
The 3 Scams Targeting Small Businesses Right Now (And How to Avoid Them)

Current scams that are hitting small businesses hard—and simple ways to protect yourself.

December 20, 2025 · 6 min read

Every week, I hear from another small business owner who got hit by a scam they'd never seen before.

The tactics are always evolving, but right now, there are three scams that are absolutely hammering small businesses. If you run a company, you need to know about these.

Scam #1: The Fake Vendor Invoice

How it works:

You receive an invoice that looks completely legitimate. It's for something your company actually uses—office supplies, software subscriptions, advertising services. The amount is reasonable. The formatting is professional.

But it's fake. The "vendor" doesn't exist, or they've impersonated a real vendor and changed the payment details to their own account.

Why it works:

Most businesses receive dozens of invoices. Nobody has time to scrutinize every single one. If it looks right and the amount isn't suspicious, it gets paid.

Scammers know this. They send invoices for $200-$500—amounts that don't trigger extra scrutiny but add up fast when sent to thousands of businesses.

Real example:

A marketing agency paid three months of "Google Ads" invoices before someone noticed they weren't from Google at all. The invoices were $487 each—just under the threshold where someone might look twice. Total loss: $1,461.

How to avoid it:

  • Maintain a list of approved vendors and their legitimate payment details
  • Verify any new vendor before making a first payment
  • If payment details change, confirm through a known phone number (not the one on the invoice)
  • Have a second person approve payments over a certain threshold
  • Train your accounts payable team to spot inconsistencies

Scam #2: The CEO Urgent Request

How it works:

An employee receives an urgent email that appears to come from the CEO, owner, or another executive. The message asks them to handle something quickly and discreetly—usually a wire transfer, gift card purchase, or sharing of sensitive information.

The email might say:

  • "I'm in a meeting and can't talk, but I need you to handle something urgently"
  • "Please keep this confidential—I'll explain later"
  • "Can you purchase some gift cards for client appreciation? Send me the codes."

Why it works:

Employees want to be helpful, especially when the request comes from leadership. The urgency and confidentiality requests prevent them from verifying through normal channels.

Real example:

A dental practice office manager bought $2,000 in Amazon gift cards after receiving an "urgent" email from what she thought was the practice owner. She scratched off the backs and sent photos of the codes. By the time the real owner found out, the cards were drained.

How to avoid it:

  • Establish a policy: unusual financial requests always require verification by phone
  • Train employees that legitimate executives will never ask them to keep requests secret
  • Create a culture where verifying requests from leadership is expected, not disrespectful
  • Use code words or verification procedures for large transactions
  • Be especially suspicious of any request involving gift cards—that's almost always a scam

Scam #3: The Compromised Supplier

How it works:

Your real vendor has their email compromised. Hackers monitor their communications, learn how they invoice you, and then send you a message saying "Our banking details have changed. Please update your records and send future payments to this new account."

Because it comes from a legitimate email address you've communicated with before, there's no obvious red flag.

Why it works:

You have an established relationship with this vendor. You've paid them before. The email is actually from their real email address (which has been hacked). Everything checks out—except the bank account belongs to the criminals.

Real example:

A construction company had worked with the same electrical contractor for years. When they received an email from the contractor's actual email address with new banking information, they updated their records. They made three more payments—totaling $34,000—before the real contractor called asking about overdue invoices.

How to avoid it:

  • Verify all banking changes by phone using a number you already have on file (not one from the email)
  • Call your contact directly, don't just reply to the email
  • Establish a policy that payment details can only be changed after verbal confirmation
  • Be suspicious of any request to change payment methods or destinations
  • Consider requiring signed authorization for any banking changes
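As an added example (not part of the original article), here is one way the approved-vendor list and bank-detail checks from Scam #1 and Scam #3 could be automated in an accounts-payable workflow. The vendor names, account numbers, phone numbers and the $1,000 threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed vendor master file (made-up names, accounts, phone numbers).
APPROVED_VENDORS = {
    "acme office supply": {"account": "111000025-0012345678", "phone": "555-0100"},
    "brightline electric": {"account": "222000111-0098765432", "phone": "555-0101"},
}
DUAL_APPROVAL_THRESHOLD = 1000.00  # assumed policy value, not from the article


@dataclass
class Invoice:
    vendor: str
    amount: float
    account: str  # bank details shown on the invoice or in the email


def _norm(account):
    """Compare accounts on letters and digits only, ignoring spacing and dashes."""
    return re.sub(r"[^0-9A-Za-z]", "", account).upper()


def screen_invoice(inv, vendors=APPROVED_VENDORS, threshold=DUAL_APPROVAL_THRESHOLD):
    """Return ("pay" | "hold", reasons). Any reason puts the invoice on hold."""
    reasons = []
    record = vendors.get(inv.vendor.strip().lower())
    if record is None:
        reasons.append("vendor not on approved list: verify before first payment")
    elif _norm(inv.account) != _norm(record["account"]):
        reasons.append("bank details differ from file: call " + record["phone"]
                       + " (number on file, not the one on the invoice)")
    if inv.amount >= threshold:
        reasons.append("at or over threshold: second approver required")
    return ("hold" if reasons else "pay"), reasons


if __name__ == "__main__":
    samples = [  # constructed invoices
        Invoice("Acme Office Supply", 212.40, "111000025 0012345678"),
        Invoice("Acme 0ffice Supply", 487.00, "999000333-0000000042"),
        Invoice("Brightline Electric", 11500.00, "333000222-0000000001"),
    ]
    for inv in samples:
        print(inv.vendor, inv.amount, *screen_invoice(inv))
```

The second sample is held even though it is well under the approval threshold, which is the case a threshold rule alone misses.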

The Common Thread

Notice what all three scams have in common:

They exploit trust. They take advantage of established relationships, authority figures, and routine processes.

They create urgency. They push you to act fast, before you have time to think or verify.

They look legitimate. The formatting is professional, the amounts are reasonable, the scenarios are plausible.

They target humans, not technology. Your spam filter won't catch these because they often come from legitimate (or nearly-legitimate) sources.

The Best Defense

The single best defense against all of these scams is a team that knows what to look for.

When your employees understand how scams work, they start asking the right questions:

  • "Why the urgency?"
  • "Can I verify this through another channel?"
  • "Is this request unusual in any way?"
  • "What happens if I take five minutes to confirm this?"

These questions are the difference between catching a scam and falling for one.

What To Do Right Now

  1. Share this article with your team. Awareness is the first step.
  2. Establish verification procedures. Any unusual financial request should require a phone call to a known number.
  3. Create a culture of caution. Make it clear that taking time to verify is always the right choice.
  4. Train regularly. Scams evolve constantly. One-time training isn't enough.

Stay ahead of the scammers

PrymoSec trains your team to recognize and avoid the latest scams. Our modules cover real scenarios your employees will actually encounter, with practical guidance they can use immediately.

New scams emerge constantly. Training helps your team spot them all.
