How do I protect my small business from scams?
Train staff to verify payment requests by phone before acting, implement dual-approval for wire transfers, and watch for invoice fraud and fake government compliance notices.
Last reviewed: 10 June 2026
Explanation
Small businesses are attractive targets because they move real money, often have thinner financial controls than large corporations, and staff may feel pressure to act quickly on payment instructions from someone claiming to be the owner. Business email compromise (BEC), where a scammer impersonates a CEO, finance director or trusted vendor and instructs an employee to wire funds, is consistently among the costliest fraud categories in the FBI's Internet Crime Complaint Center (IC3) reporting, and a small business has the least cushion to absorb a single large loss.
The single most effective control is a call-back rule: any wire transfer, change to a vendor's banking details, or unusual payment request must be confirmed by calling the requester on a number you already have on file, never one supplied in the email or by the caller. Make the call outbound yourself; an incoming call from "the CEO" proves nothing, because caller ID is trivially spoofed. This one step defeats the large majority of BEC attempts. Pair it with dual approval for transfers above a threshold you set from your normal cash flow, so that no single person can both initiate and release a large payment.
Fake invoice fraud is also common: scammers register lookalike domains (your-supplier.com vs. yoursupplier.com) and send invoices carrying their own bank details instead of the real vendor's. Lookalikes often differ from the genuine domain by a single glyph that is easy to misread, such as rn for m, the digit 1 for the letter l, or a Cyrillic letter for its Latin twin. Note that an attacker who has taken over the vendor's real mailbox can send from the genuine domain, so the domain check is only a first filter. Before adding a new payee or updating banking details, call the vendor's main number from your existing records, not from the email or invoice.
Other common small-business scams include fake directory listings and SEO services, phony government compliance notices demanding fees, and fraudulent supplier deals. Train every staff member who handles money or vendor relations on these patterns at least annually, and report incidents to the FTC at ReportFraud.ftc.gov.
Common red flags
- Email from the CEO asking for an urgent wire transfer, especially if they are "traveling" and cannot take a call
- Vendor updating their banking details by email without a prior phone confirmation
- Invoice for services your business never ordered
- Government-looking letter demanding an immediate compliance fee to avoid penalties
- New supplier offering unusually low prices requiring upfront full payment
- Caller claiming your business domain or listing is about to expire and demanding immediate payment
What to do now
- Implement a verbal-confirmation rule for all wire transfers and banking-detail changes
- Set dual-approval thresholds for payments in your accounting software
- Train all finance and admin staff on BEC and invoice fraud patterns
- Publish SPF, DKIM and DMARC records for your domain with an enforcing DMARC policy (p=reject) so forged mail using your own domain is blocked, and turn on multi-factor authentication for every mailbox, since many BEC attacks start from a compromised account
- Audit active vendors and flag any with recently changed bank details
- Report suspected scams to the FTC at ReportFraud.ftc.gov and BEC losses to the FBI's Internet Crime Complaint Center (ic3.gov); if money has already been sent, call your bank immediately and ask for a recall, since funds are often unrecoverable after the first day or two
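The SPF and DMARC records behind the email-authentication item above, as an added example that is not part of the original page: a weak and a corrected version of each record, plus a small Python checker that reads a record string and reports the settings that still let forged mail through. The record strings, the `example-provider.net` include and the `example.com` report address are constructed; on a live domain you would fetch the real records with `dig +short TXT yourdomain.com` and `dig +short TXT _dmarc.yourdomain.com` first.

```python
"""Spot SPF and DMARC settings that still let forged mail through.

Added example (not from the original page). The record strings are
constructed; on a real domain fetch them from DNS first, e.g.
dig +short TXT example.com / dig +short TXT _dmarc.example.com.
"""

# Weak versus corrected records (constructed). 'include:' names the mail
# provider's own SPF record; 'rua=' is where aggregate reports are sent.
SPF_WEAK = "v=spf1 include:mail.example-provider.net ~all"
SPF_FIXED = "v=spf1 include:mail.example-provider.net -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_FIXED = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"


def assess_spf(record: str) -> list:
    """Findings for an SPF TXT record; an empty list means nothing to fix."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell your mail from forgeries"]
    last = terms[-1].lower()
    if last.startswith("redirect="):
        return []  # the policy lives in the redirected domain's record
    if last in ("+all", "all"):  # bare 'all' defaults to the '+' qualifier
        return ["'+all' lets any host on the internet send as your domain"]
    if last == "~all":
        return ["'~all' only marks forged mail as suspicious; switch to '-all' "
                "once every legitimate sender is listed"]
    if last != "-all":
        return ["record does not end in '-all'; unlisted hosts get a neutral "
                "result instead of a failure"]
    return []


def assess_dmarc(record: str) -> list:
    """Findings for a DMARC TXT record; an empty list means nothing to fix."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: SPF and DKIM failures are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only reports; forged mail from your domain is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forgeries to spam; p=reject blocks them outright")
    elif policy != "reject":
        findings.append("missing or unknown p= policy; set p=reject")
    pct = tags.get("pct", "100")  # DMARC applies the policy to 100% by default
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who is sending as your domain")
    return findings


if __name__ == "__main__":
    for name, record, check in (("SPF weak", SPF_WEAK, assess_spf),
                                ("SPF fixed", SPF_FIXED, assess_spf),
                                ("DMARC weak", DMARC_WEAK, assess_dmarc),
                                ("DMARC fixed", DMARC_FIXED, assess_dmarc)):
        print(name, "->", check(record) or ["ok"])
```

DKIM cannot be judged from a string alone, because the signing key is published by your mail provider under a selector you have to know; confirm in the provider's admin console that signing is enabled. Move to p=reject only after reviewing the aggregate reports for a few weeks, so that a legitimate sender you forgot to list (an invoicing or CRM tool, for instance) is not blocked along with the forgeries.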
Frequently asked questions
What is business email compromise (BEC)?
BEC is when a scammer impersonates a company executive or trusted vendor via email and tricks an employee into wiring money or sharing sensitive data. The FBI considers it one of the costliest cybercrime categories globally.
How do I check if a vendor invoice is genuine?
Compare the sender email domain character-by-character against the domain you have on file, watching for swapped or substituted characters and for the real domain buried inside a longer one (yoursupplier.com.something.net). An exact match is still not proof, because the vendor's own mailbox may have been compromised. Call the vendor on a number from your existing records, never a phone number printed on the suspicious invoice, and confirm the payment details verbally.
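As an added worked example of the character-by-character comparison described here and in the invoice-fraud section above (not code from the original page), the following Python script checks an invoice sender's domain against the vendor domains you keep on file. It treats an exact match as on file, a subdomain of a known domain as probably legitimate, a known domain embedded in a longer one as a lookalike, and anything within two edits of a known domain after folding confusable characters (rn for m, the digit 1 for l, Cyrillic letters for their Latin twins) as a lookalike. The vendor list and the sample addresses are constructed for illustration; the script is a filter to run before the phone call, not a replacement for it.

```python
"""Flag invoice sender domains that impersonate vendors on file.

Added example (not from the original page). The vendor domains and the
sample sender addresses are constructed for illustration only.
"""
import unicodedata

# Domains of vendors you already pay, from your own records (constructed).
VENDORS_ON_FILE = {"yoursupplier.com", "acme-parts.net"}

# Characters that are easy to mistake for another character in common fonts.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
}


def sender_domain(address: str) -> str:
    """Lower-cased domain part of 'ap@x.com' or 'Name <ap@x.com>', with
    punycode (xn--) labels decoded to the Unicode a reader would see."""
    domain = address.strip().rstrip(">").rsplit("@", 1)[-1].rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode; nothing to decode


def fold(domain: str) -> str:
    """Collapse visually confusable spellings into one canonical form."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(address: str, vendors=VENDORS_ON_FILE, max_distance: int = 2):
    """Return (verdict, vendor domain the sender matches or resembles)."""
    domain = sender_domain(address)
    if domain in vendors:
        return "on-file", domain
    for vendor in vendors:
        if domain.endswith("." + vendor):
            return "subdomain-of-on-file", vendor
        if vendor in domain:  # e.g. yoursupplier.com.evil.net
            return "lookalike", vendor
    closest = min(vendors, key=lambda v: levenshtein(fold(domain), fold(v)))
    if levenshtein(fold(domain), fold(closest)) <= max_distance:
        return "lookalike", closest
    return "unknown", None


if __name__ == "__main__":
    for sample in ("accounts@yoursupplier.com", "billing@your-supplier.com",
                   "ap@yoursupp1ier.com", "ap@acrne-parts.net",
                   "ap@y\u043eursupplier.com", "info@totallydifferent.org"):
        print(f"{sample:32} -> {classify(sample)}")
```

Treat "lookalike" as a stop sign and "unknown" as a new vendor that needs the full onboarding call. The distance threshold of two is a judgement call: it catches single typos and one-character substitutions without turning every unrelated short domain into a false alarm.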
Do small businesses need cyber insurance?
Cyber insurance can cover losses from BEC and ransomware, but policies vary widely. Many require that minimum controls (multi-factor authentication, email filtering, staff training) are in place or claims may be denied. Consult a broker and read the exclusions carefully.