5 Common Scams and How to Avoid Them: A Small Business Cybersecurity Checklist
These days, avoiding financial fraud and cybercrime is a persistent concern for small businesses. As artificial intelligence (AI) technology evolves, scammers are finding new ways to work, making it more critical than ever for small business leaders to stay vigilant.1 In fact, cybercrime is projected to increase rapidly over the next few years, rising from a global loss of $9.2 trillion USD in 2024 to an estimated $13.8 trillion USD by 2028.2
As scammers use technological advancements to perpetrate more and more sophisticated fraud, those working to protect businesses from cyberattacks are also evolving. “We’re steadily adapting to the growing needs around risk management in the financial ecosystem to stay ahead of these cybercriminals,” says Andrew Stucchio, global head of network payments pricing, analytics, and controls at Discover® Network.3
He goes on to explain how Discover Network is expanding on processes to proactively assess risk. “We’re doing this by leveraging our advanced analytics to detect authorization or settlement data anomalies that could suggest fraudulent behavior. We are combining these very powerful data analyses with other technical advances so that we can more quickly detect the fraud, investigate it, remediate it, and prevent it.”3
Read on to learn about five common scams that affect small businesses. Learn how to recognize them and what merchants can do to protect themselves.
1. Phishing
From a global perspective, the most common cybercrime is phishing,4 a type of scam in which attackers deceive their targets into revealing sensitive information, such as passwords, payment details, or personal data. They do this by impersonating trustworthy entities through emails, messages, or fake websites.
Phishing is common worldwide, and a 2023 study found it to be by far the most reported cybercrime in the U.S., with nearly 300,000 incidents that year.5 For comparison, there were fewer than 60,000 incidents of personal data breach, the next most common cybercrime in the U.S., making phishing roughly five times more common than its closest competitor.5
Another study shows that 74% of U.S. companies were victims of phishing in 2020. The U.K. was the second most targeted country, with 66% of companies being impacted, and 60% of Australian companies experienced phishing attacks that year.6
Technological advancements are making phishing—already a formidable threat—even more effective. For example, scammers are using generative AI to make phishing more scalable and more convincing. Using AI removes the manual effort and eliminates the grammar mistakes that often give scams away. It can also enable highly realistic deepfakes that can imitate an executive’s voice or appearance well enough to fool even careful employees.1
How merchants can protect themselves
Small businesses can avoid phishing attacks by instructing all employees to be wary of unsolicited messages and warning them not to click on unknown links. It is also helpful to install a firewall and other computer protection software.
2. Business email compromise
Business email compromise (BEC) fraud is a specific form of phishing that targets the person in charge of paying bills for a business, such as an accountant or chief financial officer (CFO).
The impact of BEC is significant. In 2023, BEC resulted in $2.9 billion in losses in the U.S. alone, making it the second costliest cybercrime to American businesses that year.7 BEC was also identified as a major concern by the European Union Agency for Cybersecurity, which highlighted it as part of a report to educate the EU’s transport sector about common scams.8
How merchants can protect themselves
Watch out for emails and other messages from accounts posing as vendors. They may ask for money, gift cards, or personal information. Make sure to check the sender’s email address for accuracy, looking for spelling errors or small inconsistencies in domain names.
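The sender-address check described above can be automated. The following is an added example, not code from Discover Network; the vendor domains, the function names, and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains of vendors the business actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind-freight.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS, max_dist: int = 2):
    """Return (verdict, closest_known_domain) for a From: header value."""
    _display, addr = parseaddr(from_header)  # the display name is never trusted
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if "@" not in addr or not domain:
        return ("invalid", None)
    if domain in known:
        return ("known", domain)
    # Non-ASCII or punycode labels can render like a trusted name: send to a human.
    if not domain.isascii() or "xn--" in domain:
        return ("idn-review", None)
    closest = min(known, key=lambda d: (edit_distance(domain, d), d))
    if edit_distance(domain, closest) <= max_dist:
        return ("lookalike", closest)  # e.g. "1" for "l", "rn" for "m"
    return ("unknown", None)
```

A "known" verdict only says the domain is spelled correctly; a message sent from a vendor's genuinely compromised mailbox passes this check, so payment-detail changes still need separate verification.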
3. Ransomware attacks
Ransomware is a type of malware that takes control of a target’s device and then demands a ransom in exchange for returning control to the device owner. These attacks happen when cybercriminals gain access to the same network as the vulnerable device, enabling them to plant malicious software. The ransomware then encrypts files saved on the device, locks out the owner, and steals or deletes the data. In some cases, the criminal party threatens to leak the stolen data if the ransom is not paid.9
Like other types of cyberattacks, some regions are more vulnerable to ransomware attacks than others. A 2023 study found the U.S. to be the country most affected by ransomware attacks, followed by the U.K., Germany, Canada, and Italy.10
The same study found that vulnerability to ransomware varied by company size, with small- and medium-sized companies being the most often targeted.10 Over the course of a year, companies with 51–200 employees experienced the most ransomware attacks (395 cases), followed by those with 11–50 employees (281 cases), and those with 201–500 employees (232 cases).10
How merchants can protect themselves
Small businesses can steer clear of ransomware attacks by ensuring software is updated regularly and by implementing layered security tools and access control on all sensitive documents.11
4. Fake invoices
Recently, fake invoices were named by the U.S. Federal Trade Commission as one of the most common cybercrimes targeted at small businesses.12 To pull off this kind of scam, malicious actors typically create an invoice detailing products or services which, in reality, were neither ordered nor delivered, tricking small businesses into paying the bill.
One way scammers of this type operate is to pose as a genuine vendor their target has worked with—but with subtle differences in invoice information, such as bank account numbers. An even more sophisticated method of invoice fraud involves monitoring a merchant’s inbox and intervening on email threads with the real supplier to update payment information.13
Fake invoices pose a real threat to small businesses. According to the Association of Certified Fraud Examiners, corruption—a category that includes fake invoices—accounted for nearly half of the occupational fraud seen in their recent study.14
How merchants can protect themselves
Small businesses can avoid falling prey to this kind of scam by double checking all invoices against actual goods and services rendered, as well as comparing the vendor contact and payment information to past invoices to ensure they match.13
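The invoice checks above (goods or services actually received, and vendor contact and payment details matching past invoices) can be expressed as a pre-payment review. This is an added example, not code from Discover Network; the record layout, field names, and sample values are constructed assumptions.

```python
# Constructed records: invoices already paid and goods/services actually received.
PAID_INVOICES = [
    {"vendor": "Acme Supplies", "account": "XX00 TEST 0000 0012 3456 78",
     "contact": "billing@acme-supplies.example"},
]
GOODS_RECEIVED = [
    {"vendor": "Acme Supplies", "po": "PO-1001", "amount_cents": 48_000},
]


def _name(v: str) -> str:
    # Collapse whitespace and case so "ACME  Supplies" matches "Acme Supplies".
    return " ".join(v.split()).casefold()


def _account(v: str) -> str:
    # Spacing, hyphens and case vary between documents; the characters must not.
    return "".join(ch for ch in v if ch.isalnum()).upper()


def review_invoice(invoice: dict, paid=PAID_INVOICES, received=GOODS_RECEIVED) -> list:
    """Return the reasons this invoice needs a call-back before payment."""
    findings = []
    vendor = _name(invoice["vendor"])
    history = [p for p in paid if _name(p["vendor"]) == vendor]
    if not history:
        findings.append("vendor has no payment history")
    else:
        if _account(invoice["account"]) not in {_account(p["account"]) for p in history}:
            findings.append("bank account differs from past invoices")
        if invoice["contact"].strip().casefold() not in {p["contact"].casefold() for p in history}:
            findings.append("contact differs from past invoices")
    receipt = next((r for r in received
                    if r["po"] == invoice.get("po") and _name(r["vendor"]) == vendor), None)
    if receipt is None:
        findings.append("no matching goods or services received")
    elif receipt["amount_cents"] != invoice["amount_cents"]:
        findings.append("amount differs from what was received")
    return findings
```

Any non-empty result should be resolved through contact details already on file, not through those printed on the invoice under review.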
5. Advertising scams
Alongside fake invoices, advertising scams were cited by the U.S. Federal Trade Commission as one of the top cybercrimes small businesses should be aware of.12 Advertising fraud happens when scammers reach out to business owners via unsolicited emails or phone calls, offering to provide advertising services for an up-front payment. Typically, the proposed advertisements take the form of mailings and online placements or listings in directories or coupon books.15
By one measure, 22% of ad spend was lost to advertising fraud in 2023.16 What’s more, the impact of advertising scams is on the rise, with total loss predicted to reach $172 billion USD per year by 2028.16
How merchants can protect themselves
As with phishing, small business leaders should encourage employees to be suspicious of all unsolicited messages. Asking for payment up front for advertising services can also be a red flag.
What to do in case of an attack
When a merchant becomes a victim of a scam, the first step is to contact the business’s bank or payment provider to alert them to the fraud. After that, merchants can report the cybercrime to legal authorities and any applicable trade commissions.
It’s also important to take stock of security protocols and implement tools to help catch and stop fraud before it happens again. The world is evolving, says Stucchio, and it’s no longer possible to rely on a single technological tool, or to take fraud-fighting initiatives wholly in-house. According to him, it’s up to the financial services sector to leverage some of the same technologies cybercriminals are using—AI and machine learning—to fight fire with fire.3 “We’ve really come a long way and continue to invest in machine learning and AI technology to help us in managing against fraud,” says Stucchio.3
Explore the Fraud Management Tools that Discover Network offers to help merchants monitor and protect their businesses.
1. Davis, N. (2024, October 23). How AI is reshaping cybersecurity as we know it. CNBC. Retrieved 15 April, 2025.
2. Fleck, A. (2024, February 22). Cybercrime Expected To Skyrocket in Coming Years. Statista. Retrieved 12 March, 2025.
3. PYMNTS. (2024, November 14). Discover Global Network: Advanced Analytics Forges Proactive Approach to Battling Fraudsters. Retrieved 12 March, 2025.
4. Griffiths, C. (2025, January 1). The Latest 2025 Phishing Statistics (updated January 2025). AAG. Retrieved 12 March, 2025.
5. Petrosyan, A. (2024, October 10). Most commonly reported cybercrime categories in the United States in 2023, by number of individuals affected. Statista. Retrieved 12 March, 2025.
6. Tanti, R. (2024, October). Study of Phishing Attack and Their Prevention Techniques. International Journal of Scientific Research in Engineering and Management, 8(10). Retrieved 15 April, 2025.
7. IC3. Federal Bureau of Investigation Internet Crime Report 2023. Retrieved 12 March, 2025.
8. The European Union Agency for Cybersecurity. ENISA Threat Landscape: Transport Sector. Retrieved 6 May, 2025.
9. Kochan, N. (2024, August 25). How to defend against the cyber spiders holding firms to ransom. The Times. Retrieved 13 March, 2025.
10. NordLocker. Ransomware statistics: Who is targeted the most? Retrieved 12 March, 2025.
11. Heaslip, E. (2023, January 9). 11 Things You Can Do Right Now to Protect Your Business from a Ransomware Attack. U.S. Chamber of Commerce. Retrieved 12 March, 2025.
12. Federal Trade Commission. (2023, July). Scams and Your Small Business: A Guide for Business. Retrieved 12 March, 2025.
13. The Ohio Society of CPAs. (2023, August 7). The tips to spotting a fake invoice. Retrieved 6 May, 2025.
14. Association of Certified Fraud Examiners. Occupational Fraud 2024: A Report to the Nations. Retrieved 6 May, 2025.
15. The Office of Minnesota Attorney General Keith Ellison. Small Business Advertising Scams. Retrieved 12 March, 2025.
16. Juniper Research. Research report: Quantifying the cost of ad fraud: 2023-2028. Fraud Blocker. Retrieved 12 March, 2025.
The information provided herein is sponsored by Discover® Network. It is intended for informational purposes, and is not intended as a substitute for professional advice.