Common business scams
One of the most effective ways to avoid being scammed is to be aware of the most common methods used by fraudsters to compromise the security of your business. In general, there are a few different methods used to trick you or your employees.
Educate yourself
Many of the scams targeting businesses fall under the category of “social engineering.” This is a process by which scammers rely on the act of manipulation and our desire to lend a hand or respond to urgent requests so they can commit financial fraud.
When thinking about cybersecurity, you should also consider how employees can be vulnerable to social engineering and how they might be tricked into giving information to a scammer simply while trying to do their job.
Types of business scams
Phishing/Vishing/Smishing
What is it?
If we think of cybersecurity attacks, we might think of hackers analyzing lines of complex code, searching for vulnerabilities in software or hardware. But that’s not always the case. Hackers are now targeting employees to exploit human emotions, social ties, and the innate desire people have to do the right thing or respond to urgent requests through emails (phishing), text message/SMS (smishing), and phone calls (vishing) based social engineering attacks.
Phishing is a form of social engineering in which hackers use fake emails to trick the recipient into providing personal or sensitive information that can be used for fraudulent purposes.
Vishing is the telephone equivalent of phishing. It’s the act of using the telephone to scam the call recipient into surrendering sensitive information that will be used for identity theft.
Smishing is another form of phishing that involves criminals using a text or SMS message to try and obtain sensitive information from the recipient.
Social engineering scams are a tried and tested method for scammers to breach your business and obtain information that could jeopardize your business’s sensitive data or revenue. Moreover, scammers are becoming increasingly sophisticated in their efforts to accomplish this.
Scam examples
Spear phishing
Spear phishing is a targeted email designed to trick individuals or small groups into sharing information or allowing malicious code to run on their device. This technique uses more sophisticated technology and personalization to evade email filters and convince victims that the email is legitimate.
Notifications
Smishing can include bank notifications, package tracking updates, or urgent warnings that act on your desire to resolve a problem. Be aware that Scotiabank will never call you and demand that you divulge personal financial information about you or your business.
Urgency or excitement
Vishing attacks often involve a sense of urgency, like dealing with a tax or legal matter, or a sense of excitement, like winning a prize or a free trip. These attacks prompt you to divulge personal and financial information that can be used for fraud or identity theft.
How to protect yourself
These scams often contain urgent or provocative requests, are disguised to look legitimate, and may even seem to come from sources that are familiar to you.
Always stop and take the time to carefully evaluate emails, phone calls, or text messages requesting sensitive information, especially when the request is urgent or the deal seems too good to be true.
Always check the sender:
- Phishing emails are often designed to look legitimate
- Watch out for emails where the email address doesn’t match the company supposedly sending the email
Always be wary of suspicious links or attachments:
- Beware of attachments, especially those that you weren’t expecting as part of your regular communication or job tasks
- Before clicking a link, check its destination by hovering over it with your cursor. The visible part of the link that you click is called the anchor. The destination is where the link truly leads. If you don’t recognize where the link is taking you, don’t click on it.
Don’t be pressured by threats or sensational claims:
- A sense of urgency or threats that something will happen if you don’t select a link, open an attachment, or act immediately are all signs of a scam
- Payment scams typically claim that an invoice is overdue, or a business deal will fall apart if payment is not made immediately. Slowing down to verify the request is vital to avoiding these scams.
Contact the person or company directly:
- Verify the validity of the person or organization contacting you by reaching out to them directly by phone using a known contact number
- If they sent you an email, call them using a number you have on file for them — not the number provided in their email, as emails can often be faked or intercepted by scammers
- Use a search engine to find the company’s website or contact them to confirm details
Malware/Ransomware
What is it?
Malware, short for malicious software, refers to any software designed to steal sensitive data and damage or destroy computers and computer systems.
Many different types of malware exist, including viruses, worms, Trojan horses, spyware, adware, and ransomware. No matter the type of malware, they all share the same objective — to capture and steal sensitive information and disrupt computer systems.
Ransomware is an extremely popular type of malware affecting businesses today, which can attack and encrypt (lock) your system to extract a ransom.
Malware is designed to hide within the operating system and avoid security safeguards. If you have ransomware on your computer, you might not know it. It can lie dormant until activated by a scammer to encrypt (lock) your files and demand payment.
Ransomware will lock your files so that they become unusable or untouchable in the hopes that you’ll pay the ransom to retrieve them.
Removing ransomware and decrypting your files can be a significant challenge even for IT experts.
Note that even if the ransom is paid, there is no guarantee that your files will be decrypted. It’s also possible that the scammer could sell your information, leak it online, or delete it.
Scam examples
Infected downloads
Downloading an infected program from an illegitimate website is the most common way to unintentionally install malware on your systems.
Because malware is designed to look legitimate, it’s easy to mistake it for a genuine program that you might actually want on your computer.
Although many websites offer free downloads, you should only download programs and software from reputable companies.
In addition, malware can also be installed by clicking a link in an email or text message.
Surf with caution
Another way to unintentionally download malware to your device is by visiting an infected website.
These websites have been designed to look real but may contain elements that initiate a malware download. These elements include:
- Advertisements
- Fake error messages
- Pop-up windows
Suspicious Attachments
Some phishing emails contain malware that’s disguised as an attachment. These attachments are a common way to infect your computer.
By simply opening an attachment infected with malware, you may be falling into a scammer’s trap, with the malware running in the background unnoticed.
How to protect yourself
Protecting your systems from malware and ransomware is a process that involves:
- Identifying and installing malware safeguards (for example, anti-malware software and firewalls)
- Educating employees to build awareness and recognize potential risks
- A commitment to building plans, processes, and policies that diminish the likelihood of encountering the malicious software
To help protect yourself from malware and ransomware:
- Install quality anti-virus and anti-malware software for your networks, and install updates as soon as they become available, since updates typically contain new security patches
- Set up a firewall to block connections to malicious websites and to stop malware from entering your network
- Update to the most recent operating system on your systems and devices, and make sure to install updates as they’re released. Operating system updates often contain security patches that will protect your system from new threats.
- If possible, routinely back up your systems to an external source that’s not linked to your computer. An example of this kind of backup is through a removable external drive or cloud-based storage system. If your computer is physically linked to the device that’s storing your backup data, the malware could affect that too.
- Always be wary of attachments or links from unknown sources
- Pass along this knowledge to your employees by training them in cybersecurity procedures and defensive strategies for systems protection
If you find that your systems have been infected with malware or ransomware, you can try removing the infected devices from the network. This may prevent the infection from spreading to other devices and causing further harm.
You can also consider running a scan using anti-virus or anti-malware software. Reputable software may have instructions for how to deal with the issue.
Another option is to ask an IT professional for support in clearing up the issue and restoring your systems.
Following a malware or ransomware attack, be sure to change your passwords to try and prevent a further data breach.
Alert your local authorities and your local anti-fraud centre. For Canadian citizens, contact the Canadian Anti-Fraud Centre (CAFC) at 1-888-495-8501 or visit the CAFC reporting page for more information.
Business Email Compromise
What is it?
Business Email Compromise (BEC) is a form of fraud that attacks both large and small businesses.
Technically a form of spear phishing, BEC attacks companies conducting regular payment processing activities, taking advantage of employees with access to sensitive company or customer data and those responsible for vendor management and payment processing activities.
As commonly presented, the scam plays out when a fraudulent email or message arrives from someone pretending to be the CEO, a senior manager, or a third-party vendor, requesting an immediate money transfer, a change of account number or invoice, or access to sensitive data.
Scam examples
The CEO scam
As part of this scam, fraudulent emails are sent to finance team employees from scammers claiming to be senior management — either a Chief Executive Officer (CEO), Chief Financial Officer (CFO), or anyone with the authority to sanction a money transfer. The scammer will forge (spoof) the email’s “from” address so the message appears to have been sent from a legitimate email address.
The phishing email will use social engineering tactics to trick the recipient into wiring money to an unknown party.
The email will be written with a sense of urgency and will likely insist that the transfer remain confidential.
Change payment schemes
Fraudsters sometimes send emails that look like they’re from suppliers or customers that your business has a well-established relationship with.
They will set up a fraudulent account using a fake email or phone number, pretending to be a trusted supplier or an existing customer. The fraudulent emails will request that you transfer payments from an existing account to a new account that the fraudsters control.
Information theft
Scammers may also seek to manipulate employees into releasing other employees’ or customers’ personally identifiable information (PII). This information can then be used in further fraud, such as phishing attempts, CEO impersonations, or to create fake invoices and accounts.
How to protect your business
Be sure to train your employees on how to identify phishing scams, especially spear phishing and Business Email Compromise scams. Always reinforce the fact that email addresses can be spoofed (forged) and must be carefully verified.
Reiterate to your employees the need to look out for red flags, such as a sense of urgency. If there’s a sense of urgency regarding a wire transfer or payment, advise your employees to inform their manager.
Employees should always reach out to a known contact to confirm requests for transfers of funds from customers and suppliers. Use known numbers, not the details provided in the most recent email request, as they can be faked.
- Remind your employees not to accidentally tip off a scammer by posting on social media when they or another staff member are on vacation or away from the office
- Establish a two-step verification process for wire transfer payments, such as assigning secondary sign-off personnel
- Create a process to recall a payment that may be fraudulent
- Keep an up-to-date and detailed supplier/payee directory
Cheque fraud
What is it?
Cheque fraud is still on the rise. From small businesses to large enterprises, companies of all sizes can become victims of cheque fraud.
If someone uses a cheque illegally to obtain funds, they’re committing cheque fraud.
Stolen cheques can be intercepted in the mail.
Learn how to recognize different types of fraud so you can protect yourself and your business from fraudsters.
Scam examples
Counterfeit cheque
Counterfeit cheques generally have slight differences compared to legitimate cheques.
The colour, logo, font, and security features may vary.
Altered cheque
Materially altered cheques are valid and authorized items but contain changes to the:
- Payee’s name
- Date
- Amount (numeral/written)
- Time of payment
How to protect your business
Protect your business from card and cheque fraud by reviewing your transactions daily. Having a good understanding of your finances will always add an extra level of security.
If you suspect your card/PIN has been compromised or spot any fraudulent activity on your account, please contact us immediately at 1-866-625-0561.
- Set up an alert on your credit card so you know when your card’s being used
- Choose paperless statements to help protect your account
- Don’t leave your bank cards unattended
- Never share your PIN with anyone or leave it written next to your card
- Don’t share confidential information over the phone or in an email; remember, Scotiabank will never call or send you an email and ask you to provide your full card number or password
- Sign the back of a new Bank card immediately after you receive it
- If your card is declined, lost, or stolen, call us right away to reduce the risk of fraud
- When bank cards are no longer valid, destroy the cards by cutting them up
- If a cheque goes missing, call Scotiabank to stop payment immediately
- Report any lost or stolen bank cards to Scotiabank immediately
- Lock up cheques, deposit slips, bank statements, and any equipment used to issue cheques in a secure location
- Restrict access to cheques and equipment
- Shred any cancelled cheques, old statements, or expired debit and credit cards
- Make sure cheques are fully filled in; do not leave blank spaces on the payee or amount line
- Only employees who are authorized to issue cheques should be able to access, process, and mail them
- Separate duties by having one employee issue cheques while another reconciles them
- Regularly review your cheque order to ensure there are no missing cheques; report missing cheques to your bank or supplier immediately
- Set up ScotiaConnect to enable daily reconciliation of banking activity and cheques issued
- Learn more about cheque management services for our Commercial Customers
Wire payment fraud
What is it?
Wire payments continue to be a target for fraudulent activity due to the speed and higher dollar limits of the transaction. Common methods of wire payment fraud include business email compromise (customer email hack/vendor email hack), account takeovers, malware, and phishing (including smishing and vishing).
Remember, you should never feel rushed to respond when working with a trusted organization.
Fraudsters know that money sent through a wire transfer is difficult to recover because of speedier settlement and the complexity involved in the recovery of funds sent between different jurisdictions.
Employees who are responsible for processing wire transfers are deliberately targeted.
Social engineering tactics play a major role as fraudsters rely on an employee’s sense of duty and desire to do the right thing in an urgent situation.
Employees must always take the time to decide whether or not the wire payment request is genuine before processing a transaction.
Scam examples
Change payment instructions
A common wire payment scam occurs when a fraudster sends an email pretending to be a trusted supplier requesting a change of wire payment instructions or account information. The email may request a change of account payment details so that funds are forwarded to a fraudulent account or include a malicious link that downloads malware onto your device and network.
Spoofing
Email spoofing occurs when a fraudulent email is created using a fake sender address to trick the recipient. There are 3 common methods used to spoof an email:
- Forging the contact name and email address visible to the recipient
- Setting up a valid email address with a name of someone in your organization
- Creating a new email address that looks like the real one
Urgency
While some fraudsters spend weeks grooming a business target, one of the key red flags for wire fraud remains a false sense of urgency.
Always think before making a wire transfer, and make sure all protocols are followed before a transfer is initiated.
How to protect your business
Here are a few ways you can protect your business:
- Conduct regular phishing simulation tests for your staff; include instructions on how to spot warning signs of phishing emails and how to report suspicious emails to your IT security team
- Validate any unusual transaction requests by using a trusted phone number for the contact in question
- Implement a separation of duties or a dual-signature system that requires authorization from 2 different employees to process supplier payment changes and wire transfer requests
- Conduct regular reviews of wire transfer transactions
- Know the habits of your customers and suppliers, including the frequency and amounts of their regular transactions
- Have a plan in place to report and recover fraudulent transfers; it is recommended you document all communications, maintain a list of contacts, and report it to your bank, your local police station, and your local anti-fraud centre. For Canadian citizens, contact the Canadian Anti-Fraud Centre (CAFC) at 1-888-495-8501 or visit the CAFC reporting page for more information.
It’s especially important to educate your employees to recognize, avoid, and report unusual wire payment requests.
Here are some tips to share with your employees:
- Pay close attention to the sender’s email address, and double-check it against the customer’s profile on record to ensure there are no discrepancies (for example, johndoe@powercom vs. johndoe@povvercom)
- If during a callback something seems suspicious, consider performing a callback to another signatory on the account if available and escalate the matter to your manager
- Contact customers using only the telephone number in their profile and do not use alternate telephone numbers
- Review recent telephone number changes on the customer profile and perform enhanced due diligence checks
- Be on the lookout for signs that signatures have been copied and pasted (for example, watermarks or a white or discoloured box behind the signature)
- In the event of a mismatched or suspicious signature, perform enhanced due diligence by undertaking additional inquiries into the matter and escalate to your manager
- Be suspicious of errors in spelling, grammar, or the format of dollar amounts
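As an added example (not part of this page or Scotiabank's material), the following Python check applies the three spoofing methods listed under "Spoofing" and the tip above about double-checking the sender's address against the customer's profile: it flags a display name that claims to be a known contact but arrives from an unfamiliar domain, and a lookalike domain such as the povvercom/powercom pair. The payee directory, domain names and From headers are constructed sample data.

```python
import re
import unicodedata

# Constructed sample directory: who we expect behind each known address.
# Names and domains are hypothetical, not real customer records.
INTERNAL_DOMAIN = "examplebiz.example"
KNOWN_SENDERS = {
    "johndoe@powercom.example": "John Doe (supplier: Power Co)",
    "cfo@examplebiz.example": "Jane Roe (CFO)",
}

# Character sequences commonly used to imitate another letter in a domain.
CONFUSABLES = {"vv": "w", "rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}

# Matches '"Name" <addr>', 'Name <addr>' and a bare 'addr'.
FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s]+@[^<>\s]+)>?\s*$')


def parse_from(header):
    """Split a From: header into (display name, lowercase address)."""
    m = FROM_RE.match(header)
    if not m:
        raise ValueError(f"unparseable From header: {header!r}")
    return (m.group(1) or "").strip(), m.group(2).lower()


def skeleton(domain):
    """Comparison form of a domain: fold compatibility characters (e.g. fullwidth
    letters) with NFKC, lowercase, then collapse look-alike sequences."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES.items():
        s = s.replace(fake, real)
    return s


def classify(header, known=KNOWN_SENDERS, internal_domain=INTERNAL_DOMAIN):
    """Return a verdict string for a From: header against the payee directory."""
    name, addr = parse_from(header)
    local, domain = addr.rsplit("@", 1)
    if addr in known:
        return "known sender"
    known_domains = {a.rsplit("@", 1)[1] for a in known} | {internal_domain}
    # Method 3 on the page: a domain that differs from every known domain
    # but folds to the same skeleton (povvercom -> powercom).
    for kd in known_domains:
        if domain != kd and skeleton(domain) == skeleton(kd):
            return f"lookalike domain: {domain} imitates {kd}"
    # Methods 1 and 2: the display name is a person we know, but the address
    # is at a domain we have no record of (forged name, or a free-mail account).
    known_names = {who.split(" (")[0].lower() for who in known.values()}
    if name.lower() in known_names:
        return f"display-name mismatch: '{name}' from unknown domain {domain}"
    return "unknown sender"
```

Any verdict other than "known sender" should trigger the callback procedure described above, using the telephone number already on file.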