September 17, 2024

Businesses are just as likely to fall victim to scams as consumers. CERT NZ’s 2023 annual summary showed that the amount businesses and organisations reportedly lost to scams and fraud nearly doubled, rising from $956k in 2022 to $1.9m in 2023.

If you are a business owner, these scams could directly affect your income. If you’re an employee, the last thing you want to do is expose your employer to a scam. So what are common scams you need to be aware of and avoid?

Phishing

Phishing is a term used to describe the illegal practice of using email to obtain access to sensitive data such as passwords, bank account numbers, or credit card numbers. This is probably the most common way scammers target businesses. These emails may come from an unknown email address or mimic the email domain of a business simply by changing one letter. Sometimes, they are even disguised as if they were sent from a senior person within your own organisation.

They use techniques such as malicious links (often to something that seems innocuous such as a survey) to obtain access to data. Another example is the fake invoice scam, urging the receiver to pay for overdue goods or services that the business never received. Or impersonating one of your regular suppliers but asking for payments to be directed to a new bank account.

A fake "password expired" email might lure individuals into entering their current password on a fraudulent website, providing scammers access to sensitive company information. Some businesses have been duped by emails from scammers pretending to be employees requesting their salaries be paid into a different account.

Fake emails made to appear as if they have been sent by a manager within your organisation are also common. Sometimes they urge the employee to make a payment to a new supplier, directing the funds to an account the scammer controls. But there are many creative ways they can defraud organisations.

The not-for-profit organisation Frances* works for lost $2000 last year to a phishing email scam involving iTunes gift cards. The email, set up to look as though it came from the organisation’s CEO, was sent to all staff members. It claimed the CEO was busy in meetings all day and needed the staff member to buy $1,000 of iTunes cards for him. Most of the staff realised it was a scam but a couple of new team members thought it was genuine and bought the cards, replying to the email to say they had completed the task. The scammer then sent a second email asking the team members to send him the 16-digit code from the gift cards. Once the scammer had that information, they were able to redeem the value of the gift cards. Frances says the fact the scam email was sent on a day most of the team was working from home made it easier for the scam to be successful as it limited the opportunity for staff to realise they hadn’t been singled out for an important task by the CEO. The organisation has since increased its communications to staff about phishing emails and common scams.
*Name has been changed.

Fake IT support

Criminals will try to scam businesses by calling or texting random staff members, pretending to be the organisation’s IT contractor, claiming their computer has a virus or they need to upgrade software. They tell the employee to download software that will help or ask for login details to fix the issue. But there’s no virus or service. The software hacks your computer or the hacker logs in to your systems to steal information.

Fake surveys

Scammers will sometimes use fake surveys to gain access to information they can use later to defraud the organisation. The other way they do this is to pretend that they are updating an industry database and need the email addresses and other information of senior personnel. It may seem harmless but they can use these details to appear legitimate in future interactions with your business.

How to avoid scams in your workplace

  • Protect your email with multi-factor authentication. This can prevent a scammer who has obtained your password from accessing your email account.
  • When you register a domain name for your website, think about registering other, similar domain names too. It’s not expensive to do, and could stop scammers launching a phishing attack against your business or using your business to front a phishing attack against others.
  • Keep operating systems and software up to date on all devices.
  • Don’t open attachments from senders you don’t know or click on links for unsolicited offers.
  • If you’re a business owner or team manager, train your staff:
    • Communicate information on phishing and keep them updated on new scams.
    • Make sure staff know when it’s appropriate to share private information and financial details, and with whom.
    • Set policies around payment for products and services.
    • Set out the dos and don’ts for new staff as part of getting them on board.
    • Create a password policy.
    • Have a cyber security policy.
  • Don’t reuse the same password across your systems.
  • Limit who has access to company credit cards.
  • Where possible, ensure all payments are set up by one team member and authorised by another. It increases the chances of scams being noticed.
  • Research new vendors to make sure they are legitimate businesses and query any changes to bank accounts you pay regularly.
  • Trust your gut. If you are suspicious you are being scammed, don’t reply or make any payments until you can confirm the request is legitimate.
  • If you suspect you are being scammed, Google the name of the organisation named in the scam along with the word “scam”. Often the results will tell you it’s a common scam.
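The Phishing section above describes scammers mimicking a business’s email domain by changing a single letter, and the advice above suggests registering similar domain names yourself. The following Python script is an added example (not code from the original article or from CERT NZ) showing how a mail filter or help-desk tool can flag sender domains that are a near miss of your own or your suppliers’ domains. The trusted domains, sender addresses and the small table of look-alike characters are all constructed sample values.

```python
"""Flag look-alike sender domains in e-mail From: headers.

Added example, not from the original article. A sender domain is treated as a
look-alike of a trusted domain when it is one or two edits away, when it only
differs by visually similar characters (0 for o, rn for m, ...), or when it
uses the same name under a different top-level domain.
"""
import re
from typing import Iterable

# Characters scammers commonly swap for similar-looking ones. This is a small
# hand-picked table (an assumption for the example), not an exhaustive list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Lower-case, strip a trailing dot and fold common look-alike glyphs."""
    d = domain.strip().lower().rstrip(".")
    d = d.translate(HOMOGLYPHS)
    for src, dst in MULTI_GLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) via a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'; '' if none."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1) if m else ""


def classify(address: str, trusted: Iterable[str]) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address."""
    dom = sender_domain(address).lower().rstrip(".")
    if not dom:
        return "unknown"
    norm = normalise(dom)
    for t in trusted:
        t_raw = t.lower().rstrip(".")
        # Exact match, or a subdomain of a trusted domain (mail.example.co.nz)
        if dom == t_raw or dom.endswith("." + t_raw):
            return "trusted"
        t_norm = normalise(t_raw)
        # Same once look-alike glyphs are folded, but not literally equal
        if norm == t_norm:
            return "lookalike"
        # One or two characters changed, added or removed
        if edit_distance(norm, t_norm) <= 2:
            return "lookalike"
        # Same first label under a different TLD (example.com vs example.co.nz)
        if norm.split(".")[0] == t_norm.split(".")[0]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample data: your own domain plus a regular supplier.
    trusted_domains = ["example.co.nz", "supplier-ltd.co.nz"]
    sample_senders = [
        "Jo Bloggs <jo@example.co.nz>",
        "ceo@examp1e.co.nz",
        "accounts@exarnple.co.nz",
        "invoices@supplier-ltd.com",
        "news@othercompany.com",
    ]
    for sender in sample_senders:
        print(f"{classify(sender, trusted_domains):10} {sender}")
```

The thresholds are deliberately loose for illustration: very short domains will produce false positives at an edit distance of 2, so in a real filter you would tune the threshold to the length of the trusted domain and treat a "lookalike" verdict as a prompt for the payment-authorisation check above rather than as proof of fraud.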

We will provide more information on what to do if you have fallen victim to a scam in an upcoming blog, but your first step is to call your bank immediately. They can guide you through the next steps, including whether involving the police is necessary.