Discerning between what is and isn’t a scam is getting harder and harder, as cybercriminals refine their tactics and leverage AI. Cybersecurity tools and methods will only get you so far; you also need to know when you’re being scammed and when something is legitimate.
To protect your business, let’s look at ways scammers try to trick you and get access to your information and accounts.
Phishing Vs Spear Phishing
When encountering cyber scams, you will hear a lot about phishing or spear phishing. These terms are used to specify the scope of a cybercrime, whether it is a broad opportunistic attack or targeted against a specific individual.
Phishing scams
A phishing scam is a trap set by cybercriminals with no specific target in mind. Scammers cast a ‘wide net’ to lure a large group of people, and the approach isn’t particularly sophisticated. While it has a lower success rate, phishing is often employed by cybercriminals because of the large number of people it reaches. For scammers, phishing is a numbers game: the more people they target, the bigger the pool of unsuspecting victims they’ll capture. It only takes one misclick to succeed.
Phishing characteristics:
- Goal: Target a large, unspecified group of people to increase the odds of success
- Method: Use a range of messaging platforms (email, phone, SMS, social media) and impersonate a legitimate source (government agencies and businesses)
- Success rates: Low, but with a large number of targets a significant number of people can still fall victim.
Spear phishing scams
Spear phishing attacks are tactics used to target a specific individual or organisation. These scams are more sophisticated in approach since the scammer, in most cases, has researched their target.
Spear phishing characteristics:
- Goal: Target a specific individual or business/organisation
- Method: Scammers typically use multiple forms of communication to impersonate a supplier or coworker, gaining further access to a company or requesting money.
- Success rates: Higher, because the target is known and the scammer’s information about them is more detailed.
Social engineering
Scammers use psychological manipulation to deceive people into falling for their scams. This is what social engineering is in cybercrime: creating a sense of urgency or pressure to coerce a victim into complying. For instance, a common phishing scam on WhatsApp is the ‘Hi Mum’ trick, where scammers impersonate the recipient’s child, pretending to have broken their phone to solicit money.
By exploiting the fears of their victims, scammers increase their chances of success. To reduce your chances of falling victim to manipulation, do the following:
- Stop and think about the message you have received that is pressuring you to do something, and
- Look into their claims. You’ll find their ploy falls apart with simple research.
Scams aimed at businesses
Since 2020, Aussie small businesses have lost approximately $10 million per year to cyber scams, with an estimated $4,443 cost per loss reported in 2024. These losses add up, and a single scam can seriously cripple a business. For instance, in 2024, 50 investment scams were reported to ScamWatch, resulting in a combined total of $3,714,097 in losses. This reinforces the need to be aware of which scams are used against businesses.
Investment scams
Investment scams are by far the most costly, as cybercriminals entice their victims with the promise of recouping their money and more by simply investing more. Scammers either advertise (phishing) or contact you while impersonating a friend or business (spear phishing), and promise great returns with convincing marketing about a new technology or opportunity.
Investment scams red flags:
- Fake news and ads claiming legitimacy by a well-known figure
- Online contact you have never met reaches out about investment opportunities
- Over-the-top testimonials sent via email, text or advertised
- Social engineering pressure: “Don’t miss out”, “once in a lifetime”, and “You can’t pass this up”.
- ‘Advisers’ that claim they don’t need an Australian financial services licence (AFS) to sell you the investment
- You are pressured to increase your investment through collecting money from family and friends
Common investment scams involve Ponzi schemes, online dating scams, superannuation scams and, more recently, crypto scams. To spot or avoid them, remember that these offers are too good to be true and that Australia has stringent regulations around investment advice. Research the legitimacy of any offer before acting on it. When in doubt, MoneySmart is a financial education agency in Australia that helps businesses spot scams. If the company being sold to you is on their list, it’s a scam.
False billing
False billing is another scam that targets many small businesses, as the scam is designed to catch a billing or invoice department off guard. Scammers pose as buyers or sellers, using fake websites or impersonating a supplier, and ask for payment for a bogus invoice or for an item that is too good to be true. These scams often work because of the nature of paying invoices and how we have automated the process. We assume that the bill we received is legitimate until we take a moment to think.
False billing red flags:
- Getting an invoice for goods and services you haven’t ordered or bought
- No terms and conditions, ABN, and or privacy policy on their website
- A ‘buyer’ overpays and requests a refund of the difference, after which the original payment bounces because it was made with fake credentials
- Payment details don’t match the business or person you’re talking to
- Requesting payment via PayIDs, pre-loaded cards or several different accounts
False billing scams are common because they are effective. To avoid them, be diligent when running your accounts payable, billing and invoicing. For instance, cybercriminals can ‘intercept’ invoices from companies, take the details and change them, and then send the altered invoice on to the original destination to scam payment. No one is the wiser until the invoicing company notices that no payment has been made.
Make sure to check ABNs, be wary of new social media stores with very low prices, double-check payment details, and research the ‘businesses’ you are buying from. To verify the legitimacy of a website, scan its URL for red flags and assess its credibility. You can do this on sites like ICANN’s domain registration lookup. If the domain isn’t registered, the business isn’t legitimate.
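As an added example (not from the original article), here is a small Python check that applies the false-billing red flags above to incoming invoice records against a vendor master file. The ABN checksum rule (weighted digit sum, first digit reduced by one, divisible by 89) is the real ABN format rule; the vendor records, sample invoices and flag names are constructed for illustration, and a passing checksum only shows the number is well-formed, not that it belongs to the sender.

```python
import re

# Constructed vendor master: payment details previously verified out-of-band
# (for example by phoning the supplier on a number you already hold). Made-up values.
VENDOR_MASTER = {
    "33001298700": {"name": "Acme Stationery Pty Ltd", "bsb": "062-000", "account": "12345678"},
}

PRESSURE_WORDS = ("urgent", "immediately", "today", "final notice")


def abn_checksum_ok(abn: str) -> bool:
    """True if the 11-digit ABN passes the official checksum (weights applied to the
    digits, first digit reduced by one, total divisible by 89)."""
    digits = re.sub(r"\D", "", abn or "")
    if len(digits) != 11:
        return False
    weights = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(w * n for w, n in zip(weights, nums)) % 89 == 0


def invoice_red_flags(invoice: dict) -> list[str]:
    """Return the false-billing red flags an invoice record triggers (empty list = clean)."""
    flags = []
    abn = re.sub(r"\D", "", invoice.get("abn") or "")
    if not abn_checksum_ok(abn):
        flags.append("abn_missing_or_malformed")
    vendor = VENDOR_MASTER.get(abn)
    if vendor is None:
        flags.append("unknown_vendor")
    # The 'intercepted invoice' case: known supplier, but bank details were swapped.
    elif (invoice.get("bsb"), invoice.get("account")) != (vendor["bsb"], vendor["account"]):
        flags.append("payment_details_differ_from_vendor_master")
    if invoice.get("pay_via") in {"payid", "prepaid_card"}:
        flags.append("unusual_payment_method")
    if not invoice.get("po_number"):          # goods you never ordered
        flags.append("no_matching_purchase_order")
    note = (invoice.get("note") or "").lower()
    if any(word in note for word in PRESSURE_WORDS):  # social-engineering pressure
        flags.append("urgency_pressure")
    return flags


# Constructed samples: a genuine invoice and the same invoice after interception.
GENUINE_INVOICE = {"abn": "33 001 298 700", "bsb": "062-000", "account": "12345678",
                   "po_number": "PO-1042", "pay_via": "bank", "note": ""}
ALTERED_INVOICE = {"abn": "33 001 298 700", "bsb": "013-999", "account": "87654321",
                   "po_number": "PO-1042", "pay_via": "bank", "note": "URGENT: new account, pay today"}
```

Any non-empty result should route the invoice to a human who confirms the details with the supplier on a known phone number, never via contact details printed on the invoice itself.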
Protecting your small business from cyber scams
To protect your business from scams, you need to know how to spot one. By educating yourself on the latest cyber grifts on MoneySmart and ScamWatch, you’ll have the tools to know when something isn’t right. With knowledge about the red flags for scams and effective cybersecurity measures, your personal and business information, as well as your accounts, will be all the safer.