Shielding your business from cyber shadows: Guide to modern scams
Top cybersecurity experts warn against five common scams targeting small businesses and provide practical strategies to protect your digital assets.

In today’s digital marketplace, small business owners face an evolving landscape of cyber threats designed to exploit trust, urgency, and the quest for efficiency.
As significant online shopping events approach, it’s important to recognise sophisticated scams that could impact both your business operations and customer relationships.
Drawing on insights from cybersecurity experts, this article explores five common scams targeting small businesses and provides practical strategies to protect your digital assets.
Here’s what we’ll explore:
- SEO poisoning and fake storefronts
- Antivirus impersonation and false update scams
- Business email compromise (BEC)
- Vendor and payment fraud
- Cryptocurrency and investment scams
1. SEO poisoning and fake storefronts
When searching for suppliers or deals online, be wary of sponsored “ads” at the top of search results that mimic legitimate websites. Clicking one can land you on a convincing counterfeit that delivers malware or captures whatever credentials and payment details you type in.
“Anyone can fall victim to these types of scams,” warns Melissa Bischoping, senior director, security and product design research, at cybersecurity and systems management company Tanium.
“If you’re searching for deals, keep your eyes peeled for ‘ads’ in the top results of your search that may look authentic, even going so far as to copy the look and feel of your intended page when you click on them.”
How to protect your business
- Verify the site by reading the domain in your address bar before entering anything: the registrable domain (the part just before the top-level domain) must be the vendor’s own, not a lookalike and not a brand name buried in a subdomain or path
- Use a password manager: its autofill is tied to the exact domain each login was saved for, so it will not offer your credentials on a lookalike site
- Prefer familiar online stores with established reputations, and reach them by typing the address or using a saved bookmark rather than clicking a search ad
- Check company profiles (registration details, reviews, contact information) before making purchases from new vendors.
2. Antivirus impersonation and false update scams
Cybercriminals are increasingly targeting legitimate software update processes to infiltrate businesses, creating convincing forgeries of trusted security tools you may already use.
“One employee by mistake downloaded a malware script that pretended to be a browser plugin,” explains Artem Sryvkov, formerly at Canadian cybersecurity provider EB Solution and now a search engine optimisation specialist at web design agency Glide.
“And it did the job that the plugin advertised.
But it also scanned your PC to check if you had an antivirus. If you did, it would check for a name of an antivirus program and send you a pop-up notification that looked exactly how the pop-up from your antivirus would look.”
This sophisticated approach tricks users into thinking they’re performing routine maintenance, when in fact they’re installing ransomware or other malicious software that can spread throughout your network.
How to protect your business
- Be cautious with all downloaded plugins, extensions, and files; make sure they come from trusted sources
- Verify software updates through official channels (the vendor’s own site or the application’s built-in updater) rather than clicking pop-up notifications
- Remember that most modern antivirus products update themselves silently; an unexpected pop-up urging you to download an update is itself a warning sign
- Scan downloaded files before installation and, where the vendor publishes checksums or signs its installers, verify the hash or signature
- Maintain regular offline backups of critical business data so that a ransomware infection does not also destroy your only copy
3. Business email compromise (BEC)
Perhaps the most financially damaging scam targeting businesses today is business email compromise (BEC), where fraudsters impersonate executives or trusted vendors to manipulate employees into transferring funds or revealing confidential information.
“BEC, like other social engineering attacks, can be tricky to defend against because they prey on our human instincts,” explains Ricardo Villadiego, founder and CEO of cybersecurity company Lumu.
“In 2023, the FBI registered over $2.7 billion in losses and more than 21,000 incidents.”
These attacks continue to grow more sophisticated; one increasingly common technique is thread hijacking.
“Bad actors obtain access to their victim’s email threads and stand up a lookalike domain like washington.com [with a w] instead of vvashington.com [with two v’s],” describes Mike Britton, chief information officer at cybersecurity firm Abnormal Security.
“When the hijacked threads are added into a new message from the fake domain, these tend to go unnoticed, and the criminal has effectively inserted themselves into a seemingly legitimate email thread.”
How to protect your business
- Implement multi-factor authentication on email and finance accounts, since thread hijacking starts with access to a mailbox
- Train employees to identify BEC warning signs
- Establish strict protocols for verifying and approving financial transactions
- Consider technologies that flag lookalike sender domains and add warning banners to emails from outside the organisation
- Set up a designated payments system so that invoices and bank details are never exchanged over email.
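The checks recommended in sections 1 and 3 (reading the domain in the address bar, flagging lookalike sender domains, banners for external mail) can be automated. The following Python is an added example, not code from the article or from any vendor quoted in it. It assumes a hand-maintained allow-list of trusted domains (the constructed TRUSTED set), a simplified two-label heuristic for the registrable domain (a real deployment should use the Public Suffix List, for example via the tldextract package), and a small table of confusable substitutions. Following Britton’s example, washington.com is treated as the real domain and vvashington.com (two v’s) as the impostor.

```python
"""Lookalike-domain triage for URLs and e-mail senders.

Added example; not code from the article or from any vendor quoted in it.
Assumptions (constructed for illustration): the TRUSTED allow-list, a
two-label registrable-domain heuristic (use the Public Suffix List in
production), and a small table of confusable substitutions.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: domains this business already deals with.
TRUSTED = {"washington.com", "acme-supplies.example"}

# Sequences attackers substitute for a letter, mapped back to the letter they
# imitate, so impostor and original canonicalise to the same string.
CONFUSABLES = {
    "vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
}


def normalise(host: str) -> str:
    """Lowercase, drop a trailing dot, and decode punycode (xn--) labels to Unicode."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed punycode: keep as-is
        pass
    return host


def canonical(host: str) -> str:
    """Collapse confusable sequences, longest first, so 'vv' is handled before single chars."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host


def registrable(host: str) -> str:
    """Heuristic: the last two labels (assumption; real code should consult the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one typo away from a trusted name is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str, trusted: set[str] = TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a host name."""
    host = normalise(host)
    reg = registrable(host)
    trusted_norm = {normalise(t) for t in trusted}
    if reg in trusted_norm:                  # the real domain or one of its subdomains
        return "trusted"
    for t in trusted_norm:
        if canonical(t) == canonical(reg):   # vvashington.com, Cyrillic-a washington.com
            return "lookalike"
        if edit_distance(t, reg) <= 1:       # washingtom.com, washington.co
            return "lookalike"
        if t in host:                        # washington.com.evil.example
            return "lookalike"
    return "external"


def check_url(url: str, trusted: set[str] = TRUSTED) -> str:
    """Classify the host a URL really points at, i.e. its hostname, not the text around it."""
    if "://" not in url:
        url = "https://" + url
    verdict = classify_domain(urlsplit(url).hostname or "", trusted)
    # A trusted brand in the userinfo or path of a foreign host is bait, not a match.
    if verdict == "external" and any(normalise(t) in url.lower() for t in trusted):
        return "lookalike"
    return verdict


def sender_domain(from_header: str) -> str:
    """Domain of the last <addr-spec> in a From header; a decoy address in the display name is ignored."""
    addrs = re.findall(r"<([^<>]+)>", from_header)
    addr = addrs[-1] if addrs else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def triage_sender(from_header: str, trusted: set[str] = TRUSTED) -> dict:
    """Decide which banner, if any, a mail gateway should prepend to the message."""
    dom = sender_domain(from_header)
    verdict = classify_domain(dom, trusted)
    banner = {
        "trusted": None,
        "external": "CAUTION: this message came from outside the organisation.",
        "lookalike": f"WARNING: sender domain {dom!r} closely resembles a trusted domain.",
    }[verdict]
    return {"domain": dom, "verdict": verdict, "banner": banner}


if __name__ == "__main__":
    for url in ("https://www.washington.com/invoices", "https://vvashington.com/invoices",
                "https://washington.com@evil.example/login"):
        print(f"{url:50} -> {check_url(url)}")
    print(triage_sender('"Finance <cfo@washington.com>" <cfo@vvashington.com>'))
```

The From-header parser deliberately takes the last angle-bracketed address, because a common trick is to put a genuine-looking address inside the quoted display name while the real sender is the lookalike domain; likewise check_url classifies the parsed hostname rather than the URL text, so a trusted name placed before an @ or in the path does not earn a pass.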
4. Vendor and payment fraud
Relationships with suppliers and vendors are built on trust, which makes them prime targets for sophisticated scams.
Vendor email compromise (VEC) attacks exploit these existing relationships, using social engineering to convince targets to redirect payments.
“VEC attacks are among the most successful social engineering attacks because they exploit the trust that already exists in relationships between vendors and customers,” says Britton.
“And because discussions with vendors often involve issues around invoices and payments, it becomes harder to catch attacks that mimic these conversations.”
Payment fraud does not always come from outside, as the case of Nicholas Humphery-Smith shows: he hired his son Michael as sales manager in his memorabilia firm.
Michael diverted payments to his own rival company, causing significant losses and earning a 30-month jail sentence. The case underscores that the same payment controls must apply to insiders as to outside vendors.
How to protect your business
- Verify any change to a vendor’s payment details through a second channel, such as a phone call to a number already on file, never to contact details supplied in the request itself
- Implement automated payment verification systems
- Regularly audit and monitor vendor relationships and payment patterns
- Create clear internal controls for invoice approvals (who may approve, and above what amount a second approver is required)
- Consider behavioural analysis tools that baseline normal vendor communication and flag departures from it
5. Cryptocurrency and investment scams
As digital currencies gain mainstream acceptance, scammers are creating increasingly sophisticated schemes to separate businesses from their money under the guise of investment opportunities.
“Scammers create fake websites and social media profiles, promising lucrative investment opportunities in newly launched cryptocurrencies or NFTs,” warns Kammil Sarbuland, blockchain writer at InvoBlox.
“They often employ sophisticated marketing techniques to gain credibility, using celebrity endorsements or fabricated success stories.”
A particularly insidious variant is the “pig butchering” scam, where victims are groomed over months with seemingly legitimate investment opportunities.
“Over the course of months, perpetrators groom the victims with the opportunity to invest in a crypto investment,” explains David Stewart, Director of Financial Services in the Fraud and Security Intelligence global practice at analytics company SAS.
“At some point, they instruct the victims to provide access to a crypto exchange account where funds are drained and moved quickly offshore.”
How to protect your business
- Conduct thorough research on any investment opportunity and the team behind it
- Watch for red flags like lack of transparency or unrealistic returns
- Verify legitimacy through reputable sources like established cryptocurrency news outlets
- Remember, if it sounds too good to be true, it probably is
- Never invest business funds in opportunities you don’t fully understand.
Building a culture of security
Beyond these specific scams, your small business should focus on creating a comprehensive security culture that includes:
1. Better password hygiene
“Protecting your information online starts with good password hygiene,” advises Darren Guccione, CEO of Keeper Security.
“Password managers will also allow you to securely store credit card information, so you don’t have to type it in every time you make a purchase.”
2. Multi-factor authentication
Implement MFA on all business accounts to provide a critical second layer of security. Options include authenticator apps, SMS codes, and hardware security keys; SMS is the weakest of the three because codes can be intercepted through SIM swapping, and security keys are the only option that also resists having the code phished in real time.
3. Regular employee training
Make cybersecurity awareness part of your company culture. Train staff to recognise common scam signs such as unusual urgency, requests for secrecy, or unexpected changes in process.
4. Strong verification procedures
Establish protocols for verifying sensitive requests, especially those involving finances or confidential information.
Final thoughts
Remember that cybersecurity is not a one-time effort but an ongoing process of awareness, adaptation, and vigilance.
By understanding these threats and implementing appropriate safeguards, you can significantly reduce your vulnerability to online scams.