Protect your business from fraud

Recognize, Reject and Report Fraud

To protect your business from fraud and avoid paying out-of-pocket to scammers, you need the facts. The number of fraud schemes and con artists ready to part your business from its money is endless. Here, we explain some of the most commonly used scams targeting businesses in Canada, to help give your company a fighting chance against fraud.

Social engineering plays a huge role in how scammers perpetrate fraud. It's all about manipulating people into revealing confidential or personal information, or taking actions that lead to them being victimized by fraud.

Social engineering relies heavily on individuals being persuaded based on feelings of:

• reciprocity (returning a 'favour'),
• commitment and consistency (honouring a prior 'commitment'),
• social proof (following what others do),
• authority (obeying authority figures),
• liking (being persuaded by someone who is liked), and
• scarcity (a perceived shortage generates demand).

It's important to be aware of these very common human tendencies that fraudsters exploit to achieve their ends.

Your best fraud prevention tactics are information and vigilance.

Common scams

Here are some examples of common scams to look out for and tips to help you fight back.

Business grants and loans scam

How it works:

You find a website while searching online for small and medium-sized business financing. It has the appearance of a government department helping small businesses access grants and loans, but it's only masquerading as such. For a fee, they'll ensure you get 'special acces' to government funding programs and may infer that the funding is guaranteed. Their website and/or name may mimic a government department, right down to the use of the Canadian flag or other logos and wordmarks.

This is a sure way to squander your money. First of all, services and information to help you apply for government grants and loans are offered free of charge by government departments or agencies. Secondly, nobody can guarantee your business would receive such funding, nor are private sector companies involved in the approval process for it.

What to do:

• Be skeptical! Never feel pressured to commit.
• Closely examine the company's ads and website, and take time to research it before subscribing to any newsletters, sending money or giving credit card or bank account details.
• Seek legitimate information about small and medium-sized business start-up and financing at the Canada Business Network.
• Call 1 800 O-Canada (1-800-622-6232) for general information on Government of Canada programs and services.

Directory scam

How it works:

You're contacted by a seemingly legitimate business directory supplier wanting to confirm your address and contact information. Simple - you confirm. The caller may imply that your company has purchased the directory listing in the past, saying that the call is simply to update your company contact information. This is called the "Assumed Sale" technique.

Then you receive a confirmation call designed to get you to agree to purchase the directory listing and a few weeks later, you receive an invoice for several hundred dollars for online advertising you supposedly agreed to. The online directory is of little or no commercial value, isn't searchable, and offers nothing better than a standard Google search would.

When you call to dispute the charge, they say they have a recording of you agreeing to the services, which they've edited to suit their purposes, and they threaten to send your file to a collection agency. Then if you don't pay, you receive aggressive collections calls, falsely claiming that your credit rating will be affected, when in fact they have no legitimacy to report you to a credit bureau, because the invoice or contract wasn't from a legitimate source or your usual supplier.

A twist on the directory scam is a notice sent to your business, usually by email, asking you to confirm company information. At the bottom of the page is a signature line followed by fine print that often gets ignored, stating that by signing the notice you have agreed to a two-year directory listing for $1,500 per year. The notices often use symbols suggestive of legitimate directory companies like the Yellow Pages' "walking fingers." 

What to do:

Before providing any information to a third party, always check their legitimacy by taking a few simple steps:

• Don't rush to agree to a listing.
• Hang up and call your usual contact to confirm if a request is real.
• Confirm that the caller is an actual supplier: ask for their company contact information.
• Ask to see the service contract or purchase request.
• Carefully review any invoices, checking logos to verify they're the real ones (such as "walking fingers" that point in the correct direction).
• Check with colleagues that there was indeed an order placed and that verifications were made.
• Check the Better Business Bureau's website to help determine if you should engage the company.
• If the caller claims that they'll report you to a credit bureau, ask which one they belong to and then check on them.

If you receive an unsolicited offer from a company wanting to sell you services:

• Be skeptical.
• Never feel pressured to commit right away. 
• Ask for the company's contact information, then research it and the people who contacted you.
• Ask for a written contract and thoroughly inspect it, along with any invoices, before making a payment.

If you are threatened verbally or in writing, call your local police and the Canadian Anti-Fraud Centre.

Office supply scam

How it works:

In a typical office supply scam scenario, you or your buyers receive an email or call from someone who seems to be your business' regular supplier of photocopy toner, light bulbs or some other type of office supplies. The scammer could infer that there's a government requirement for you to replace an 'expired' product, such as a first aid kit, and that they're contracted by government to be a supplier of that product, and that you could face a fine if you aren't in compliance. They may be hoping to catch a new or lower level employee who isn't aware of how things work, or may use 'spoofed' emails to make it appear that they originate from your usual supplier.

Office supply fraudsters ask you to verify information such as address, banking details, the person to be invoiced or other information associated with ordering supplies. In the case of emails, they could provide you with new banking details and request that future payments for supplies be made to this "new" account. They might also ask for seemingly irrelevant information like the number of employees in the organization. These inquiries are designed to trick you into giving up key information so they can fine tune their trap.

Sophisticated fraudsters will later place a second or third phone call to gather even more information or try to mislead your colleagues into believing that you or a manager agreed to placing an order and that everything is already settled; they only need payment.

When you receive the very realistic looking invoice, with or without the supplies, you're asked to pay. When you refuse, you get aggressive collections calls threatening to report you to credit bureaus and local business associations to damage your reputation.

Another twist on the office supply scam goes like this: a training company convinces you to sign up for health and safety or other specialized training for employees, citing government regulations requiring it. The scammer may not actually provide the training after being paid to do so, or they may provide inferior training that isn't properly authorized. In the meantime, you're on the hook for the cost.

What to do:

Before providing any information to a third party, always verify that they are legitimate:

• Don't rush to agree to anything.
• Hang up and call your usual supplier contact to confirm that the request is legitimate.
• Confirm that the caller represents an actual supplier – ask for their business contact information.
• Contact the government authority directly to check your legal obligations. Calling 1 800 O-Canada (1-800-622-6232) or going to your provincial government's information line will get you to the right place.
• Ask to see the service contract or purchase request.
• Check with colleagues to confirm that an order was indeed placed and verifications were made.
• If you receive threatening collection calls or letters about payment from a lawyer or law office, check with the provincial law society to verify the information.
• Before making any payment, inspect invoices thoroughly to ensure the supplier company name is what you're used to seeing (with no slight differences).
• Ensure that employees in your business are trained to recognize, reject and report scams.

If you receive supplies you didn't order:

• Know that it isn't your responsibility to return the product; the sender can pay for shipping if they wish to.
• Send a certified or registered letter to the sender, requesting proof of the order.
• If they can't produce proof that the goods were ordered, indicate that you're keeping the supplies as a gift.
• If they can produce proof, follow procedures for ordered goods.

If you receive supplies that you ordered but they're of inferior quality, or overpriced:

• Inspect the supplies and reject those that don't conform to the contract, are overpriced or have defects.
• Send a certified or registered letter to the sender to notify them that their supplies don't conform and they have a month to retrieve them or you'll dispose of the products and will not accept any further orders.

If you are threatened, call your local police and the Canadian Anti-Fraud Centre.

Phishing, Spear Phishing, Whaling, Vishing, SMiShing…

How it works:

There are many "phish" in the "fraud ocean"! They all refer to the same broad practice: someone is trying to trick you into giving up sensitive business information like your credit card number, bank account number or passwords.

In a typical phishing scam, you are contacted via email, social media, telephone or text. The scammer will masquerade as a financial institution, service provider, client, supplier, prospective business partner, or even a government organization.

What to do:

Always be wary of unsolicited emails, text messages or phone calls from individuals or organizations prompting you to click on an attachment or link. It could lead to a website that looks legitimate, like your email login page, but is in fact only an extremely convincing imitation designed to steal your information.

• Check embedded links in emails by hovering your mouse over them to verify the address.
• Don't take for granted that links starting with "https:" – where "s" used to mean "secure" – are in fact safe. Scammers have learned and are now using those websites to lure you. 
• Don't click on any attachments; they could contain malware.
• Don't share attachments unless you created them or know the sender and know they are safe.
• Don't reply to suspicious emails, as this only confirms to spammers that your email address is functional, making it a potential target.
• Flag unsolicited or suspicious emails as "spam," then delete them. This allows most email service providers to "learn" and refine their spam filter. Next time this sender emails you, it will go directly to your trash.

Would you be able to spot this phishing attempt? In this example, scammers are trying to mimic your mother's email address, using the services of a fictitious email service provider: wmail.ca 

From: rnommy@wmail.ca  

The catch: can you see that the first "m" is actually an "r" and an "n" stuck together?

And this one…

From: mommy@wmail.com 

The catch: did you notice that it comes from a ".com" rather than ".ca"?

Or this one…

From: mommy@wmail.ca

The catch: hover your mouse over the hyperlink. It actually links to mommy@thisisscam.ca. This is a clever way to mask the actual sender. 

Be vigilant!

Fake CEO scam

How it works:

The 'fake CEO' scam (also known as the 'business email compromise') is a type of spear phishing in which fraudsters impersonate your company's CEO or other senior employee using a legitimate-looking email. They may have lifted information from your company's website or hacked into your business'  email system to get information about key employees, clients, suppliers and banking information.

This type of fraud uses social engineering and psychology to bypass the normal controls and procedures within a company. There are different scenarios they can spin. Posing as the fake CEO, they might target financial employees to enact money transfers, or say that a contract is in danger if a supplier isn't paid immediately, insisting on an electronic payment to a certain person or business. Or they might impersonate one of your important suppliers who has not been paid and is threatening to escalate the issue. There are many different scripts in this type of scam.

What to do:

• Stop. Take a second look at the email.
• Examine the sender's email address, which may be very similar to the real one, with only one or two different characters.
• Check with the supposed author of the email or the CEO's administrative assistant to verify the request.
• Establish a standard process that requires multiple approvals for money transfers.
• Double-check with executives when they send wire transfer requests by email, even when they look legitimate, but don't reply to or use the contact information from the request email.
• Limit the amount of employee information available online and on social media. Fraudsters use it to find potential victims and to time their targeted fraud.
• Ensure that business computer systems are secure with up-to-date antivirus software and strong employee passwords to protect email accounts from hackers.
• Learn more about the various "spear phishing" scams to be prepared to reject them.

Intellectual property scam

How it works:

You might receive a letter or email that appears to come from a federal agency like the Canadian Intellectual Property Office (CIPO), saying that your business' intellectual property (IP) rights must be renewed.  It could contain images of patents or trademarks, contact information, registration numbers and other information that is publicly available. All this very specific information makes the reminders appear authentic. They'll ask for payment in exchange for renewing your IP rights and you could end up paying much more than necessary. They might state that they aren't CIPO, but it could be buried in very small text and not easily seen.

What do to:

• Check who sent the reminder. Emails from CIPO come from an address ending in "@canada.ca"; letters from 50 Victoria St., Gatineau, QC, K1A 0C9. If the notice comes from elsewhere, it’s not from CIPO.
• Know what you owe. The fees requested in fake solicitations are usually much higher than CIPO’s fees. Check CIPO’s list of fees.
• Intellectual property rights need to be renewed at very specific times. For example: trademarks every 15 years and patent maintenance fees  every year. Consult CIPO’s list of fees.
• Read the fine print. It may confirm that the solicitation does not come from CIPO. If still unsure, contact CIPO to confirm that the solicitation is legitimate.
• If you have received an email or correspondence regarding the renewal of your trademark or patent, verify that it is legitimate by contacting the CIPO Client Service Centre at 1-866-997-1936, or by email at ic.contact-contact.ic@canada.ca.

Malware and ransomware

How it works:

Malware, or malicious software, is a computer program that's specifically designed to damage the normal operation of your computer or network. You can accidentally 'catch it' when downloading email attachments, clicking links in emails, visiting less reputable websites or downloading music, videos or programs. It can also infect your computer through pop-up ads. 

Malware is a security issue and is never good news. It can send spam, access your computer, find personal information, disable your security settings or re-install itself after you remove it. In the form of ransomware, it can block access to your business computer by locking your screen or encrypting your information while scammers demand payment to unlock it.

What to do:

There are many ways to prevent and avoid malware. Protect your computer and network with security software, back up your data externally and stay vigilant. For more details on staying safe, visit the Get Cyber Safe website.

Recognize the pitch

Scammers have well-developed skills and techniques. They know exactly which strings to pull. They bank on certain values and emotions we all share:

• We trust. It turns out we should be much more skeptical of unsolicited calls, emails, mailed letters and faxes. It's increasingly easy to spoof emails, logos or websites.
• We fear. If they threaten your bottom line, your credit score or your customers, hang-up and call the police. Don't be victimized.
• We don't know. Education and awareness can go a long way. That's why sharing information and experiences with other businesses and within your industry is crucial.   

Here are a few techniques scammers use to lure you. Get familiar with these tips for the next time you get a cold call or unsolicited email.

Urgency

This is a pressure tactic that offers a special lower rate and often implies it's a one-time deal offered only by the caller, to entice the person to pay immediately: "I'm glad I caught you today." "Offer ends tomorrow." "I can offer this rate now, but I can't guarantee it will be offered again." 

Creative name use

This is about using a company name that sounds large, national or international. Giving the first or last name of the caller, although it's likely an alias, helps develop familiarity.

Authority

This borrows credibility from an outside source and can be highly persuasive. "We're registered with the government as the official supplier of…" "You're required by law to buy this…" "We're owned and operated by MBA graduates with over 12 years' experience in the industry."

Reciprocity

This involves offering a prize, a special price or other privileges to get you to send money or confirm an order. "We'll give you something, you give us something in return."

Foot in the door

This involves getting you to agree to some small purchase, and then surprising you with larger commitments later. For example, you accept a free box of paper, but then discover that in doing so, you've agreed to an automatic monthly supply of paper.

Pitch a better deal

This involves offering something very expensive, expecting you to balk at the price, wherein you're offered something cheaper that now looks more reasonable. You may mistakenly think you got a good deal but later realize you've been defrauded.

Initial agreement pressure

Early in the pitch, you're asked a question like: "Do you like to save money?" Later you're pushed to stick to your word and commit to a purchase by reminding you that: "You said you liked to save money."

Altercasting

This places you in a desirable and respected social role: "As a critical member of your organization, you should know…" or "Are you the manager? Then you should have the authority to approve this offer now…"

Professionalism

This plays on your sense of professional integrity. If you say you're not sure you ordered it, you're told, "My records show that I called you on (date) / at (time) and confirmed the amount. I'll include my personal business card in case you have a problem with the order."

Untraceable payment methods

Scammers often want payment through wire transfers, gift cards, and more recently Bitcoin or another cryptocurrency, all of which are nearly impossible to reverse or track, particularly the latter.

Reject fraud - Top five myths to bust

1- Fraud isn't a real problem for my business

It is. According to a recent report by PwC, 55% of Canadian organizations experienced some form of economic crime in the past 24 months. BDO Canada estimates that fraud cost Canadian businesses more than $30 million in 2017.

Falling for fraud can impact your money and your personal information, and it definitely wastes your time. It can also impact your customers if your services are interrupted or their personal information is compromised. Fraud can hurt your reputation and your bottom line, yet there are steps you can take to protect your business.

2- Scammers are obvious

In 2017, Canadians lost close to $100 million to fraud, so scammers can clearly be very convincing. Don't blame yourself for not catching on if it happens to you. According to the Better Business Bureau (BBB), fraudsters use the following tactics against businesses because they have worked over and over:

• They pretend to be someone the business would trust.
• They create a sense of urgency.
• They fly under the radar, slipping through normal business processes undetected.
• They use intimidation and fear.
• They entice business representatives with promises of amazing deals.

Businesses told the BBB that learning about a specific scam and the methods and behaviour of scammers was the most helpful way to avoid being scammed. Arming yourself with good information will go a long way.

3- Scammers aren't interested in small and medium-sized businesses

The Canadian Federation of Independent Business found that one out of every five small businesses has been victimized by fraud, at a cost of $6,200 on average. They also found that most businesses take measures to protect themselves from fraud, costing on average $2,900 – much less than the cost of falling for fraud. A quick cost/benefit analysis would suggest that it makes financial sense for small and medium-sized businesses to invest in fraud prevention.

4- It's not worth reporting fraud

There are many reasons why businesses choose not to report fraud. They may fear it will jeopardize their reputation, require too many resources relative to the loss, or it's too minor to warrant involving the police.

Understand that it's extremely important to report fraud – it's one of the best ways the authorities can identify current scams, see who is being targeted, gather evidence to disrupt and shut down the operations and better protect businesses in Canada from being victimized by fraud.

Law enforcement may not be able to take action immediately but the information you provide remains confidential. It can be used for investigations, to identify trends and to warn others (through alerts and other public education), and it can be shared with other law enforcement partners.

5- Fraud is a one-time thing

Actually, this isn't the case. Statistics show that once scammed, your chances of being targeted again are higher. It's called the 'sucker list.' While it may be tempting to write off being scammed as the cost of business and move on, remember that if employees are not trained to prevent fraud, the scam that caught your business once, or a new and different one, can show up again.

Top 10 fraud-fighting tips for businesses

Invest in your people

• Provide training to employees on scam detection and prevention.
• Talk about scams and share information in employee meetings.
• Ensure employees know not to provide personal or business information and banking details to anyone not known and trusted.
• Let employees know that if a request seems suspicious, they should do an online search and independently verify it.
• Don't let employees fall victim to tactics like bullying, negotiations for a lower price, alleged urgency, or charges for unordered or unused goods.

Invest in your processes

• Limit the number of people authorized to pay invoices or place orders for your business and have an approval process in place with verbal authentication.
• Have clear procedures in place to make sure invoices are legitimate.
• Keep your filing and accounting systems well organised—this makes it easier to detect bogus accounts and invoices. Double check every request for payment.

Invest in your networks

• Consider what business information you post on social media and networking sites, as scammers use publicly available information to target businesses.
• Invest in security systems to keep your office networks, computers, and mobile devices secure. Update your security software, change passwords and back up data regularly. Store your backups offsite and offline.

Report fraud

False or misleading advertising

• Contact the Competition Bureau and file a complaint (1‑800‑348‑5358).
• Contact the Canadian Anti-Fraud Centre (1‑888‑495‑8501).

Lost money

• Contact your local police force and file a report.
• Contact your bank or financial institution and credit card company.
• Contact the Canadian Anti-Fraud Centre (1‑888‑495‑8501).

Identity theft

• Contact your local police force and file a report.
• Contact your bank or financial institution and credit card company.
• Contact the two national credit bureaus and place a fraud alert on your credit reports.
• Always report identity theft and fraud. Contact the Canadian Anti-Fraud Centre (1‑888‑495‑8501).

Banking information theft

• Contact your local police force and file a report.
• Contact your bank or financial institution and credit card company.
• Contact the two national credit bureaus and place a fraud alert on your credit reports.

Spam emails and text messages

• Visit Fight Spam for information on Canada's anti‑spam legislation and how to report spam.