technology Tip - Dave Pelland
Dave Pelland has extensive experience covering the business use of technology, networking and communications tools by companies of all sizes. Dave's editorial and corporate experience includes more than 10 years editing an electronic technology and communications industry newsletter for a global professional services firm.

Even as small businesses get better at identifying and mitigating phishing and ransomware attacks, the business email compromise (BEC) threat continues to evolve.

A BEC attack involves hackers either gaining access to a corporate email account and sending messages to steal money or information from other companies that do business with the victimized company, or impersonating another company by using a similar email address.

As the threat increases, so do the costs to its victims. According to the FBI, BEC scams cost U.S. companies at least $12.5 billion in losses between 2013 and 2018.

And email remains a popular attack vector for hackers. According to one 2018 study, 49 percent of the malicious software (nicknamed “malware” by security pros) that infects workplaces is installed through email scams.

Small businesses remain a popular target for BEC scams for several reasons, starting with the fact that there are so many more small businesses than large companies in the United States. Equally attractive to hackers is the fact that most small businesses have fewer or less sophisticated cyber security protections than their larger counterparts.

Small companies also have a potential disadvantage in that, unlike consumers, they’re less able to ignore incoming calls or to leave emails from unfamiliar addresses unopened.

Common Scams

While targets vary among specific scams, hackers are generally using BEC techniques to trick business users into disclosing sensitive information such as company financial data; the passwords to banking and cloud accounts; customer data; and personal information about company employees.

Probably the most common email scam targeting small businesses involves fake invoices for office supplies or directory listings. Those are designed to look like routine notices, and usually involve relatively small amounts in the hopes they’ll be paid without arousing suspicion.

The best defense against invoice fraud is to verify that any invoices are legitimate before paying them. For manual invoices, make sure the amount of the invoice is close to past payments or your agreement. It’s also important to check whether the vendor’s payment information is the same as past invoices. Any variations in this information can suggest potential fraud.

Similarly, if you receive an email that appears to come from a vendor advising you that the vendor’s payment information has changed, be sure to verify that the change is legitimate. Call the vendor directly, but don’t use the phone number or email address included in the message providing the new payment information.
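
The invoice checks described in the two paragraphs above, together with the look-alike sender address mentioned earlier, can be sketched in code. This is an added example, not part of the original column; the vendor record, domains, account strings and thresholds are constructed assumptions.

```python
from difflib import SequenceMatcher
from statistics import median

# Constructed vendor master record (sample data, not from the article).
VENDORS = {
    "acme-supplies.example": {
        "bank_account": "ACCT-1111-2222",
        "past_amounts": [412.50, 398.00, 430.25, 405.10],
    },
}

def lookalike_of(domain, known, threshold=0.85):
    """Return the known vendor domain that `domain` closely imitates, if any."""
    for k in known:
        if SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None

def review_invoice(sender, bank_account, amount, vendors=VENDORS, tolerance=0.25):
    """Return reasons to hold payment; an empty list means no check fired."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    vendor = vendors.get(domain)
    if vendor is None:
        imitated = lookalike_of(domain, vendors)
        if imitated is None:
            return [f"sender domain {domain} is not a known vendor"]
        flags.append(f"sender domain {domain} resembles known vendor {imitated}")
        vendor = vendors[imitated]  # compare against the impersonated vendor's record
    # Payment details should match what past invoices used.
    if bank_account != vendor["bank_account"]:
        flags.append("payment details differ from past invoices; "
                     "confirm by phone using a number already on file")
    # The amount should be close to past payments (tolerance is an assumed 25%).
    typical = median(vendor["past_amounts"])
    if abs(amount - typical) > tolerance * typical:
        flags.append(f"amount {amount:.2f} is far from typical {typical:.2f}")
    return flags

if __name__ == "__main__":
    # Constructed invoice: look-alike domain plus changed payment details.
    for reason in review_invoice("billing@acme-suppiies.example",
                                 "ACCT-9999-0000", 415.00):
        print("HOLD:", reason)
```

An empty result only means none of these three checks fired; a flagged invoice still needs the phone verification the column describes.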

In another scam, a company may receive a Request for Proposal notification that seems to come from a larger enterprise. These notices will often use the name and logo of a legitimate company, but may include a PDF that is loaded with malware designed to compromise your business data, or may include a link where you’re asked to enter banking information.

As with other notices, verification is a key step in defending yourself against fraud.

Protect Your Accounts

To protect your own accounts from being compromised, it’s important to use two-factor authentication on any accounts that allow it. This requires the use of an access code as well as your password to access the account, reducing the risk that your account can be breached by someone who guesses your password.

You should also close accounts on any cloud services that you’re not using to reduce the risk of those accounts being compromised and your email address being exploited by hackers.

The information included on this website is designed for informational purposes only. It is not legal, tax, financial, or any other sort of advice; nor is it a substitute for such advice. The information on this site may not apply to your specific situation. We have tried to make sure the information is accurate, but it could be outdated or even inaccurate, in parts. It is the reader's responsibility to comply with any applicable local, state, or federal regulations, and to make their own decisions about how to operate their business. Nationwide Mutual Insurance Company, its affiliates, and their employees make no warranties about the information, no guarantee of results, and assume no liability in connection with the information provided.