Protect your business from 5 common scams

Here’s how you can safeguard your company’s finances from scam tactics

As a business owner, chances are you wear many hats. While you’re focused on the big stuff like customers, employees and the bottom line, it’s easy to overlook things that can make you more vulnerable to scams.

A scam or cyber incident could be devastating to your bottom line, not to mention the cost of losing your customers’ trust if their personal information is compromised. That’s why it’s important to establish and train employees on business security measures to minimize vulnerabilities, keep business operations running smoothly and, ultimately, to maintain customer confidence in your reputation.

Here are the top five scams targeting businesses and tips to help you protect yourself and your company.


Business email compromise

Cyber criminals will try to harm your business by sending phishing emails to your employees. The criminal will typically use a compromised or fake email address that appears to come from a legitimate source such as a senior executive or a familiar vendor to trick you into changing account information or conducting a fraudulent financial transaction.

Scan for suspicious emails

Invest in a strong antivirus software program and other security software that can flag suspicious emails. Also, make sure email addresses are spelled correctly or can be verified through alternative methods like a known good phone number.
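The "make sure email addresses are spelled correctly" check above can be partly automated. The Python below is an added example that is not part of the original article: it classifies a From: header as trusted, a look-alike of a trusted domain (one-character typo, digit-for-letter substitution, trusted name used as a leading label, or trusted address placed in the display name), or unknown. The trusted domains, confusable map and sample headers are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: domains your company already trusts (your own and known vendors).
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplies.com"}

# Common look-alike substitutions seen in typo-squatted domains (digit-for-letter, rn-for-m).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize_domain(name: str) -> str:
    """Fold case, strip accents (e.g. 'é' -> 'e') and collapse confusable letter pairs."""
    d = unicodedata.normalize("NFKD", name.casefold())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the classic one-character typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify an RFC 5322 From: value as 'trusted', 'lookalike' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unknown"  # unparseable address: treat as not verified
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize_domain(domain)
    for trusted in map(normalize_domain, TRUSTED_DOMAINS):
        # Confusables resolve to a trusted name, it is one edit away from it, or the
        # trusted name is only a leading label of a longer unrelated domain.
        if norm == trusted or edit_distance(norm, trusted) <= 1 or norm.startswith(trusted + "."):
            return "lookalike"
        # Display name advertises a trusted address while the real address lives elsewhere.
        if trusted in normalize_domain(display):
            return "lookalike"
    return "unknown"
```

Anything that comes back as "lookalike" or "unknown" and asks for a payment or account change is exactly the message to confirm through a known good phone number before acting.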

Keep employees informed

Create a detailed cyber awareness program that’s specific to your company’s needs. You can start by using the Federal Communications Commission’s online cyberplanner tool. Then educate employees and regularly update them on cyber security best practices like changing passwords often and using secure and complex configurations.


Ransomware

Cyber criminals infect your computers, mobile devices and networks with ransomware, a type of malware that locks out users until you pay for the release of the data or return of service.

Update systems

Avoid clicking on links or attachments from untrusted sources because they may contain malware, which infects your device to capture personal and financial information. Update your company’s computer and security software systems regularly with the latest malware and virus protections. Also, encrypt mobile device data and make sure people with access to your records and finances use only company-approved devices.

Back up data

Back up data often and consider storing your company data on multiple media types and at least one that’s off network. To keep that data protected, remember to secure and monitor your network to deter unauthorized access or theft.


Internet sales

Cyber criminals set up fake online businesses that claim to help you run your company more efficiently, such as by offering small business loans or products that can help your brand stand out on social media. They may also ask for payment via untraceable methods such as a wire transfer or gift card.

Do background checks

Verify that a company you work with is who it claims to be by doing your own background check (does it list partners or other businesses it has worked with that you can contact?) and confirm that it has a real physical address and phone number.

Get references

Before working with a new vendor or business partner, talk to peers in your industry to see if they’ve used the company. You can also check the Better Business Bureau’s scam tracker.


Fake invoices

Similar to a business email compromise, an unknown company sends an invoice that appears to be for something critical or from a regular vendor. What’s really happening is the criminal hopes you’ll be too worried or busy and that you—or your employee—will pay the invoice immediately.

Verify invoices before paying

Don’t blindly pay the invoice. Take the time to verify that services or items were actually ordered and fulfilled by the billing company. Also, consider limiting the number of employees with access to records and finances as much as possible, as well as requiring multiple users to initiate and approve transactions.

Look out for phishing attempts

As with other scams, remind your employees about email security best practices so that they don’t click any “Pay now” links in the email or download suspicious invoice attachments. Also, double check that the invoice is not a spoof, or impersonation, of a vendor, regardless of whether you’ve used that vendor before.


Overpayment of goods

Your company receives an overpayment for an item you’re selling, immediately followed by a request to deposit the check (which turns out to be a bad check) and then send them the difference via a wire transfer or gift card.

Consider the request

Be suspicious if a buyer departs from the normal way of paying for goods, for example by insisting on a wire transfer.

Assign financial responsibility

Just like with fake invoices, decide if more than one person should be required to approve financial transactions (segregation of duties is a key best practice for businesses of any size), and use a dedicated machine for processing payments. It’s also a good idea to require multiple-person approvals for account and financial change requests.

The material provided on this website is for informational use only and is not intended for financial, tax or investment advice. Bank of America and/or its affiliates, and Khan Academy, assume no liability for any loss or damage resulting from one’s reliance on the material provided. Please also note that such material is not updated regularly and that some of the information may not therefore be current. Consult with your own financial professional and tax advisor when making decisions regarding your financial situation.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.