As the holidays approach, many people take time off to rest, but fraudsters ramp up their efforts. December is a peak time for scams: businesses operate with reduced staff, and individuals are busy, potentially distracted, and tired, which makes them more susceptible.
Fraudsters exploit the holiday season by targeting businesses with Business Email Compromises (BEC), Vendor Email Compromises (VEC), fake invoices, fake deliveries, and other scams, taking advantage of employees distracted by holiday preparations and potential lapses in established controls. To protect your business from holiday scams, it's crucial to be aware of the tactics fraudsters use. We've outlined the most common holiday scams, how to recognize them, and steps you can take to protect your business.
1. Business Email Compromises (BEC)
BEC is a cybercrime where attackers use email to deceive businesses into sending money or sharing confidential information, often by posing as a trusted figure like a company executive or known vendor.
More information on Protecting Against Business Email Compromise is available here
Examples of Business Email Compromise (BEC)
- Fake Executive Requests: Fraudsters impersonate high-level executives, sending emails requesting urgent wire transfers, gift cards or sensitive information.
- Vendor Impersonation: Attackers pose as trusted vendors, sending fraudulent invoices or payment instructions to trick businesses into transferring funds.
- Payroll Diversion: Fraudsters gain access to employee email accounts and redirect payroll deposits to their own accounts.
- Account Takeover: Cybercriminals hack into a company's email system and use it to send out phishing emails to clients and partners, requesting payments or confidential data.
2. Vendor Email Compromises (VEC)
VEC is a type of Business Email Compromise where attackers impersonate a third-party vendor and use the vendor's email account to send fraudulent emails requesting payments or sensitive information.
Examples of Vendor Email Compromise (VEC)
- Invoice Manipulation: Attackers alter legitimate invoices from vendors, changing payment details to divert funds to their own accounts.
- Payment Diversion Requests: Fraudsters send emails from compromised vendor accounts, instructing businesses to update payment information for future transactions.
- Fake Delivery Notifications: Scammers send emails from vendor accounts claiming issues with deliveries, prompting businesses to click on malicious links or provide sensitive information.
- Order Confirmation Scams: Attackers use compromised vendor emails to send fake order confirmations, requesting immediate payment or additional details.
3. Fake Invoice Scams
Invoice scams become more prevalent during the holidays, targeting businesses eager to settle bills quickly. Scammers send convincing fake invoices, mimicking legitimate suppliers, in the hope that the business will pay them amidst the holiday rush.
How It Works:
- Fake Invoices: Scammers trick businesses into paying for items they didn't purchase.
- Malicious Links: Clicking on links that download malware or steal payment information.
Common red flags to watch out for:
- Minor changes or errors in the email address or domain name.
- Differences in the invoice, letterhead, fax, or email template.
- Unfamiliar supplier or vendor with unusual dollar amounts or requests for items not ordered.
- Voicemails with call-back numbers that don't match the shipper's service number.
- Altered beneficiary and transaction information.
- Requests to update delivery/payment preferences.
- Links that don't clearly show the domain.
- Certificate errors or missing company information.
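Several of these red flags can be checked automatically before an invoice reaches the approval queue. The sketch below is an added example, not Scotiabank code: it compares an invoice email against a vendor master file and flags near-miss sender domains and changed beneficiary details. The vendor domains, account numbers, and the edit-distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed vendor master file: sender domain -> bank account on record.
VENDORS = {
    "northwind-supplies.example": "CA-0001-2345678",
    "acme-freight.example": "CA-0002-9876543",
}

def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(from_header, beneficiary_account, vendors=VENDORS):
    """Return the red flags raised by one invoice email."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in vendors:
        # A genuine vendor domain does not clear the invoice: a compromised
        # vendor mailbox (VEC) sends from it too, so the account on the
        # invoice is compared with the one already on file.
        if beneficiary_account != vendors[domain]:
            return ["beneficiary_changed"]
        return []
    # Not a known domain: is it a near miss of one (minor change or typo)?
    near = [d for d in vendors if edit_distance(domain, d) <= 2]
    if near:
        return ["lookalike_domain:" + near[0]]
    return ["unknown_vendor"]
```

Any flag should route the invoice to verification through a known phone number rather than block it outright, since vendors do legitimately change banks.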
Reject common holiday business scams:
These holiday scams can be difficult to detect, but you can protect your business by following these tips:
- Keep a list of expected packages, tracking numbers, and shipping companies. Log in directly to the retailer's site to check delivery status.
- Require multiple approvals for payments and regularly verify transaction logs and payment reports.
- Be cautious of emails requesting payments, transfers, or account changes, especially if they are unexpected, urgent, or unusual.
- Verify the sender's identity by calling a known number or sending a separate email to their official address.
- Avoid clicking on links or attachments in suspicious emails, as they may contain malware or phishing attempts.
- Use strong passwords, enable multi-factor authentication for email accounts, and change passwords regularly.
- Educate staff on recognizing and reporting scams and implement policies for verifying and approving financial transactions or changes.
- Remember, Scotiabank will never ask for personal or financial information like account numbers, PINs, one-time passcodes, or passwords through email or text message.
Report
If you suspect you’ve been a victim of a scam, it’s essential to take the following steps:
- Engage your bank without delay. For Scotiabank business clients, reaching out to your Relationship Manager can expedite the protective measures needed to secure your account.
- It is imperative to involve local law enforcement. Reporting the fraud to the police not only aids in the immediate investigation but also helps to prevent the perpetrator from targeting others.
- The Canadian Anti-Fraud Centre (CAFC) stands as a pivotal ally in the fight against fraud. They offer indispensable resources and support, accessible via their hotline at 1-888-495-8501 or their comprehensive website.
Remember
Anyone can fall for a holiday scam. Knowing the signs and recognizing, rejecting, and reporting them is the best way to avoid them and enjoy a stress-free holiday season.
To learn more about protecting your business from common scams, visit:
https://www.scotiabank.com/ca/en/security/protecting-your-business/common-business-scams.html