Insurance and Security

Business fraud prevention: Recognizing common scams

Help minimize your risk by learning about small business scams.

Published: July 21, 2017

Globally, cybercrime costs trillions of dollars every year — and as a study by Poneman explains, the disruption to normal operations costs small to medium businesses an average of $955,4291. Each year, digital scams get more complex, blending online schemes with real-life engagement and posing significant risks for small business owners.

To help protect your company’s information and prevent business fraud, make sure all your employees are aware of potential scams so they can avoid them. Here are some of the most common scams targeting small businesses:

Business email compromise

In a period of less than two years, business email compromise schemes — in which a scammer impersonating a high-level executive sends an email asking for money or sensitive information — affected 7,000 U.S. companies and cost more than $740 million, according to the FBI’s Internet Crime Complaint Center.

Steve McFarland, CEO of the Better Business Bureau’s (BBB) Los Angeles and Silicon Valley chapter, which serves 480,000 businesses, said even the savviest people fall prey to these schemes. McFarland cites a board director of his BBB chapter, whose executive assistant nearly wired $10,000 to a phony contractor after receiving what looked like an urgent email from her boss instructing her to do so.

A San Francisco-based nonprofit organization experienced a different type of compromised email scam at tax time when the organization’s human resources director received an email that appeared to come from the CEO asking for all employees’ W-2 forms. The scammer used the employees’ Social Security numbers and wage information to file a number of false tax returns.

Creating a company policy that prohibits sending sensitive information or requests for money via digital communication can help prevent business email compromise.


This type of malware, which locks down files or holds information hostage — sometimes with threats of information leaks — until the target agrees to pay a ransom, cost victims a reported $1.6 million in losses to ransomware in 20152.

Any organization can be targeted by ransomware. Sixteen of Pennsylvania’s Democratic state senators were targeted by a ransomware scam in March 2017, losing access to their network, including their website and email accounts. Two months before that attack, the St. Louis Public Library fell victim to a ransomware scam originating from access through a 4-year-old voicemail server. Refusing to pay the ransom, the library worked with the FBI to investigate the crime and partnered with a local security firm to increase its network protection. They were able to wipe information from impacted servers, restoring backup data to return to normal operation without yielding to the attacker’s demands.

Some ways for a company to avoid ransomware include:

  • Backing up data regularly to a secure external drive

  • Enabling pop-up blockers

  • Updating anti-virus software

  • Requiring employees to regularly change passwords

  • Blocking access to some websites from work computers, especially connections to malicious hosts

  • Offering IT security training for employees

Service-Provider Fraud

A number of schemes fall under the general category of service-provider fraud, in which scammers call or email pretending to offer a service such as technical help, search engine optimization, loan refinancing, or directory listings. In these cases, the scammers may ask for sensitive information - such as passwords - to access software, digital media, or other accounts, or ask for payment for services never provided.

To minimize risk of service-provider fraud, always research the reputation of a company or organization before you give them your business or access to sensitive company or customer information.

To learn more about how to reduce your risk and protect your company’s information, visit How to Protect Your Small Business.

1 Poneman Institute. "2016 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)." 2016.

2 Federal Bureau of Investigation. “2015 Internet Crime Report.” 2015.