Scam Alert

How to protect your business from fakes and fraudsters before it’s too late.


It’s one of the oldest tricks in the book — a company receives an invoice that says it is past due and must be paid immediately, only it’s a fake designed to defraud the business — and it’s still one of the most effective, especially as fake invoices probably look better today than they did 25 years ago.

One well-known fake invoice was from a Yellow Pages impostor. If you spent any time looking at it, you would have noticed that the fingers that do the walking were actually upside down, says Rosalind Scott, president and CEO of the Better Business Bureau that services Vancouver Island. In that case, the “invoice” sent the recipient to a website where the company was signed up for a product that it didn’t want, and probably couldn’t even use. But most fakes aren’t that obvious, and that makes it easy for business owners to become victims, especially when they are juggling deadlines, distractions and unfamiliar technology. 

A Multibillion-dollar Industry

Between January 1 and October 31, 2024, Canadians lost more than $500 million due to fraud, with more than 28,000 people falling victim to scammers, according to the federal government’s Canadian Anti-Fraud Centre (CAFC). That number is probably much higher as it is estimated that only about five to 10 per cent of victims report being defrauded.

“It’s a multibillion-dollar industry,” Scott says.

The fake invoice scam is just one of many that businesses can fall victim to. Here are some of the others out there, ready to take your money or worse.

Government compliance notices. These usually include government department logos, a font that resembles government letters and a reference or file number. The business is directed to a website where it can get “help” filing its report — and provide information that will enable the scammer to compromise the company’s network and banking information and even steal the company’s identity. No company wants to ignore a letter from the government and risk an audit or worse, which is why these are so effective.

Other government notices. Another common government impostor scam offers grant money to companies in exchange for a fee. According to the CAFC website, these scammers offer “special access” to government funding programs, may have official-sounding names and may use Government of Canada logos. The site asks you to pay an upfront fee, either to receive a list of available grants or to complete the application. In some cases, the site may ask that you open a new business bank account to receive the money. Once you provide the banking details, the scammers may use the account for purposes such as laundering money.

Fake loan scams. These scams direct people to a website that looks like a legitimate financial institution, but the “loan applications” are used to collect personal information that can result in identity theft and fraud.

Identity theft. Many think identity theft only applies to individuals, but it can also affect businesses. According to the BBB, criminals can steal a business’s identity by gaining access to financial or other sensitive information through hacking, malware, phishing emails, swiping credit card info or even finding sensitive documents that have been improperly discarded.

Ransomware attacks. In these situations, hackers get access to a company’s computer network and hold it for ransom, asking for money to return the data or return access to the company. For instance, earlier in 2024, Richmond-based retailer London Drugs shut down its stores for a week after being attacked. But this is also happening to small companies, Scott says. “And they don’t want $20. They want a lot more.”

AI-generated deep fakes. Artificial intelligence has made scams even more sophisticated, says Simone Lis, president and CEO of the Better Business Bureau for the Lower Mainland. She heard a story of an accountant who thought they were talking to their CEO on a video conference call, but it was a scam artist who had created AI videos of what looked like the boss. AI can also be used to mimic voice messages, she says.

In all of these cases, the key to protecting yourself is education. Because if you track back a breach or scam, it’s probably something that is relatively minor that someone did. And that “someone” would be an employee. “The most important thing for businesses to do is educate their employees because all security breaches are tied to a vulnerability that a well-meaning employee has inadvertently caused,” Scott says.

How to Protect Your Business

While scammers are getting very good at being copycats, nine times out of 10 they make mistakes that suggest something’s not quite right. Here are just a few things to look for:

      • Check for typos, grammatical errors or even formatting errors on letters and emails, and make sure every invoice requires at least two sets of eyes on it before it gets paid.
      • Confirm the email address any communication is coming from. Beware of phishing, the practice of sending scam emails to a wide swath of people; “spear phishing” is a newer form of phishing that targets specific employees.
      • Look closely at websites, especially when accessing them with a QR code. Does it start with “https://”? The “s” is key and shows the website is secure. Keep in mind that all public-facing Government of Canada websites use the domain canada.ca and British Columbia websites include “gov.bc.ca.”
      • Hire a really good IT provider, advises the BBB’s Scott. “It may seem like a big investment at the time, but the safety of your company is really paramount.”

Most importantly, she says, train your employees from day one on the safety procedures that need to be followed. That includes things like discouraging them from browsing websites where they could inadvertently click on a malicious link that compromises the whole system.

“Small businesses are very vulnerable to being scammed because quite often they don’t have the full-meal-deal cyber security that big businesses most likely have,” says Scott. “But all businesses have employees, and quite often it’s not the owners and the people at the top end, but it’s the brand new employee, or the young employee that doesn’t understand all the procedures yet. That is a primary target of scammers when they’re looking to scam.”

The BBB has a scam tracker on its website where people throughout Canada and the United States can report scams they have been exposed to and others can look at the list and be on the lookout. There is also a scam prevention guide, with links that can help a business assess what scams it might be most vulnerable to, as well as quizzes and games and a scam survival kit.

“You can test your knowledge and see how much of a scam expert you are,” Lis says. “Because often our confidence is one area that can make us vulnerable.”

Beware Of Investment Scams

One way people lose money is through investment scams and although there are always new twists, they have been around for a long time. Charles Dickens even included what would eventually be called Ponzi schemes — where early investors are paid out by subsequent investors, rather than from business gains — in two of his novels, Martin Chuzzlewit (1844) and Little Dorrit (1857). Now technology is adding sophisticated twists to age-old scams, such as AI-generated deep-fake videos and voices that clone recognized experts and even family members.

“We’ve seen people lose millions of dollars,” says Sammy Wu, manager of investigations for the BC Securities Commission, who adds that the foundation of every investment scam is trust.

Here’s one way that trust can be gained online through a Facebook group.

A scammer joins your group pretending to have the same interests and then starts one-on-one comments with some of the group members. Over time, conversations move from Facebook to texts or WhatsApp.

Once trust is established — which can take months — your new “friend” will mention a great investment they made. When you ask about the investment, you are directed to a website that looks like a legitimate investment site, with investment packages to choose from and a number to call to set up an account.

An account representative will offer to join your computer to help set up the account, often using the remote desktop application AnyDesk. Once that’s done, the scammers have access to your computer and all your information. The “account” on the website will show good returns at the beginning and you may even be allowed to withdraw small amounts of money at first. But when the money you put in starts building up, it gets harder to take it out. There will be excuses, like money has to be paid up front to cover the capital gains tax. When you start asking too many questions and demand your money back, all communication is cut off and your money is gone.

Worse, the scammer, which is usually offshore organized crime, may have also drained your bank account and even taken out loans in your name.

If you are considering investing in an exciting opportunity, be on the lookout for these red flags:

      • If it sounds too good to be true, it probably is.
      • There is some urgency that you will miss out.
      • The investments involve cryptocurrency.
      • When you ask questions about the investment, it sounds very sophisticated — for instance, using offshore trusts — but without any real details.

For more warning signs and ways to protect yourself, visit the BC Securities Commission website investright.org.