Protect your business
Here are some of the most common scams used against businesses in Canada and some tips about what to look for and how to protect your business.
Business grants and loans scam
How it works
You are searching online for small and medium-sized business financing, and you find a website for what claims to be a government department helping small businesses access grants and loans. The site says that, for a fee, you will get "special access" to government funding programs—it may even imply that funding is guaranteed. The website might be designed to mimic that of a government department, right down to the use of the Canadian flag identifier or other official government logos and wordmarks.
Buying into this kind of offering is a sure way to lose your money.
How to spot it
There are three main points to keep in mind when looking for a business grant or loan. The first thing to remember is that government departments or agencies do not charge for services and information to help you apply for government grants and loans. Secondly, no one can ever guarantee that your business will receive such funding. Third, no private sector companies are involved in the process of approving government applications for business financing.
Protect your business
Be skeptical, and never allow yourself to feel pressured to commit.
Closely examine the website and any related advertisements and take the time to research the source before subscribing to any newsletters, sending money, or providing any credit card or bank account details. Also, visit the website of the government department by going there directly (not via an email link).
Call 1-800 O Canada (1-800-622-6232) for general information on Government of Canada programs and services.
Directory scam
How it works
You’re contacted by a seemingly legitimate business directory supplier wanting to confirm your address and contact information. The caller may imply that your company has purchased the listing in the past for an ad in a magazine, journal, business directory, or an online directory listing. They say that the call is simply to update your company contact information. Simple. You confirm. This is called the “Assumed Sale” technique.
Then you receive a second call to "confirm" that you have agreed to purchase the directory listing and, a few weeks later, you receive an invoice for several hundred dollars for online advertising you never agreed to. The online directory is of little or no commercial value, isn't searchable, and offers nothing more than the results of a standard web search.
When you call to dispute the charge, they say they have a recording of you agreeing to the services. If they play you the recording, you can tell that they have edited your words from one of their real calls to suit their purposes. They threaten to send your file to a collection agency. If you don't pay, you receive aggressive collections calls during which the callers threaten you, saying that your company's credit rating will be affected.
How to spot it
If your business really does have a history with a supplier, then the supplier will be able to provide the address they have on file, along with other proof of a previous purchase. Also, even if things get so far as the scammer sending you an invoice or contract, it is important to remember that because they are neither a legitimate source nor your usual supplier, they have no actual grounds to report your business to a credit bureau.
A twist on the directory scam is a notice sent to your business, usually by email, asking you to confirm company information. At the bottom of the page is a signature line followed by fine print that often gets ignored, stating that by signing the notice you have agreed to purchase a two-year directory listing for a fee like $1,500 per year. Such notices often use symbols or logos that resemble those of familiar legitimate directory companies, such as the "walking fingers" logo used by the Yellow Pages.
Protect your business
Before providing any information to a third party trying to get a commitment for a directory listing, always check their legitimacy by taking a few simple steps:
Don't rush to agree to a listing.
Hang up and call your usual contact to confirm that the request is real.
Confirm that the caller is an actual supplier by asking for their company contact information.
Ask to see the service contract or purchase request.
Carefully review any invoices.
Verify logos to make sure they are real. For example, if a logo looks like the Yellow Pages symbol, refer to the Yellow Pages website to confirm their actual logo—are the “walking fingers” walking in the correct direction?
Check with colleagues to confirm whether an order was indeed placed and verified.
Check the Better Business Bureau website to help determine whether you should engage the company.
If the caller claims that they’ll report you to a credit bureau, ask which credit bureaus they belong to and then confirm what they tell you.
If you receive an unsolicited offer from a company wanting to sell you services:
be skeptical
never feel pressured to commit right away
ask for the company’s contact information, then research both the company and the person who contacted you
ask for a written contract and thoroughly inspect it, along with any invoices, before making a payment
If you are threatened verbally or in writing, call your local police and the Canadian Anti-Fraud Centre.
Office supply scam
How it works
In a typical office supply scam scenario, you or your buyers receive an email or a call from someone who creates the impression of being your regular provider of specific office supplies. The scammer might imply there is a government requirement for you to replace an "expired product," that the government has contracted them to supply that product, and that you could face a fine if you don't comply with the requirement. The hope seems to be that they will catch a new or lower-level employee who isn't aware of how things work, or they may use "spoofed" emails that look like they originated from your usual supplier.
Another type of office supply scam is when a training company convinces you to sign up for specialized training for employees, citing government regulations requiring the training. The scammer may not actually provide the training after being paid to do so, or they may provide inferior training that isn't properly authorized but, either way, your business is on the hook for the cost.
When you refuse to pay the invoice, you get aggressive calls threatening to report you to credit bureaus and local business associations to damage the reputation of your business.
How to spot it
Office supply fraudsters ask you to verify information such as your company address, banking details, the person to be invoiced, or other information associated with ordering supplies. In the case of emails, they might go so far as to provide you with new banking details and request that future payments for supplies be made to this "new" account. They might also ask for seemingly irrelevant information like the number of employees in the organization. These inquiries are designed to trick you into giving up key information so they can fine-tune the trap.
Sophisticated fraudsters will later follow up to gather even more information or try to mislead your colleagues into believing that you or a manager agreed to place an order and that everything is already settled; they only need payment.
Protect your business
Ensure that employees in your business are trained to recognize and report office supply scams.
Educate yourself, your employees and your coworkers to be cautious of unsolicited calls:
create a list of companies that are typically used by your business
limit the number of staff who can approve purchases and pay bills
clearly define procedures for verification, payment and management of accounts and invoices
contact your province’s regulator to know your legal obligations
Before providing any information to a third party:
don't rush to agree to anything
get in touch with your usual supplier contact to confirm that the call or email is legitimate
ask for the caller's business contact information and confirm that the caller represents an actual supplier
Before making any payment:
ask to see the service contract or purchase request
check with colleagues to confirm that an order was indeed placed and verified
inspect invoices carefully before making any payments as fraudsters will use company names or logos similar to those of known businesses to make their invoices seem real
If you receive supplies that you didn't order:
know that it is not your responsibility to return the product; the sender can pay for return shipping if they wish
send a certified or registered letter to the sender requesting proof of the order
if they can produce proof, follow your company's established procedures for receiving and paying for ordered goods
if they can't produce proof that the goods were ordered, indicate that you will be keeping the supplies as a gift
If you receive supplies that you ordered but they are of inferior quality or overpriced:
inspect the supplies and reject those that don't conform to the contract, are overpriced, or have defects
send a certified or registered letter to the sender to notify them that their supplies don't conform and they have a month to retrieve them or you'll dispose of the products and will not accept any subsequent orders
If you receive threatening collection calls or letters from a lawyer or law office about payment, check with the provincial law society to verify whether it is from a legitimate lawyer or law office.
If you are threatened, call your local police and the Canadian Anti-Fraud Centre.
Contact the government authority directly to check your legal obligations. Calling 1 800 O-Canada (1-800-622-6232) or going to your provincial government's information line will get you to the right place.
Phishing, spear phishing, whaling, vishing, smishing
Definitions
Spear phishing is when fraudsters are looking for one specific piece of information.
Whaling occurs when fraudsters try to catch big targets through a malicious phishing attack aimed at high-ranking bankers, executives or others in powerful positions or job titles in the organization to siphon off money or access sensitive information.
Vishing refers to phishing by voice over the phone or VoIP.
Smishing refers to phishing conducted using text messaging, also known as SMS (Short Message Service).
How it works
All of the terms related to this group of scams refer to the same broad practice in which someone tries to trick you into giving up sensitive business information, such as credit card numbers, bank account numbers, and passwords.
In a typical phishing scam, you are contacted via email, social media, telephone, or text. The scammer masquerades as a financial institution, a service provider, a client, a supplier, a prospective business partner, or even a government organization.
How to spot it
There are several subtle but consistent ways to spot a “phishing expedition”. In the following example, scammers are trying to mimic your bank’s email address using the services of a fictitious email service provider, “yourbankltd.ca”.
From: loandept@yourbankltd.co
The catch: Did you notice that it comes from a ".co" rather than ".ca"? Or this one…
From: rnoneywise@yourbankltd.ca
The catch: Can you see that the first "m" is actually an "r" and an "n" stuck together? Or this one…
From: yourbank@yourbankltd.ca
The catch: Hover your mouse over the hyperlink and you will see that it actually links to yourbank@thisisascam.ca. This is a clever way to mask the actual sender.
Be vigilant!
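The three "From:" checks above can be run automatically on incoming mail before anyone reads it. This is an added example, not part of the original page: the known-sender list, the look-alike table, the function names and the sample messages are all constructed for illustration, and it goes one step further than the text by applying the same comparison to links in the message body.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: addresses your business really corresponds with (constructed list).
KNOWN_SENDERS = {"loandept@yourbankltd.ca", "moneywise@yourbankltd.ca",
                 "yourbank@yourbankltd.ca"}
KNOWN_DOMAINS = {a.rpartition("@")[2] for a in KNOWN_SENDERS}
# Sequences that render like another letter, e.g. "rn" reads as "m".
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def skeleton(text):
    """Collapse look-alike sequences so visually similar strings compare equal."""
    text = text.lower()
    for fake, real in LOOKALIKES:
        text = text.replace(fake, real)
    return text

def check_sender(from_header):
    """Return warnings for one From: header value (empty list: nothing found)."""
    shown, addr = (part.lower() for part in parseaddr(from_header))
    domain = addr.rpartition("@")[2]
    warnings = []
    # Mail clients often show only the display name, which can carry a fake address.
    if "@" in shown and shown.rpartition("@")[2] != domain:
        warnings.append(f"display name shows {shown} but mail is from {addr}")
    if addr in KNOWN_SENDERS:
        return warnings
    for known in sorted(KNOWN_SENDERS):
        if skeleton(addr) == skeleton(known):
            warnings.append(f"look-alike characters imitate {known}")
    for good in sorted(KNOWN_DOMAINS):
        if domain != good and domain.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
            warnings.append(f"{domain} imitates {good} with a different ending")
    return warnings or ["sender is not on the known-sender list"]

def link_host(target):
    """Host a link really leads to: URL hostname, or the domain of a mailto: address."""
    parts = urlsplit(target.strip().lower())
    if parts.scheme == "mailto":
        return parts.path.rpartition("@")[2]
    return parts.hostname or ""

def masked_links(html):
    """Return (visible_text, real_host) for links whose text names a different host."""
    hits = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip().lower()
        named = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text)
        real = link_host(href)
        if not (named and real):
            continue  # text such as "click here" names no host to compare against
        host = re.sub(r"^www\.", "", named.group(0))
        if real != host and not real.endswith("." + host):
            hits.append((text, real))
    return hits

# Constructed samples modelled on the three "From:" lines above.
SAMPLE_HEADERS = ["loandept@yourbankltd.co", "rnoneywise@yourbankltd.ca",
                  '"yourbank@yourbankltd.ca" <yourbank@thisisascam.ca>']
SAMPLE_HTML = '<a href="mailto:yourbank@thisisascam.ca">yourbank@yourbankltd.ca</a>'

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", check_sender(header))
    print(masked_links(SAMPLE_HTML))
```

A clean result only means none of these particular tricks was found; requests for money or credentials still need to be confirmed through a contact you already trust.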
Test your flair for detecting fraudulent emails
Most people are familiar enough with spam that they treat most incoming emails and various websites with some degree of suspicion. But take a look at these examples:
Example 1:
To: "undisclosed recipient"
Date: January 22, 2019
Re: Special offer — ACT NOW!!!
Dear Pat Quick,
Account number: 070004623
What if I told you that you can get 35% off toner? Take advantage now of our special offer!
Download our order form and remit it ASAP by email to ensure rapid delivery.
Please note: You will need to provide us with your name, shipping address, and credit card number (with expiry date) and we will send you your toner.
Order now! Supplies are limited.
Yours truly,
Edward Mitchum
Business Solution Depot
Let's consider:
Is it legitimate? Be careful because there are signs that suggest it is a scam:
They want your coordinates and credit card number, but what are they promising in return?
There are more details here about what you need to provide than about what they are providing you.
There are few details here on what product is being offered and whether or not this company even offers toner made for your office equipment.
The toner is being offered at a rebate, but what is the price? A 35% reduction sounds like a good deal, but 35% off what amount? Be sure to find out before you order.
Many scams have a very professional appearance and are well presented; however, this does not mean that all scams are slick—the spelling and grammatical errors are a tipoff that this message might not be from a credible and legitimate company.
Example 2:
To: "undisclosed recipients"
Date: Nov. 10, 2018
Re: Letter of intent
Hello,
I am a Civil Lawyer. I have a Client that has Interest in Investing in Your Company, can You be of Assistance?
I shall give Details when you reply.
Yours Faithfully,
Barr. Joel Kazeel.
Cell Phone: 2348272783469
Telephone: 23418879801
Consider: Is it legitimate? This email has many features that suggest it is not:
The email is not personally addressed to you, it is sent to "Undisclosed recipients," which suggests it has likely been sent to hundreds of recipients—not just you.
There are spelling, grammar, and punctuation errors, all of which are common in scam emails.
The contact number is an international phone number, which is common in scams originating from other countries.
The email is short on details: How did this person get your name? What do they know about your business? Why did they not call you first?
Look at these types of messages with a skeptical eye.
Protect your business
Always be wary of unsolicited emails, text messages, or phone calls from individuals or organizations prompting you to click on an attachment or link to provide information. The link will lead to a website that looks legitimate, like your banking login page, but that is actually only an extremely convincing imitation designed to trick you into entering your confidential information.
Take the following steps to protect your business from these types of scams:
Check embedded links in emails by hovering your mouse over the link to verify the address.
Do not take for granted that website addresses starting with "https" (where "s" used to mean "secure") are safe—scammers have learned and are now using these types of assumptions to lure unsuspecting victims.
Do not click on any email attachments; attachments can contain malicious software (commonly referred to as malware).
Do not share attachments unless you created them or you know the sender and know the attachments are safe.
Do not reply to suspicious emails—your reply confirms to the spammer that your email address is functional, marking it a potential target.
CEO scam
How it works
The CEO scam (also known as the "business email compromise") is a type of spear phishing in which the fraudster impersonates your company's CEO or other senior employee using a legitimate-looking email. They may have lifted email addresses from your company's website or hacked into your business email system to get information about key employees, clients, suppliers, and bank accounts.
The fake CEO scam depends on a form of psychological manipulation called "social engineering" to get around the regular control procedures within a company, taking advantage of normal human tendencies and feelings. With this approach, when the scammer connects with a company representative, their first goal is to make the individual feel the need to:
return a favour
honour a prior commitment
do what others are doing
obey an authority figure
want something because it is hard to find, or
trust someone because they seem likable.
How to spot it
There are many different scripts that scammers might use to carry out a fake CEO scam. For example, pretending to be the CEO they might direct an employee in accounting to make a money transfer. Or they might say that a contract is in danger if a supplier isn't paid immediately and give you specific electronic payment instructions. Or they might impersonate an important supplier, claim that payment is overdue, and threaten to escalate the issue to your CEO if payment is not made immediately following the new payment instructions they provide.
What to do
There are several things you can do to protect your business from the fake CEO scam. For example, you can:
avoid putting too much detailed information about employees online—fraudsters use it to find potential victims and to time their approach accordingly
ensure that your business computer systems are secure with up-to-date, reputable antivirus software and strong employee passwords to protect email accounts from hackers
establish a standard process that requires multiple levels of approvals for money transfers
learn more about the various "spear phishing" scams
train all employees on how spear phishing works and what they can do to protect the company—for example, it can make a big difference if your employees know to:
stop and take a second look at any email that claims to come from the CEO or another senior executive of the company
examine the sender's email address with the knowledge that it may be very similar to the real one with only one or two different characters
confirm with the supposed author of the email or their administrative assistant to verify the request or instruction
validate all transfer requests either on the phone or in person with executives making email requests for money transfers, even if these look legitimate
never reply to or use the contact information provided in the request email unless the appropriate authority has fully and directly confirmed it is legitimate.
Intellectual property renewal notice scam
How it works
In this scam, you receive a letter or an email that looks like it is from the Canadian Intellectual Property Office (CIPO). This message pretends to be a reminder that your company's intellectual property (IP) rights must be renewed. The message might contain images of patents or trademarks, contact information, registration numbers, and other publicly available information but is so specific and familiar that it makes the reminder appear authentic.
The instructions are for you to pay a specific amount to renew your IP rights, and that payment must be made following the instructions provided in the message. If you make the payment as instructed, you could end up paying much more than the real renewal fee—and on top of that, you will still need to pay the real fee to CIPO when the actual renewal date comes up.
How to spot it
When you receive a reminder email or letter from the CIPO, check where it came from:
legitimate emails from the CIPO come from an address ending in @canada.ca or @ised-isde.gc.ca
the return address on a legitimate CIPO letter is always 50 Victoria Street, Gatineau, QC K1A 0C9
If the notice comes from elsewhere, you know it is not from the CIPO.
Protect your business
Take the following steps to protect your business from intellectual property scammers:
Malware and ransomware
How it works
Malicious software, commonly known as “malware”, refers to computer programs specifically designed to damage the normal operation of a computer or network. You can accidentally “catch” malware when you download email attachments, click links in emails, visit less reputable websites, or download music, videos, or programs. Malware can also infect your computer through pop-up ads.
Malware is a security issue and is never good news. Fraudsters can use malware to send spam, access your computer, find personal information, and disable your security settings. Malware can even reinstall itself after you remove it.
"Ransomware" is a form of malware that blocks access to your business computer by locking your screen or encrypting your information while the scammer demands payment to unlock it.
How to spot it
The following sources provide up-to-date information and techniques for spotting malware on your company systems:
What to do
There are many ways to prevent and avoid malware. Protect your computer and network with security software, back up your data externally, and stay vigilant.