Protect your business from fraud — Common scams targeting Canadian businesses

Here are some of the most common scams used against businesses in Canada, with tips on what to look for and how to protect your business.

Business grants and loans scam

How it works

You are searching online for small and medium-sized business financing, and you find a website for what claims to be a government department helping small businesses access grants and loans. The site says that, for a fee, you will get "special access" to government funding programs—it may even imply that funding is guaranteed. The website might be designed to mimic that of a government department, right down to the use of the Canadian flag identifier or other official government logos and wordmarks.

Buying into this kind of offering is a sure way to lose your money.

How to spot it

There are three main points to keep in mind when looking for a business grant or loan. The first thing to remember is that government departments or agencies do not charge for services and information to help you apply for government grants and loans. Secondly, no one can ever guarantee that your business will receive such funding. Third, no private sector companies are involved in the process of approving government applications for business financing.

Protect your business

Be skeptical, and never allow yourself to feel pressured to commit.

Closely examine the website and any related advertisements and take the time to research the source before subscribing to any newsletters, sending money, or providing any credit card or bank account details. Also, visit the website of the government department by going there directly (not via an email link).

Call 1 800 O-Canada (1-800-622-6232) for general information on Government of Canada programs and services.


Directory scam

How it works

You’re contacted by a seemingly legitimate business directory supplier wanting to confirm your address and contact information. The caller may imply that your company has purchased the listing in the past for an ad in a magazine, journal, business directory, or an online directory listing. They say that the call is simply to update your company contact information. Simple. You confirm. This is called the “Assumed Sale” technique.

Then you receive a second call to "confirm" that you have agreed to purchase the directory listing and, a few weeks later, you receive an invoice for several hundred dollars for online advertising you never agreed to. The online directory is of little or no commercial value, isn't searchable, and offers nothing more than the results of a standard web search.

When you call to dispute the charge, they say they have a recording of you agreeing to the services. If they play you the recording, you can tell that they have edited your words from one of their real calls to suit their purposes. They threaten to send your file to a collection agency. If you don't pay, you receive aggressive collections calls during which the callers threaten you, saying that your company's credit rating will be affected.

How to spot it

If your business really does have a history with a supplier, then the supplier will be able to provide the address they have on file, along with other proof of a previous purchase. Also, even if things get so far as the scammer sending you an invoice or contract, it is important to remember that because they are neither a legitimate source nor your usual supplier, they have no actual grounds to report your business to a credit bureau.

A twist on the directory scam is a notice sent to your business, usually by email, asking you to confirm company information. At the bottom of the page is a signature line followed by fine print that often gets ignored, stating that by signing the notice you have agreed to purchase a two-year directory listing for a fee like $1,500 per year. Such notices often use symbols or logos that resemble those of familiar legitimate directory companies, such as the "walking fingers" logo used by the Yellow Pages.

  • Test your flair for detecting fraudulent invoices

    Your accounts payable employees sort through the mail, check the invoices and, for the most part, they just make sure things get paid on time. But what if one of these employees opens an invoice from a stranger that bills your business for goods you never ordered or have not received? Even worse, what if the fraudulent invoice names you as the person who authorized the purchase?

    Take a look at this fake invoice and ask yourself whether you or your staff would question it at first glance.

    Fake Invoice

    Invoice (PDF; 1.9 MB; 2 Pages)

    The logo is the same as the familiar "walking fingers" logo for the Yellow Pages, but if you look closely, you'll notice the fingers are "walking" in the opposite direction compared with the real logo. Also, the company name is slightly different, but similar enough to make it clear the deception is intentional.

    Okay. So what? This invoice is not for a big amount, right? Well, the first one might not be. But if not caught early, the combined payments will add up over time. If your staff don't notice that first invoice and just pay it, then the fraudulent vendor is added to your vendor lists. That means their next invoice is more likely to be paid without question.

    What's more, as soon as the first fraudulent invoice is paid, your organization is placed on a "sucker list," and your business information could be shared with other fraudsters and your company marked as an easy target.

Protect your business

Before providing any information to a third party trying to get a commitment for a directory listing, always check their legitimacy by taking a few simple steps:

  • Don't rush to agree to a listing.
  • Hang up and call your usual contact to confirm that the request is real.
  • Confirm that the caller is an actual supplier by asking for their company contact information.
  • Ask to see the service contract or purchase request.
  • Carefully review any invoices.
  • Verify logos to make sure they are real. For example, if a logo looks like the Yellow Pages symbol, refer to the Yellow Pages website to confirm their actual logo—are the “walking fingers” walking in the correct direction?
  • Check with colleagues to confirm whether an order was indeed placed and verified.
  • Check the Better Business Bureau website to help determine whether you should engage the company.
  • If the caller claims that they’ll report you to a credit bureau, ask which credit bureaus they belong to and then confirm what they tell you.

If you receive an unsolicited offer from a company wanting to sell you services:

  • be skeptical
  • never feel pressured to commit right away
  • ask for the company’s contact information, then research both the company and the person who contacted you
  • ask for a written contract and thoroughly inspect it, along with any invoices, before making a payment

If you are threatened verbally or in writing, call your local police and the Canadian Anti-Fraud Centre.


Office supply scam

How it works

In a typical office supply scam scenario, you or your buyers receive an email or a call from someone who creates the impression of being your regular provider of specific office supplies. The scammer might imply there is a government requirement for you to replace an "expired product," that the government has contracted them to supply that product, and that you could face a fine if you don't comply with the requirement. The hope seems to be that they will catch a new or lower-level employee who isn't aware of how things work, or they may use "spoofed" emails that look like they originated from your usual supplier.

Another type of office supply scam is when a training company convinces you to sign up for specialized training for employees, citing government regulations requiring the training. The scammer may not actually provide the training after being paid to do so, or they may provide inferior training that isn't properly authorized but, either way, your business is on the hook for the cost.

When you refuse to pay the invoice, you get aggressive calls threatening to report you to credit bureaus and local business associations to damage the reputation of your business.

How to spot it

Office supply fraudsters ask you to verify information such as your company address, banking details, the person to be invoiced, or other information associated with ordering supplies. In the case of emails, they might go so far as to provide you with new banking details and request that future payments for supplies be made to this "new" account. They might also ask for seemingly irrelevant information like the number of employees in the organization. These inquiries are designed to trick you into giving up key information so they can fine-tune the trap.

Sophisticated fraudsters will later follow up to gather even more information or try to mislead your colleagues into believing that you or a manager agreed to place an order and that everything is already settled; they only need payment.

Protect your business

Ensure that employees in your business are trained to recognize and report office supply scams.

Educate yourself, your employees and your coworkers to be cautious of unsolicited calls:

  • create a list of companies that are typically used by your business
  • limit the number of staff who can approve purchases and pay bills
  • clearly define procedures for verification, payment and management of accounts and invoices
  • contact your province’s regulator to know your legal obligations

Before providing any information to a third party:

  • don't rush to agree to anything
  • get in touch with your usual supplier contact to confirm that the call or email is legitimate
  • ask for the caller's business contact information and confirm that the caller represents an actual supplier

Before making any payment:

  • ask to see the service contract or purchase request
  • check with colleagues to confirm that an order was indeed placed and verified
  • inspect invoices carefully before making any payments as fraudsters will use company names or logos similar to those of known businesses to make their invoices seem real

If you receive supplies that you didn't order:

  • know that it is not your responsibility to return the product; the sender can pay for return shipping if they wish
  • send a certified or registered letter to the sender requesting proof of the order
  • if they can produce proof, follow your company's established procedures for receiving and paying for ordered goods
  • if they can't produce proof that the goods were ordered, indicate that you will be keeping the supplies as a gift

If you receive supplies that you ordered but they are of inferior quality or overpriced:

  • inspect the supplies and reject those that don't conform to the contract, are overpriced, or have defects
  • send a certified or registered letter to the sender to notify them that their supplies don't conform and they have a month to retrieve them or you'll dispose of the products and will not accept any subsequent orders

If you receive threatening collection calls or letters from a lawyer or law office about payment, check with the provincial law society to verify whether it is from a legitimate lawyer or law office.

If you are threatened, call your local police and the Canadian Anti-Fraud Centre.

Contact the government authority directly to check your legal obligations. Calling 1 800 O-Canada (1-800-622-6232) or going to your provincial government's information line will get you to the right place.


Phishing, spear phishing, whaling, vishing, smishing

Definitions

  • Spear phishing is when fraudsters are looking for one specific piece of information.
  • Whaling occurs when fraudsters try to catch big targets through a malicious phishing attack aimed at high-ranking bankers, executives or others in powerful positions or job titles in the organization to siphon off money or access sensitive information.
  • Vishing refers to phishing by voice, over the phone or VoIP.
  • Smishing refers to phishing conducted using text messaging, also known as SMS (Short Message Service).

How it works

All of the terms related to this group of scams refer to the same broad practice in which someone tries to trick you into giving up sensitive business information, such as credit card numbers, bank account numbers, and passwords.

In a typical phishing scam, you are contacted via email, social media, telephone, or text. The scammer masquerades as a financial institution, a service provider, a client, a supplier, a prospective business partner, or even a government organization.

How to spot it

There are several subtle but consistent ways to spot a “phishing expedition”. In the following example, scammers are trying to mimic your bank’s email address using the services of a fictitious email service provider, “yourbankltd.ca”.

From: loandept@yourbankltd.co
The catch: Did you notice that it comes from a ".co" rather than ".ca"? Or this one…

From: rnoneywise@yourbankltd.ca
The catch: Can you see that the first "m" is actually an "r" and an "n" stuck together? Or this one…

From: yourbank@yourbankltd.ca
The catch: Hover your mouse over the hyperlink and you will see that it actually links to yourbank@thisisascam.ca. This is a clever way to mask the actual sender.

Be vigilant!
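The three catches above (a changed domain ending, look-alike characters, and a link whose visible text differs from its real target) can also be checked automatically. The following Python is an added example, not part of the original guidance; the verified-sender list, the look-alike character table and the sample message are assumptions built from the fictitious yourbankltd.ca addresses used above.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: sender addresses your business has verified out of band.
KNOWN_SENDERS = {"loandept@yourbankltd.ca", "moneywise@yourbankltd.ca"}
TRUSTED_DOMAINS = {a.partition("@")[2] for a in KNOWN_SENDERS}
# Sequences that render alike in many fonts (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
# Constructed sample body: the visible address and the real mailto target differ.
SAMPLE_HTML = '<a href="mailto:yourbank@thisisascam.ca">yourbank@yourbankltd.ca</a>'


def skeleton(text):
    """Fold look-alike sequences so 'rnoneywise' and 'moneywise' compare equal."""
    text = text.lower()
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def check_sender(from_header):
    """Return findings for a From: header; an empty list means a verified sender."""
    addr = parseaddr(from_header)[1].lower()
    if addr in KNOWN_SENDERS:
        return []
    domain = addr.partition("@")[2]
    name = domain.rsplit(".", 1)[0]
    findings = [f"look-alike characters, imitates {k}"
                for k in sorted(KNOWN_SENDERS) if skeleton(addr) == skeleton(k)]
    findings += [f"ending differs from trusted domain {d}"
                 for d in sorted(TRUSTED_DOMAINS)
                 if d != domain and d.rsplit(".", 1)[0] == name]
    return findings or ["sender is not on the verified list"]


class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body):
    """Flag links whose visible text names one domain while the target is another."""
    audit = LinkAudit()
    audit.feed(html_body)
    findings = []
    for text, href in audit.links:
        url = urlparse(href)
        # mailto: keeps the address in .path; web links expose .hostname
        real = (url.path.rpartition("@")[2] if url.scheme == "mailto"
                else url.hostname or "").lower()
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.rpartition("@")[2].lower())
        if shown and real and shown.group(0) != real:
            findings.append(f"text shows {shown.group(0)} but link goes to {real}")
    return findings
```

A finding from either function is a reason to confirm the message through a contact channel you already trust before acting on it.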

  • Test your flair for detecting fraudulent emails

    Most people are familiar enough with spam that they treat most incoming emails and various websites with some degree of suspicion. But take a look at these examples:

    Example 1:

    To: "undisclosed recipient"
    Date: January 22, 2019
    Re: Special offer — ACT NOW!!!

    Dear Pat Quick,

    Account number: 070004623

    What if I told you that you can get 35% off toner? Take advantage now of our special offer!

    Download our order form and remit it ASAP by email to ensure rapid delivery.

    Please note: You will need to provide us with your name, shipping address, and credit card number (with expiry date) and we will send you your toner.

    Order now! Supplies are limited.

    Yours truly,

    Edward Mitchum
    Business Solution Depot

    Let's consider:

    Is it legitimate? Be careful because there are signs that suggest it is a scam:

    • They want your coordinates and credit card number, but what are they promising in return?
    • There are more details here about what you need to provide than about what they are providing you.
    • There are few details here on what product is being offered and whether or not this company even offers toner made for your office equipment.
    • The toner is being offered at a rebate, but what is the price? A 35% reduction sounds like a good deal, but 35% off what amount? Be sure to find out before you order.
    • Many scams have a very professional appearance and are well presented; however, this does not mean that all scams are slick—the spelling and grammatical errors are a tipoff that this message might not be from a credible and legitimate company.

    Example 2:

    To: "undisclosed recipients"
    Date: Nov. 10, 2018
    Re: Letter of intent

    Hello,

    I am a Civil Lawyer. I have a Client that has Interest in Investing in Your Company, can You be of Assistance?

    I shall give Details when you reply.

    Yours Faithfully,
    Barr. Joel Kazeel.
    Cell Phone: 2348272783469
    Telephone: 23418879801

    Consider: Is it legitimate? This email has many features that suggest it is not:

    • The email is not personally addressed to you; it is sent to "Undisclosed recipients," which suggests it has likely been sent to hundreds of recipients—not just you.
    • There are spelling, grammar, and punctuation errors, all of which are common in scam emails.
    • The contact number is an international phone number, which is common in scams originating from other countries.
    • The email is short on details: How did this person get your name? What do they know about your business? Why did they not call you first?

    Look at these types of messages with a skeptical eye.

Protect your business

Always be wary of unsolicited emails, text messages, or phone calls from individuals or organizations prompting you to click on an attachment or link to provide information. The link will lead to a website that looks legitimate, like your banking login page, but that is actually only an extremely convincing imitation designed to trick you into entering your confidential information.

Take the following steps to protect your business from these types of scams:

  • Check embedded links in emails by hovering your mouse over the link to verify the address.
  • Do not take for granted that website addresses starting with "https" (where "s" used to mean "secure") are safe—scammers have learned and are now using these types of assumptions to lure unsuspecting victims.
  • Do not click on any email attachments; attachments can contain malicious software (commonly referred to as malware).
  • Do not share attachments unless you created them or you know the sender and know the attachments are safe.
  • Do not reply to suspicious emails—your reply confirms to the spammer that your email address is functional, marking it a potential target.


CEO scam

How it works

The CEO scam (also known as the "business email compromise") is a type of spear phishing in which the fraudster impersonates your company's CEO or other senior employee using a legitimate-looking email. They may have lifted email addresses from your company's website or hacked into your business email system to get information about key employees, clients, suppliers, and bank accounts.

The fake CEO scam depends on a form of psychological manipulation called "social engineering" to get around the regular control procedures within a company, taking advantage of normal human tendencies and feelings. With this approach, when the scammer connects with a company representative, their first goal is to make the individual feel the need to:

  • return a favour
  • honour a prior commitment
  • do what others are doing
  • obey an authority figure
  • want something because it is hard to find, or
  • trust someone because they seem likable.

How to spot it

There are many different scripts that scammers might use to carry out a fake CEO scam. For example, pretending to be the CEO, they might direct an employee in accounting to make a money transfer. Or they might say that a contract is in danger if a supplier isn't paid immediately and give you specific electronic payment instructions. Or they might impersonate an important supplier, claim that payment is overdue, and threaten to escalate the issue to your CEO if payment is not made immediately following the new payment instructions they provide.

What to do

There are several things you can do to protect your business from the fake CEO scam. For example, you can:

  • avoid putting too much detailed information about employees online—fraudsters use it to find potential victims and to time their approach accordingly
  • ensure that your business computer systems are secure with up-to-date, reputable antivirus software and strong employee passwords to protect email accounts from hackers
  • establish a standard process that requires multiple levels of approvals for money transfers
  • learn more about the various "spear phishing" scams
  • train all employees on how spear phishing works and what they can do to protect the company—for example, it can make a big difference if your employees know to:
    • stop and take a second look at any email that claims to come from the CEO or another senior executive of the company
    • examine the sender's email address with the knowledge that it may be very similar to the real one with only one or two different characters
    • confirm with the supposed author of the email or their administrative assistant to verify the request or instruction
    • validate all transfer requests either on the phone or in person with executives making email requests for money transfers, even if these look legitimate
    • never reply to or use the contact information provided in the request email unless the appropriate authority has fully and directly confirmed it is legitimate.


Intellectual property renewal notice scam

How it works

In this scam, you receive a letter or an email that looks like it is from the Canadian Intellectual Property Office (CIPO). This message pretends to be a reminder that your company's intellectual property (IP) rights must be renewed. The message might contain images of patents or trademarks, contact information, registration numbers, and other publicly available information but is so specific and familiar that it makes the reminder appear authentic.

The instructions are for you to pay a specific amount to renew your IP rights, and that payment must be made following the instructions provided in the message. If you make the payment as instructed, you could end up paying much more than the real renewal fee—and on top of that, you will still need to pay the real fee to CIPO when the actual renewal date comes up.

How to spot it

When you receive a reminder email or letter from the CIPO, check where it came from:

  • legitimate emails from the CIPO come from an address ending in @canada.ca or @ised-isde.gc.ca
  • the return address on a legitimate CIPO letter is always 50 Victoria Street, Gatineau, QC K1A 0C9

If the notice comes from elsewhere, you know it is not from the CIPO.

Protect your business

Take the following steps to protect your business from intellectual property scammers:

  • Know what you owe. The fees requested in fake solicitations are usually much higher than actual CIPO fees.
  • Know your due dates. IP rights need to be renewed at very specific times; for example, patent maintenance fees are due annually, whereas fees for trademarks need to be renewed every 15 years.
  • Read the fine print. It may state that the solicitation does not come from the CIPO, but if you are still unsure, contact the CIPO to confirm that the solicitation is legitimate.
  • Verify the source. If you receive an email or correspondence regarding the renewal of your trademark or patent, verify that it is legitimate by contacting the CIPO Client Service Centre at 1-866-997-1936, or by email at ic.contact-contact.ic@canada.ca


Malware and ransomware

How it works

Malicious software, commonly known as “malware”, refers to computer programs specifically designed to damage the normal operation of a computer or network. You can accidentally “catch” malware when you download email attachments, click links in emails, visit less reputable websites, or download music, videos, or programs. Malware can also infect your computer through pop-up ads.

Malware is a security issue and is never good news. Fraudsters can use malware to send spam, access your computer, find personal information, and disable your security settings. Malware can even reinstall itself after you remove it.

"Ransomware" is a form of malware that blocks access to your business computer by locking your screen or encrypting your information while the scammer demands payment to unlock it.

How to spot it

The following sources provide up-to-date information and techniques for spotting malware on your company systems:

What to do

There are many ways to prevent and avoid malware. Protect your computer and network with security software, back up your data externally, and stay vigilant.
