With the holiday shopping season in full swing, small business owners may be more focused on meeting the demands of patrons than on staying vigilant against potential fraud.
"The holidays can be busy for business owners, especially if they're involved in retail operations," said Mike McCauley, director of cyber threat management and response at BOK Financial®. "Scammers will take advantage of uncertain and difficult economic times by evolving their attempts to gain financially at your expense."
But as the holiday season heats up and business is booming, it's more important than ever for business owners to be aware of the potential risks of cybercrime. To combat risks such as ransomware and business email compromise (BEC), business leaders must continually update, refine and test their cybersecurity defense strategies.
Be on the lookout for these scams targeting small businesses:
Small business grants as phishbait
In this scam, cybercriminals posing as the U.S. Small Business Administration (SBA) hand out grant applications that claim to offer funds for COVID-19 relief.
"In this scenario, many small businesses that legitimately applied for relief may be fooled into thinking they're eligible for additional coverage, but that has ended," said McCauley.
Scammers send business owners a link to a Google form that asks the user to submit personal and financial information to see if they qualify, which gives the criminals access to accounts and even a person's Social Security number and driver's license information.
How to spot the fake: Keep an eye out for typos and grammatical errors in the email text, as well as the absence of key elements of a legitimate Google form (including the "Report Abuse" button and a message under the "Submit" button that says, "Never submit passwords through Google Forms").
Ongoing email scams
Business email compromise—or BEC—continues to plague businesses large and small. This tactic might ramp up during the holiday season.
"We continue to see instances of BECs internally and externally as phishing scams get more sophisticated in nature," said McCauley.
In a BEC scam, criminals send an email that appears to be from a legitimate source making a request, such as a vendor requesting an account number change or a CEO asking for a batch of gift cards to be purchased and the serial numbers sent. Criminals are successful when an employee mistakes these emails for legitimate requests, often compromising account information, personally identifiable information, and other data.
How to spot the fake: Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
Ways to protect your business
While fraud attempts are happening every day, there are ways to protect yourself and your business from becoming a victim. Here are some tips:
- Create a fraud prevention policy that is regularly reviewed internally and is also part of ongoing training for your staff.
- Be wary of any site that asks you to share personal or account information with a third party.
- Don't click on suspicious links in an email, on a website or on social media.
- Set up two-factor authentication that protects your login information and requires you to sign in using two different methods.
- Check payment or purchase requests using established contact information that can be verified. Ensure this is a standard practice for anyone working at the organization.
- Ensure your business accounts are regularly monitored for any fraudulent transfers or payments to unknown sources.
- Remain vigilant around peak shopping seasons, including the holidays.
Whether you're new to the small business world or have an established presence, it's important to remain vigilant throughout the year and especially throughout the holiday season. Follow the Federal Trade Commission resources for more details about small business scams.
Learn more about BOK Financial's online security or call 844-517-3308 to report suspicious activity on BOK Financial-related accounts. The Cybersecurity and Infrastructure Security Agency also keeps an up-to-date list of current threats.