Cyber fraud is a major threat for small businesses. Here are six of the most common cyber fraud schemes that target small businesses, and tips on how to avoid getting compromised by these attacks.

Cybersecurity is crucial for large corporations. Everyone hears about it when large companies like Target and Home Depot are victims of data breaches, but when small business security is breached, it rarely makes the headlines. However, 43 percent of cyberattack victims are small businesses with fewer than 250 employees, according to the 2019 Verizon Data Breach Investigations Report. That means your business is potentially a target of cybercriminals, and they are getting better at tricking business owners and their employees.

The first line of defense is to be aware of the ways scammers may conspire against your business. Here are six of the most common cyber fraud schemes that target small businesses, and tips on how to avoid falling prey to these attacks.


Phishing emails

How it works: Imagine that an employee who handles purchasing for your business receives an email that appears to be from your company’s vice president. The email requests that the employee order a new laptop and have it shipped to an unfamiliar address. Because the email appears to come from an executive team member, the employee follows the request and inadvertently purchases and ships a new computer to a thief.

Phishing emails are targeted emails that appear to come from official accounts, clients, and stakeholders. They are intended to trick recipients into sending money, expensive items, or personally identifiable information. That sensitive information may include Social Security numbers, birth dates, gym membership information, and other data that makes it easy to commit identity theft. In many cases, these emails appear to come from higher management requesting that HR personnel send personal information (think W-2’s). This provides thieves with enough information to steal employees’ identities and damage their finances.

How to avoid it: Train employees to recognize fraudulent emails. In many cases, phishing emails will contain grammar mistakes and spelling errors, or logos and other graphics that look a little off. Also, instruct employees to check with the supposed sender before providing sensitive information or valuable property. All employees should be instructed to verify any request via trusted communications channels, such as a phone call or originating a new email to the person’s company email address, or looping in someone from legal to review the request.

Frequently, phishing emails will come from an email address that looks very similar to the legitimate email address, with one or two different letters. Instruct employees to carefully review the sender’s email address whenever they receive a sensitive request.
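A mail filter or help-desk script can run the same "one or two different letters" check automatically on the domain part of the sender address. The Python below is an added example, not part of the original article; the trusted domains, sample headers, and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: domains your business really exchanges mail with (constructed).
TRUSTED_DOMAINS = {"example-corp.com", "example-supplier.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap of adjacent letters) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two adjacent letters swapped ("exmaple") count as a single edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, max_edits=2):
    """Return (verdict, trusted_domain); verdict is trusted, lookalike or unknown."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unknown", None
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        # Close to a trusted domain but not identical: the pattern described above.
        if edit_distance(domain, trusted) <= max_edits:
            return "lookalike", trusted
    return "unknown", None

def flag_lookalikes(from_headers):
    """Return the headers whose domain imitates a trusted one, for manual review."""
    return [h for h in from_headers if classify_sender(h)[0] == "lookalike"]

# Constructed sample From: headers.
SAMPLE_HEADERS = [
    "Dana Reyes <dana.reyes@example-corp.com>",    # genuine
    "Dana Reyes <dana.reyes@examp1e-corp.com>",    # digit 1 in place of letter l
    "Dana Reyes <dana.reyes@exmaple-corp.com>",    # two letters swapped
    "Billing <ap@example-suppliers.com>",          # one extra letter
    "News <news@unrelated-newsletter.org>",        # unrelated sender
]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE_HEADERS):
        print("REVIEW:", header, "imitates", classify_sender(header)[1])
```

A "trusted" verdict only means the domain is spelled correctly; the request itself still needs to be verified through a separate trusted channel.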

Fake invoices

How it works: Your accounts payable employee receives an invoice for a load of boxes and other shipping supplies. She knows that your warehouse regularly orders shipping supplies. So even though she doesn’t recognize the vendor, she assumes the invoice is legitimate and pays it. However, the invoice was from a scammer who has never sold anything to your business, and they just made several hundred dollars off your business.

When scammers send fake invoices charging you for services or items you never received, they take a bet that whoever pays won’t check the bill before paying. They may also make an invoice for the types of materials or supplies you would usually purchase, so it doesn’t look suspicious.

How to avoid it: Make sure to review each invoice for legitimacy, and never pay unless the charges are verified. Train your staffers to do the same thing. Even if the invoice appears to come from a trusted vendor, if it has a different address than the one you usually remit to, call the vendor to verify. Find the vendor’s number on previously approved invoices or online to ensure that you are not being redirected to the scammer’s phone number.

Also, make sure your business has clear procedures for processing and paying all invoices. For instance, the person who ordered the supplies or services should be required to verify the invoice before the accounts payable department can pay it.

ACH and wire transfer fraud

How it works: ACH transactions and wire transfers are the quickest ways to send cash, and scammers are taking advantage of these transactions to steal from bank accounts. Cybercriminals use phishing emails, compromised websites, and malware to steal bank login credentials. Cyberattackers then use those credentials to transfer money out of victims’ bank accounts and into their account, which is often overseas where funds can’t be recovered.

How to avoid it: Make sure staffers use the strategies they would use to prevent phishing attacks. This includes watching out for inconsistencies in email addresses or domain names or unusual language in emails. Before approving a wire transfer or ACH transaction, always call a phone number you trust, such as your bank, and talk to someone who has been working with you. Also, instruct your bookkeeping staff to reconcile transactions daily to identify and return any unauthorized ACH debits. You and your team could also consider blocking all ACH debits.

Unordered office supplies

How it works: Picture this: A person claiming to be a vendor may call to “verify” a supply order and your address. After talking with you, they send supplies or equipment you didn’t order and demand you pay for it. When you protest, they present a recording of your conversation, which includes you verifying your address, as proof that you “ordered” the supplies.

How to avoid it: If you receive merchandise you didn’t order, you can legally keep it for free. But you can prevent the appearance of ordering unwanted merchandise by directing all calls about orders to one person or department who handles and tracks all orders.


Ransomware

How it works: A staff member clicks a link in a fraudulent email or opens a fraudulent attachment, which causes your system to lock up. Then the fraudster demands that you pay a ransom to have it unlocked to regain access to your files.

How to avoid it: Train staff members to detect fraudulent emails. Also, make sure all of your computers and devices are running with the most updated software and operating systems. These updates are necessary to combat the latest bugs, including ransomware. Also, use virus protection software that includes protection for ransomware, and keep it updated. Implement strong spam filters and only allow access to sensitive information for those staffers who need it.

If you get locked out of your computer, first look online to see if there are decryption tools available for the ransomware you’ve acquired. Sometimes, the details of the ransomware have been leaked, and good guys have already developed a fix. If not, you can pay the ransom, but there’s no guarantee that you’ll get your files back or that they won’t be damaged. When you pay the ransom, you are funding a criminal’s business model. Some experts recommend simply recreating the files you can and moving forward.

Government agency impostor scams

How it works: You receive a phone call from someone posing as a representative of law enforcement or other government agency. They threaten to impose fines, suspend your business license, or take legal action.

How to avoid it: Rather than getting worried that you’ve missed an outstanding payment, write down the information the caller gives you. Then tell them you’ll call back. Most scammers will do everything they can to keep you on the phone and get a credit card payment. Don’t fall for it.

Before paying any money to a supposed government agency, call the number for the agency listed in your local directory and verify the charges. Visit in person if possible and never send money via wire transfer or gift card.

Following these tips can help you to ensure that your business stays safe from any hackers or any malicious attacks.

This article is for promotional purposes only. Santander Bank, N.A. (“Santander”) does not provide investment, business, financial, accounting, tax, or legal advice, and the content of this article does not constitute investment, business, financial, accounting, tax, or legal advice. Santander does not make any claims, promises, or guarantees about the accuracy, completeness, currency, or adequacy of any content. Santander expressly disclaims all express and implied warranties of accuracy, completeness, currency, or adequacy of the information and content in this article. Readers should consult their own attorneys or tax or other advisors regarding the applicability of any referenced information or financial or other strategies to their own unique circumstances. This article does not necessarily reflect the views or endorsement of Santander.

Santander Bank, N.A. is a Member FDIC and a wholly owned subsidiary of Banco Santander, S.A. ©2022 Santander Bank, N.A. All rights reserved. Santander, Santander Bank and the Flame Logo are trademarks of Banco Santander, S.A. or its subsidiaries in the United States or other countries. All other trademarks are the property of their respective owners.

