Protecting your small business from scams

From fake invoices to your data being held hostage, small businesses face a number of threats. Here are some common scams to watch out for.

“Small businesses are a popular target for scammers,” says Prospa’s Cyber Security Manager, Charn Tangson. “While you may think you’re not big enough to be a target, in reality it’s often easier for a criminal to scam 50 small businesses than one or two large ones.”

Be aware, too, that scammers can be more active at certain times of the year, particularly when they know small businesses are going to be busy.

“Specific times of the year may be higher risk, such as when you’re doing your quarterly BAS, EOFY and Christmas,” says Charn.

“Cyber criminals tend to take advantage of lack of time as well as certain activities (like a tax refund) to craft personalised scams.”

So, to protect yourself, you need to know the risks. Charn shares some of the top small business threats and scams to watch out for:

Fake invoices, bills or refund requests

Receiving invoices and bills online is common for many small businesses. However, all may not be what it seems. Attackers frequently craft invoices that look almost identical to the ones your business usually receives, but are fake and direct funds to a different bank account. They also might send you an email telling you you’re due a refund because you’ve overpaid.

These emails can arrive because your supplier has been hacked, or they may just be an educated guess. And if your supplier has been hacked and you click on the link, you may have just let hackers into your system.


If you click on a malicious link in an email containing a fake invoice, for example, or on a website that’s been hacked, you may download ransomware to your computer and the entire system. Ransomware essentially encrypts all of the files on your computer and holds them hostage until you pay money to unlock them. And, of course, there’s no guarantee they’ll be released.

False awards or directories

You’ve no doubt heard about this or experienced it for yourself: “Congratulations, you’ve been nominated for the ‘best small business award’! Just pay $500 to enter…”

It’s relatively common to receive emails or calls letting you know you’ve won an award, or that your listing is missing from a major business/contact directory that all of your competitors are in.

To win an award, you need to enter or be nominated in the first place. Any payment is made at the time of entry, rather than when you’ve won. So, as nice as it is to hear, take it with the proverbial pinch of salt until you know it’s genuine.

If you’re asked to pay for a directory listing, sometimes the directory doesn’t exist – or if it does, it’s likely to be ineffective. Make sure you do your research.

False threats or extortion

Along similar lines are emails claiming you’ve broken laws or regulations – it could be anything from fake parking tickets to unlicensed software. Also common are recorded phone calls purporting to be from the ATO telling you you’re in breach and threatening legal action, with a request to call back on the number that called you. Don’t.

Fake services

From SEO experts to business consultants, there are many people out there trying to get your money. And some of them may be well worth it. Others, however, are not.

So, if you’re approached by anyone offering services to help your business, make sure you do your research, speak with their clients and only pay once they’ve delivered. And, if it’s a service you genuinely need, approach others to quote on the job to ensure what you pay is fair market price.

Tips to minimise your scam potential

  • Never click on a link to pay or open the invoice until you’re certain it’s genuine.
  • Check the sender’s email address is from the domain it should be from and check the bank details are the same as they usually are.
  • If you need to query the invoice, use the phone number on the sender’s website, not on the invoice. If it’s a fake, the number will go through to the scammer, pretending to be from that business.
  • Always back up your data to a second location. In the event of a ransomware incident, you will have peace of mind that there is at least one fallback to recover your systems and data.
  • Always question services and emails before actioning – if in doubt, call the sender to verify the legitimacy.
  • Always research companies offering awards, directories or services.
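
The sender-domain and bank-detail tip above can be turned into a routine check before any invoice is paid. The sketch below is an added example, not part of the original article; the supplier record, names and numbers in it are constructed placeholders, and `check_invoice` is a hypothetical helper.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed supplier record (hypothetical name, domain and bank details),
# entered from a trusted source such as the supplier's contract, not an email.
SUPPLIERS = {
    "Acme Paper Supplies": {"domain": "acmepaper.example",
                            "bsb": "012-345", "account": "1234 5678"},
}


def _digits(value):
    """Keep only digits so '012-345' and '012345' compare as equal."""
    return "".join(ch for ch in value if ch.isdigit())


def check_invoice(supplier_name, from_header, bsb, account):
    """Return reasons to stop and phone the supplier; an empty list means no mismatch."""
    record = SUPPLIERS.get(supplier_name)
    if record is None:
        return ["unknown supplier: no record to compare against"]
    findings = []
    # Use the real address, not the display name shown by the mail client.
    _, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    expected = record["domain"]
    if domain != expected:  # exact match only, so near-identical domains fail
        similarity = SequenceMatcher(None, domain, expected).ratio()
        kind = "lookalike" if similarity >= 0.8 else "unexpected"
        findings.append(f"{kind} sender domain: {domain or 'none'} (expected {expected})")
    on_file = (_digits(record["bsb"]), _digits(record["account"]))
    if (_digits(bsb), _digits(account)) != on_file:
        findings.append("bank details differ from the ones on file")
    return findings


if __name__ == "__main__":
    # Constructed invoice: 'rn' stands in for 'm' and the account number has changed.
    for reason in check_invoice("Acme Paper Supplies",
                                "Acme Accounts <accounts@acrnepaper.example>",
                                "012-345", "8765 4321"):
        print("HOLD PAYMENT:", reason)
```

A clean result is not proof the invoice is genuine, since a hacked supplier sends from the correct domain; the phone check in the next tip still applies.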

The information in this post is provided for general information only and does not take into account your personal situation. Nothing contained in this post constitutes advice or an endorsement or recommendation of any kind by Prospa. Any links to third party websites are strictly for informational purposes only. You should consider whether the information is appropriate to your needs, and where appropriate, seek professional advice from financial, legal and taxation advisors. Although every effort has been made to verify the accuracy of the information as at the date of publication, Prospa, its officers, employees and agents disclaim all liability (except for any liability which by law cannot be excluded), for any error, inaccuracy, or omission from the information for any reason, including due to the passage of time, or any loss or damage suffered by any person directly or indirectly through relying on this information.