Business Fraud Prevention: 101

    Charles Brandt
    By: Charles Brandt
    June 12, 2024

    Nowadays, business fraud is a big business. According to Alloy’s 2024 State of Fraud Benchmark Report, 56% of surveyed businesses lost more than $500,000 to fraud in the last 12 months, and 25% lost over $1M.

    While organizations of any size can be vulnerable to fraud, small businesses often don't have the resources to hire an IT staff, and fraudsters know it, which is why SMBs are often their preferred targets.   

    In this blog, I’ll cover some red flags to look out for and how you can prevent scammers from getting away with it.

    5 Business Fraud Red Flags

    An executive waves a big red flag to alert employees to common business fraud scenarios.

    Here are five ways fraudsters try to get their hands on your money.

    1. Asking Personal or Strange Questions 

    Beware of any personal questions! Fraudsters can use your answers to these questions to retrieve your login credentials or access financial accounts. 

    Example: You get an email asking you to verify answers to security questions for a portal, like your mother’s maiden name or your anniversary. 

    Example: You get a phone call from someone who says they’re from a government agency, and they ask you to verify information like your Social Security number, account number, or personal address. 

    Example: You get a phone call repeatedly asking, “Can you hear me?” Don’t say yes! During a recent scam, hackers recorded the answer and used it to verify phony credit card charges and bills. 

    2. Directing You to External Websites 

    If you open an email from an unknown sender that includes a clickable link to another website, you should evaluate it very closely before clicking. Redirect scams work mainly by creating fake websites and luring people to visit them. These websites might be disguised to look like those of legitimate banks, credit card companies, or even retail shops, but they’re really designed to steal your account credentials or deliver malware. Instead, go directly to the website through a known secure link in your bookmarks or a reputable search engine.

    Example: You get an email that looks like it’s from PayPal saying that your account has been compromised and will be deactivated unless you confirm your credit card information on their website (link provided). 

    Example: You’re a new employee, and you receive an email that appears to be from your company. It explains that your login information isn’t working, and your direct deposit won't go through unless you verify your information on their website (link provided). 

    3. Requesting Wire Transfers

    Criminals get creative with this one. From posing as charities, government workers, or other members of your company, fraudsters will pretend to be anything and anyone to try to get you to wire funds. Don’t accept wire transfers over email, and always confirm via a phone call to a number you know and trust. Your change management workflow should include the process of changing any account number records you have on file for future use.

    Example: You get a phone call or other communication that the IRS is demanding immediate payment through a wire transfer. 

    Example: An executive at your company sends an urgent email to you, saying that an important business deal won’t go through unless you wire funds immediately. 

    4. Urging You To Click Links

    Malware — short for malicious software — is the fastest-growing threat of 2024. Malware comes in all shapes and sizes, but it can often be seen as downloadable programs, software tools, ransomware, or ads in your inbox. 

    Example: The CEO of your company (or at least, that’s who it appears to be) sends an email asking you to watch an important video contained in a link. 

    Example:  A vendor emails you the link to an eBook and says you might find it helpful. 

    5. Asking You To Buy Gift Cards 

    A very common situation we see in the wild is threat actors trying to get company employees to make purchases that can then be transferred through a simple redemption code or card number. They’ll pretend to be someone who has the authority to authorize the purchase and ask the individual to act quickly.

    Example: You get an email or text message from your boss asking you to buy gift cards and send them photos of the backs. 

    Additional Types of Business Fraud SchemesBusiness fraud trends in 2024 include the use of AI and more.

    The examples I outlined above highlight a few common scams that have been grabbing recent headlines and affecting SMBs across every sector. But it’s also important to safeguard your business against the types of fraud that often fly under the radar and are committed by some of the very people you thought you could trust. 

    Financial Statement Fraud

    Financial statement fraud is when a company’s financial performance is intentionally misrepresented to make it appear better than it is. That might involve overstating revenue, understating expenses, or hiding liabilities.

    Asset Misappropriation

    Embezzlement is just one type of asset misappropriation, which also includes the theft of cash, inventory, or a company’s intellectual property. 

    Corruption

    Abusing power for personal gain — like accepting bribes or engaging in conflicts of interest — is considered corruption. 

    Other Forms of Cybercrime

    Apart from phishing and malware, other forms of cyberattacks —, like business email compromise, data breaches, distributed denial of service (DDoS) attacks, and crypto-jacking — are frequent components of fraud schemes.

    Money Laundering

    Money laundering is the process of hiding the source of illegally obtained money by passing it through legitimate business transactions. 

    Tax Evasion

    Tax evasion involves misrepresenting or concealing information to reduce your tax burden.

    Insurance Fraud

    Making false or exaggerated insurance claims or withholding information to obtain insurance coverage are examples of insurance fraud. 

    Securities Fraud

    Securities fraud can range from providing false or misleading information to investors to insider trading and market manipulation.

    Procurement Fraud

    Procurement fraud describes rigging the bidding process, accepting kickbacks, or engaging in collusion with vendors.

    Invoice Fraud

    Invoice fraud — when a scammer sends a fake invoice to a company hoping their accounts payable team will pay — is shockingly common

    Example: Someone calls your company to verify an order or ask questions about your printer and copiers, and then sends unwanted, substandard and/or significantly overpriced office supplies. The scammer refuses to honor a return and will send an invoice. Scammers like these are often referred to as toner pirates

    Example: You are emailed an invoice from what appears to be a vendor you work with (the email address and signature are correct), but you don’t remember them providing the good or service that is listed on the invoice. 

    Unfortunately, scammers are getting so good that, in many cases, they’re able to hack into a vendor’s systems to access their email, clients, transactions, and banking information. So, even if you receive an invoice in an email from the company you work with, you might not be able to trust its contents. 

    How Are Scammers Able To Do This? 

    Accepting kickbacks or bribes is another form of business fraud, depicted as an under the table deal.

    Some scams — like common office supply scams — are nothing new. But the internet has given criminals a new and easy way to rob companies blind. And while that Nigerian prince scam still pulls in around $700,000 a year, scammers have learned how to fool people who assume they’re not easily fooled. 

    Scammers have gotten very good at using your brain against you to make phishing scams far more successful. They’re then able to use what they know to make their emails far more convincing. Sophisticated cybercriminals have also discovered that leasing out their ransomware — referred to as ransomware as a service (RaaS) — to other criminals is a nice side hustle. So scammers who don’t know the first thing about coding can still bring a company to its knees. 

    And while AI has been an amazing time-saver for businesses recently, cybercriminals have also been helping themselves to this technology to create deepfakes — typically audio or video content that mimics someone’s likeness. 

    Finally, most businesses and most employees at those businesses are making it very easy for scammers to do this. So let’s talk next about how not to do that. 

    How To Prevent Business Fraud

    An employee scans his fingerprint to illustrate how proper user authentication methods can help prevent business fraud.

    So, if you can’t trust an email sent from a legitimate business anymore, what’s a business to do? Effective fraud prevention and detection are possible, but they require a combination of internal controls, audits, employee training, and robust policies and procedures. Even having non-technical practices — like separation of duties, job rotation, and mandatory vacation — can help detect internal threats that may otherwise go unnoticed.

    If You See Something, Say Something 

    First and foremost, if you feel like a phone call or email is sketchy, it probably is. If you already have a security team in place at your business, you should notify them immediately. They’ll almost certainly have a system of verifying the email or caller you’re dealing with and know what to do if someone is attempting to steal your information. 

    Provide Ongoing Security Awareness Training 

    One of the keys to prevention is knowing what to look for. Stay active with training employees on security practices, and be sure to have a plan in place when that phone call from your “client” requesting your password reset doesn’t sound legit. If you don’t have a security team in place, consider hiring one to protect your resources. 

    Only Work With Vendors You Trust

    If a scammer can easily hack into your vendor’s email and systems, then that vendor represents a significant risk to your business. Vendor due diligence is becoming commonplace, and that means some businesses are having to step up their security just to maintain their clients. So, if it’s been a while since you’ve audited the businesses that have access to your location and/or your systems, it’s time. At Marco, we audit vendors regularly and have a risk department to evaluate third-party vendors.

    Having fewer approved vendors — or automating supply ordering — can also help your accounts payable team spot phony invoices quickly.

    Follow Data Security and Cybersecurity Best Practices

    If you knew of a single, fairly simple solution that could thwart 99.9% of account hacks, you’d use it, right? Unfortunately, while more and more businesses are adopting multifactor authentication (MFA) to protect their systems and data, 54% of small to medium-sized businesses still don’t use it. 

    Of course, fraud is a complex problem, and no single solution can prevent it. Marco’s cybersecurity team has created a checklist modeled on best practices outlined in the NIST Cybersecurity Framework. Download it or use it online to see if your current tools and policies are sufficient. 

    If you see a few areas that might need improvement, or you’d benefit from some ongoing cybersecurity mentorship to anticipate new threats, we also offer fractional CISO services to make it much easier for your business to protect itself from fraud and all forms of cybercrime. 

    Explore IT Consulting Services Learn More
    Topics: Security