Protect your business from common scams, real cases and how to stay safe

Nov 1, 2024

Protect Your Online Business from the Most Common Scams

Digital scams are a growing and constant threat to any online business, but they are especially harmful for small and medium-sized enterprises. Every month, businesses across various sectors face fraud attempts that aim to exploit operational vulnerabilities, leading to financial losses and damage to their reputation. For a large company, a security setback might be a temporary inconvenience, but for a small business, a single scam can have devastating consequences, directly impacting its stability and growth.

Today, the range of digital frauds has evolved with technology: from phishing emails to complex identity theft attempts and payment scams. Scammers are continually adapting their techniques to deceive even the most cautious users. If you run a digital business, you’ve probably already noticed how common these threats are. From fake refund requests to attempts to access your payment systems, small and medium-sized businesses are frequent targets of these attacks.

In this article, we’ll look at some real scam attempts faced by digital businesses to help you recognize these patterns and prepare to respond. We’ll explore how these frauds work and share practical measures so you can better protect yourself. Whether you run an online store, offer digital services, or engage in any other digital activity, understanding these threats is essential to safeguard your revenue and your company’s reputation. But first, let’s examine the most common types of cyber scams.

Common cybercrimes and their impact on small businesses

In today’s environment, where online businesses are constantly growing, cybercriminals are developing new tactics to exploit any vulnerability. Before proceeding with real cases, let’s review some of the most common cybercrimes that can seriously impact small and medium-sized enterprises (SMEs), putting their finances and reputation at risk.

1. Phishing or identity theft

Phishing is one of the most frequent and effective scam techniques. It involves tricking employees or business owners into providing sensitive information, such as login credentials or bank details, through emails, messages, or even phone calls that appear legitimate. For an SME, falling into a phishing trap could mean that an unauthorized person gains access to their accounts, manipulates confidential information, or makes financial transactions without permission.

For example, the team at a small design company might receive an email that appears to be from their usual software provider, asking them to update their login credentials through a provided link. Trusting the message, one of the employees might enter the requested information, allowing the attackers to access the company’s system and change passwords. This could lead not only to the loss of control over key accounts but also to the exposure of client information, which would severely impact the company’s trust and reputation.

2. Payment scams and transaction fraud

SMEs that make online sales are especially vulnerable to payment scams. This type of fraud can take several forms: from fake returns to the use of stolen cards for purchases that are later reversed. Additionally, some scammers may exploit return policies to request refunds for products they never actually send back, affecting the business’s profits.

For instance, an online clothing store might receive a large order, apparently paid for with a credit card. After sending the merchandise, the store could be notified that the payment has been reversed because the card used was stolen. This would not only result in a loss of income from the product sent but also in the added cost of shipping and return expenses. This kind of fraud can be a severe blow to cash flow, especially when it occurs frequently or with high-value orders.

3. Business email compromise (BEC)

In the type of fraud known as BEC (Business Email Compromise), attackers impersonate a company member (such as a manager or director) to request money transfers or confidential information. This type of scam is difficult to detect because scammers often study the company’s operations and tailor their messages to appear as legitimate requests. Furthermore, with the advent of voice cloning and deepfake technology, it is increasingly challenging to distinguish between a real and a fake call.

Imagine that an administrator at a small advertising agency receives an email supposedly from the financial director, requesting an urgent transfer to pay a supplier. If the tone and details of the message are convincing, the administrator might make the transfer without hesitation. Later, the agency would discover that the email was fraudulent and that the recipient account did not belong to the supplier but to a scammer. In this case, the loss of funds would impact the agency’s operations and generate internal conflicts, highlighting the importance of verifying any transfer request, especially if it’s unusual or urgent.

Whenever faced with a request of this nature, it’s recommended to confirm the authenticity of the request through another secure communication channel, such as a phone call to the sender. This practice helps ensure that the request genuinely comes from the person in question and not from a scammer trying to exploit the situation. Directly contacting the individual through an alternative method, rather than replying to the email or message received, helps reduce the risk of falling for this type of fraud. It’s also common for these messages to convey a sense of urgency, pressuring the victim to act without thinking, so it’s essential to stay calm and verify the information.

4. Malware and ransomware

The use of malware and ransomware is a very common threat. Cybercriminals can infect company systems through email attachments or malicious links, gaining access to sensitive information or blocking the system while demanding a ransom.

For example, the team at a small marketing agency might receive an attachment from a supposed potential client wanting to share information about a new project. However, this file could contain ransomware, causing the agency’s systems to become encrypted and inaccessible. The attackers would demand a ransom payment, and without an adequate backup, the agency would be forced to make the difficult decision of paying to regain access, which would strain its budget and potentially delay client projects. Even then, paying the ransom wouldn’t guarantee recovery of the systems, potentially leading to further financial losses.

5. Social engineering attacks

Social engineering is a technique where attackers psychologically manipulate people into revealing sensitive information or taking actions that are harmful to the company. These attacks can occur over the phone, by email, or even in person, and they often exploit a lack of cybersecurity training.

In a common scenario, an employee at an ecommerce store might receive a call from someone claiming to be from the technical support team of their payment system provider. The caller might ask for help “verifying the account” by requesting certain access credentials. Thinking it’s a legitimate call, the employee might provide the information, which would allow the attackers to access the account and carry out unauthorized transactions.


Understanding these types of fraud and their impact is the first step to avoiding them. Now, let’s take a look at some “real” cases. I put “real” in quotes because these are examples based on real-life incidents, but names, addresses, and other details have been changed to avoid potential issues.

Real-life examples of scam attempts

These are just a few examples of real scam attempts. Not only do they illustrate the common tactics used by cybercriminals, but they also highlight the importance of recognizing the warning signs in each case.

1. Offers to publish third-party applications on the company account

One type of scam often aimed at online business owners and developers is the supposed offer to publish third-party applications on their accounts, with the promise of regular payments. Although the offer might seem like a good way to earn extra income, these attempts often involve apps that contain malware or malicious content, which could harm both the business and its customers.

Example of message received:

“Dear Sir/Madam, I’m interested in using your account to publish my application. I’m open to renting it with management access and monthly payments or buying it outright. If either option appeals to you, please contact me via WhatsApp at +99 123-4567-8901. I’ll make sure the price is fair for both of us.”

Scam analysis:
Although this offer may appear legitimate at first glance, several risk factors stand out. First, if the application contains malware, any customers who download it could be affected, putting the company’s reputation at risk and potentially resulting in the account being blocked, with the subsequent loss of all assets within it. Additionally, if someone is offering to pay for using your account, they could theoretically publish it themselves; this makes the offer of renting or buying the account suspicious. Why would anyone want to publish an app on an account that isn’t theirs unless they have malicious intentions? While it might be possible for someone to be interested in using a well-established account with a good reputation, the message doesn’t mention this at all, making it more likely that this is a scam attempt to distribute malware without consequences for the cybercriminals.

2. Supposed investment offers from “foreign” companies

Another common scam is the offer of supposed capital investment from an international company that appears interested in funding your business or project. The messages are usually written in a formal tone and use financial terminology to convey credibility. However, upon closer examination, there are often clear warning signs, such as a recently created website, fake profiles, or unverifiable information.

Example of message received:

Subject: RE: Project of Interest

“Dear Sir/Madam, an investment banker from CashTrap Bank, Mr. Money McScam, has recommended your project to my board for possible consideration for funding. Considering that your project aligns with the sectors of interest for my board, we would be honored to learn more about your project with an investment intention. Please advise a convenient time to proceed with this discussion.

ILA FAKE MONEY
Principal Partner
Dubious Ventures Group”

Scam analysis:
While investigating this offer, several red flags came up. The first, and perhaps the most noticeable besides the vague and generic tone, was the website itself. Upon visiting it, I found a template with generic text and no detailed information, accompanied by AI-generated images of an office filled with distorted, unrealistic-looking people. This type of image has become more realistic over time, but it is still detectable if you look closely. Additionally, the company’s domain was only three months old.

I also looked up the names of the supposed executives of the company and found that they had no verifiable profiles on professional networks or anywhere online; the entire communication seemed deliberately vague. A legitimate investment firm would have a strong and easily verifiable online presence and would not communicate via generic email addresses.

This type of scam takes advantage of the funding needs of many small and medium-sized businesses, creating a false sense of credibility to trick the business owner into sharing sensitive information or even transferring money under the pretext of an “initial negotiation fee.”
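The domain-age and sender-address checks described above can be scripted. This is an added example, not part of the original article: it reads the registration date from an RDAP domain record (the JSON successor to WHOIS, RFC 9083) and flags a recently registered domain or a free webmail sender. The domain, sender address, one-year threshold and webmail list are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Assumption: a short sample of free webmail domains; extend it for real use.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Constructed RDAP record, trimmed to the fields used here.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "domain",
  "ldhName": "dubious-ventures.example",
  "events": [
    {"eventAction": "registration", "eventDate": "2024-07-25T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2025-07-25T00:00:00Z"}
  ]
}""")

def registration_date(rdap: dict) -> Optional[datetime]:
    """Return the 'registration' event date of an RDAP domain record."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def red_flags(sender: str, claimed_domain: str, rdap: dict,
              today: datetime, min_age_days: int = 365) -> list:
    """List the warning signs found for one unsolicited offer."""
    flags = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain in FREE_MAIL:
        flags.append("sender uses a free webmail address")
    elif sender_domain != claimed_domain.lower():
        flags.append("sender domain differs from the company's website domain")
    created = registration_date(rdap)
    if created is None:
        flags.append("no registration date in the RDAP record")
    elif (today - created).days < min_age_days:  # threshold is an assumption
        flags.append(f"domain registered only {(today - created).days} days ago")
    return flags

if __name__ == "__main__":
    today = datetime(2024, 11, 1, tzinfo=timezone.utc)
    for flag in red_flags("ila.partner@gmail.com", "dubious-ventures.example",
                          SAMPLE_RDAP, today):
        print("RED FLAG:", flag)
```

An empty result does not make an offer legitimate; it only means these two checks found nothing.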

3. Fake influencer collaborations

Collaborations with influencers are an effective marketing tool for many companies and content creators. However, scammers take advantage of this trend to offer fake collaborations, particularly to tech and app companies. In these cases, they pose as influencers, providing attractive follower statistics and a seemingly low collaboration fee, intending to get the business owner to pay before any work is done.

Example of message received:

“Hi, I’m Scammy McFamous, and I have a YouTube channel specializing in technology (phone reviews, apps, etc.) with over 250k active subscribers and 40 million views. I’m excited to propose a collaboration with you that includes creating a promotional video for your app, where I’ll thoroughly explain its features, how to use it, and add the download link in the video description. The cost of this collaboration is $100. I look forward to hearing from you soon.”

Scam analysis:
At first glance, the offer seems attractive, but there are details that raise suspicion. Both the person and the channel exist and have a following similar to the one mentioned, so the first time I received the message, I thought it might be genuine. As recommended in cases of identity impersonation, I tried to verify the communication by reaching out to the YouTuber directly through their social media, but I didn’t receive any response. The influencer may not have seen it or simply chose not to reply, but in this case, the lack of response is a signal in itself: if someone were actively selling promotional services online, they would likely be interested in responding to potential client inquiries. Additionally, the proposed price is very low for an influencer of that size, which could indicate the offer is fake. Later, upon receiving the exact same message again with no changes, I confirmed it was indeed a scam attempt.

In these cases, scammers aim to exploit the popularity of influencers to deceive companies and obtain payments for services that will never be delivered.

4. Remote work offers promising easy money

An increasingly common scam involves “work from home” messages that promise high earnings for minimal effort. Cybercriminals use messaging apps like Telegram or WhatsApp, posing as recruiters and offering substantial pay for simple tasks, such as posting reviews or clicking on links.

Example of message received:

“Hi! We are looking for people who want to use their free time to earn extra income. This is a remote job that you can do anytime, from anywhere. You only need to dedicate 30 to 60 minutes a day to help hotels and restaurants improve their visibility and earn between 50 and 150 euros. Are you interested?”

Scam analysis:
These types of messages are often accompanied by unrealistic promises, such as earning up to 150 euros a day for just a few minutes of work. Although the offer might seem tempting, scammers typically ask for personal information, like your name and age, under the pretext of advancing the “selection process.” In some cases, once communication is established, they ask for initial payments to access the “work platform” or request financial details with excuses about sending the payment. Often, once they receive the requested payments or information, the scammers disappear.

This type of scam takes advantage of the need for extra income that many people have, using the promise of an easy, remote job to attract potential victims. However, a legitimate job offer rarely asks for upfront payments or financial details at such an early stage. Additionally, a quick search usually reveals that the company they claim to represent doesn’t even exist.

Currently, the account from which these communications were sent has been deleted, further confirming that it was a scam. A legitimate company or representative would not delete their account.

The importance of staying one step ahead in digital security

Digital scams represent a significant and increasingly common risk for both users and companies, especially in a digital environment where business opportunities are more accessible than ever, but so are the dangers. Although some of these fraud techniques might seem simple or obvious at first glance, the sophistication and creativity of scammers are constantly evolving, aiming to exploit any oversight.

Protecting your business involves not only being informed about these scams but also implementing effective security practices. Continuous education and team training, along with the use of cybersecurity tools, can make a significant difference when it comes to detecting fraud attempts. Establishing clear procedures to verify the authenticity of offers and collaborations is also a fundamental pillar in fraud prevention.

Finally, remember that the key to avoiding these scams is to maintain a critical mindset toward any suspicious proposal and always seek reliable sources of information. While digital risks are inevitable, being well-prepared will allow you to protect your resources and focus on the true growth of your business. I hope this information has been helpful and aids you in safeguarding yourself against future scams. Remember that digital security is a shared responsibility, and prevention is always the best defense.
