FTC Advice for Small Businesses

The Federal Trade Commission (FTC) is sharing advice for small businesses on how to avoid scams. Below are a few of their most common scams and how to thwart them.

  • Fake invoices
  • Directory listing or advertising
  • Tech support scams
  • Fake checks with overpayment
  • Social engineering and phishing

One surefire way to beat the scammers at their game? Define procedures on how to handle these situations and train your employees on them.

Protecting your business from scams

Fake invoices

Before paying ANY invoice, confirm the invoice is for goods or services that were actually ordered. Before changing payment information for a vendor, call the vendor’s point of contact (POC) using a previously established contact method to confirm the request.

The City of El Paso fell for a scam like this in 2016. While many of the details were not publicized, it seems a scammer impersonating a vendor requested the bank routing information for payment be changed. Two payments were made for $300,000 and $2,900,000.

Trusting an email request without verification could lead to being defrauded. Email can be faked and hacked, which is why it is critical to use an established contact method other than email.

Directory listing or advertising scam and other “free” offers

Offers to be listed in a directory (even for free) that arrive by phone, mail, email, or fax, should be scrutinized before consenting or sharing information.

The FTC website notes that sometimes scammers will call to offer a free listing and confirm publicly available information like the business address. Then they’ll send a bill for the listing and claim you agreed by phone, even producing the recording of that call as “proof.”

In communications (e.g. phone, email), make it clear that you aren’t agreeing to be listed. Ask for a written request and then research the listing/advertising medium and company.

Tech support scams

Let your employees know whom to contact should they see any messages about computer problems, including virus/malware notifications. Scammers create pop-ups that manufacture urgency: “Call this number within five minutes or your files will be erased.” REAL virus or malware notifications should be handled by your tech support team (whether onsite or off) anyway, and this process keeps users from interacting with scammers who claim to be certified technicians but really just want access to your wallet and your computer.

Fake checks with overpayment

If a customer overpays using a check and asks you to send them the difference, treat the request as a giant red flag, no matter the reason given. The FTC warns that even after the check clears and funds are deposited, the bank may later find that the check is bad and reverse the deposit. Implement (and enforce!) a payment policy that the check amount must match the amount owed and that payments made in excess will not be accepted.

Social engineering and phishing

Recognize that scammers will send you and your employees online messages (through email, LinkedIn, and any other platform where they can reach you). These online messages could be attempts to steal employee passwords, download malware to gain access to computers, or even send sensitive information like W-2s.

Last year, Russian hackers posted a seemingly innocuous link on Twitter to a family-friendly vacation package and a Pentagon official clicked on it, compromising the account and network. Over 10,000 Department of Defense employees were also specifically targeted by Russian hackers in 2017 via social media.

To protect accounts, enable a second login step wherever possible. This option can often be found near your password setting and requires a phone application or physical token. The easiest option may be an app like Google Authenticator.

To protect against malware, have an anti-malware or antivirus application on all network computers. Also, train your employees to confirm the sender address (not just the name!) and to be wary of unexpected messages with attachments, links, or downloads (like fonts and plug-ins).
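The “check the sender address, not just the name” advice can also be automated as a first-pass filter. The following is an added example, not code from the FTC or from the original post; the vendor domains and sample headers are constructed, and the similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed for this example: domains of vendors the business already pays (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "cityprint.example"}

# Words a scammer would put in the display name to impersonate those vendors.
VENDOR_NAMES = {d.split(".")[0].replace("-", " ") for d in KNOWN_VENDOR_DOMAINS}


def check_sender(from_header: str) -> set[str]:
    """Return a set of warning codes for a From: header; an empty set means nothing looked off."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"unparsable-address"}
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    norm_name = name.lower().replace("-", " ")
    warnings = set()

    # 1. The display name is itself an address, but not the one the mail really comes from.
    if "@" in name and name.strip().lower() != addr:
        warnings.add("display-name-mismatch")

    # 2. The real domain is a near-copy of a vendor domain (e.g. one character swapped).
    #    0.85 is an assumed threshold; tune it against your own vendor list.
    for known in KNOWN_VENDOR_DOMAINS:
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= 0.85:
            warnings.add("lookalike-domain")

    # 3. The display name claims to be a known vendor, but the address is from elsewhere.
    if domain not in KNOWN_VENDOR_DOMAINS and any(v in norm_name for v in VENDOR_NAMES):
        warnings.add("vendor-name-unknown-domain")

    return warnings


if __name__ == "__main__":
    # Constructed sample From: headers, one legitimate and three suspicious.
    samples = [
        '"Acme Supplies Billing" <billing@acme-supplies.example>',
        '"billing@acme-supplies.example" <x9k2@freemail.example>',
        '"Acme Supplies" <billing@acme-supp1ies.example>',
        "Random Person <rp@other.example>",
    ]
    for hdr in samples:
        print(hdr, "->", sorted(check_sender(hdr)) or "ok")
```

A filter like this only catches the crude cases; the verification step through a previously established channel is still the control that matters.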

To protect against disclosing sensitive information, implement a policy that any request for valuable or sensitive information is verified with the requester through a previously established channel (such as a phone call to a known number) and, where possible, cleared with a second individual in the business.

Train your employees

The FTC recommends that you train your employees. No surprise that we recommend this, too! Educating your employees on common scams and tactics used, and providing them the procedures to handle the situation, will help your organization stay ahead of the scammers. Keep in mind that online scams are expanding and changing all the time. That’s why we recommend bite-sized security awareness training that can be tailored to your organization and include current threats.
