Small businesses are attractive targets for fraud because they often have fewer checks in place than large companies, and the person handling payments may also be juggling sales, hiring, and customer service. The good news is that most schemes that hit small firms follow a small number of patterns. Once you recognize the pattern, a few simple habits close off most of the risk.

Fake or duplicate invoices

A common scam is sending an invoice for something you never ordered — office supplies, a directory listing, a domain renewal, or a service that sounds plausible. The invoice looks official, sometimes even references a real product you use, and relies on someone in accounts payable approving it without checking.

  • Match every invoice to a purchase order or a named person who requested it.
  • Keep a short approved-vendor list and question anything from outside it.
  • Train whoever pays invoices to flag anything unfamiliar rather than pay first and ask later.

Vendor and supplier impersonation

Fraudsters research a real supplier you already work with, then email or call pretending to be that supplier's accounts team, saying their bank details have changed. If you update your records and pay the new account, the money goes to the criminal instead.

  • Never change payment details based on an email alone.
  • Call the supplier on a phone number you already have on file — not one given in the message — and confirm verbally before changing anything.
  • Be extra cautious around large or overdue invoices, since these are prime targets for this trick.

Business email compromise (CEO fraud)

Here the scammer either hacks or spoofs the email of an owner, manager, or executive and sends an urgent request to a colleague — usually to wire money, buy gift cards, or pay an invoice quickly, often while claiming to be traveling or in a meeting.

  • Set a rule that payment requests by email always need a second confirmation, ideally by phone or in person.
  • Be suspicious of urgency, secrecy ("don't tell anyone yet"), and requests to change normal procedures.
  • Use email authentication and look closely at sender addresses — spoofed domains often differ by a letter or two.

Overpayment and fake customer scams

A "customer" pays you with a check or transfer for more than the agreed amount, then asks you to refund the difference — often urgently. The original payment later bounces or is reversed, and you're out both the goods and the refunded money.

  • Never refund an overpayment before the original payment has fully cleared and settled.
  • Be wary of buyers who overpay and then rush you to send money back.
  • Verify unfamiliar large orders, especially from new customers who want fast shipping and are indifferent to price.

Phishing and fake official notices

Emails or texts pretending to be your bank, a tax authority, a shipping company, or even this kind of business directory may ask you to "verify" your account or click a link to avoid a suspended service. The link leads to a fake login page designed to steal credentials.

  • Don't click links in unexpected messages — go to the official site directly by typing the address yourself.
  • Check for spelling mistakes, generic greetings, and mismatched sender domains.
  • Enable two-factor authentication on banking, email, and any account tied to payments.

Payroll and employee-impersonation fraud

Similar to vendor impersonation, but the target is your payroll: someone posing as an employee emails HR asking to change their bank account for direct deposit, redirecting future paychecks to themselves.

  • Require any payroll bank-detail change to be confirmed by phone or in person with the actual employee.
  • Keep a simple log of who requested changes and when.

Fake registrations, listings, and directory scams

Some outfits contact small businesses claiming they must pay to "renew" a business listing, trademark, or registry entry that either doesn't exist or is free through official channels.

  • Before paying any registration-style invoice, check the sender against the official business registry or the real organization's own contact details.
  • Search the company name plus words like "complaint" or "scam" to see what others report.

Habits that prevent most of this

  • Separate duties: the person who approves a payment shouldn't be the only one who can send it.
  • Verify changes independently: new bank details, new contacts, new urgent requests — always confirm through a channel you already trust, not the one the request came from.
  • Slow down urgent requests: legitimate business rarely requires you to skip your normal process.
  • Check unfamiliar counterparties: look up the company or person in the official registry, read independent reviews, and check how long they've been operating before sending money or sensitive data.
  • Keep records: save emails, invoices, and confirmations so any dispute is easier to resolve with your bank or the authorities.

None of these habits require expensive tools — just a consistent routine and a moment of skepticism before money or data moves. Most small-business fraud succeeds because someone was rushed or trusted a message at face value; slowing down and verifying independently closes the door on the majority of these schemes.