Date: 2022-04-22

You’ve seen the schemes before: a phony email offering a deal on office supplies, an invoice impersonating a business-to-business partner, or a fake notification to an up-and-coming small business that they’ve won an obscure award.
While the consistent attacks are recognizable to some, in 2022 scammers are exploiting small businesses in a novel way — leveraging struggles related to the pandemic, said Adah Rodriguez, vice president of development and operations for the Better Business Bureau of Southern Colorado.
Scammers now weaponize inflation, supply chain issues and reliance on remote work, and it’s important for companies to refamiliarize themselves with new iterations of the attacks, she said.
Perhaps a company has been waiting on a backordered office item for weeks, as a result of overseas shipping delays, and receives a “too good to be true” quote on supplies from an unknown vendor.
Or a small business has been grinding all year to come back from the COVID shutdowns, and is notified it’s being recognized with an award — when really, a scammer is milking sensitive information and several hundred dollars out of an excited manager.
“Especially now, as small businesses are digging themselves out for the last couple of years, and there’s maybe more competition and more of this challenge to strive, they may be more vulnerable” to this type of so-called “vanity scam,” Rodriguez told the Business Journal.
Springs-based cybersecurity consultant Terry Bradley says the most common phishing attacks he’s seeing lately are emails impersonating a company’s cloud-based software, which prompt recipients to follow a link to a fake login page for Microsoft Office 365, Google or another service.
The recipient is asked to enter their username and password on the fake login page — and voila, a scammer has access to the victim’s work documents, emails, calendar and other company files.
At first glance, a fake email from Microsoft Office 365, as pictured, can look legitimate. This was sent to one of Bradley’s clients at Mile High Cyber, the cybersecurity consulting firm for which he is co-founder and president.
“It’s certainly more sophisticated than people are expecting,” Bradley said. “These criminals do this all the time — and they spend all day every day practicing and getting better at what they do.”
But Bradley pointed out key red flags in the email that give the scam away, like an abnormal reply-to email address and domain name for the login page.
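The two red flags Bradley describes can also be checked automatically at the mail gateway or in a reporting tool. The sketch below is an added example, not part of the original article or any tool it mentions; the allow-list, the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the sign-in hosts this organization really uses (illustrative allow-list).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Constructed sample messages, not taken from the article.
SAMPLE_PHISH = (
    "From: Microsoft 365 <no-reply@microsoft.com>\n"
    "Reply-To: helpdesk@mail-support.example\n"
    "Subject: Password expires today\n"
    "\n"
    "Sign in to keep your password:\n"
    "https://login.microsoftonline.com.office365-login.example/signin\n"
)
SAMPLE_CLEAN = (
    "From: IT <it@contoso.example>\n"
    "Subject: Reminder\n"
    "\n"
    "Review your account at https://login.microsoftonline.com/\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def red_flags(raw_message):
    """Return a list of red flags (reply-to mismatch, unknown link host)."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")
    # Exact host match, so a trusted name used as a prefix of another domain still fails.
    for url in re.findall(r'https?://[^\s"\'<>]+', body):
        host = (urlsplit(url).hostname or "").lower()
        if host not in TRUSTED_LOGIN_HOSTS:
            flags.append(f"Link host {host} is not a known login host")
    return flags
```

In practice the allow-list would also need the organization's other legitimate link hosts, since this version flags every link that is not a known sign-in page.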
Businesses should also refamiliarize themselves with attempts by impersonators of Internal Revenue Service officials and tax preparers to obtain financial information, after this week’s federal filing deadline.
Marjorie Noleen, marketing and growth director for accounting firm Stockman Kast Ryan + Co., said tax partners at the company haven’t spotted any new tax-related scams, but warned of phone calls from impersonators, which tend to spike this time of year. The IRS posted a reminder on its website that its officials will not contact taxpayers via email, text message or social media, or call to demand an immediate payment.
Bradley said companywide education about the latest scams — which are “constantly being updated and repackaged” — is the most important step businesses can take to protect themselves.
Trainings should be held annually, he said, and include every employee. Anybody with a company computer and account could wind up letting criminals onto a secure network, and with work-from-home arrangements now a norm, employees’ phones and other personal devices could be exploited, too.
“As an employee with a computer account and a laptop or a desktop computer, you can hold the keys to the kingdom for your organization,” Bradley said. “The employees are oftentimes the weakest link.”
Rodriguez encouraged heads of small businesses to read a refresher on the top 10 scams targeting them, outlined in an April 12 news release from the BBB. The list, and more tips for how to avoid scams, can be found at bbb.org/us/news.
Businesses are also asked to report scams to the BBB Scam Tracker, at bbb.org/scamtracker, or the FBI’s Internet Crime Complaint Center at ic3.gov.