IsThisAScam

Independent scam & phishing analysis. Free for individuals. APIs for developers.

Operated by Zeplik, Inc.
Small Business Scams: Invoice Fraud, CEO Fraud

IsThisAScam Research Team · June 19, 2026 · 4 min read

Small businesses lost $6.7 billion to fraud in 2025, according to the Association of Certified Fraud Examiners. The median loss per incident was $150,000 — enough to bankrupt many small operations. Unlike large corporations with dedicated fraud teams, small businesses often lack the personnel, training, and systems to detect and prevent sophisticated scams.

The FBI ranks Business Email Compromise (BEC) as the most financially damaging cybercrime, with losses exceeding $2.9 billion in reported cases alone. Here's how these scams target small businesses and how to defend against them.


Business Email Compromise (CEO Fraud)

BEC attacks impersonate company executives, vendors, or clients through compromised or spoofed email accounts. The most devastating variant is CEO fraud:

"Hi Sarah, I need you to process an urgent wire transfer of $47,000 to our new vendor. I'm in meetings all day and can't discuss on the phone. The account details are below. This needs to go out before 3 PM today. — Sent from my iPhone"

The email appears to come from the CEO's address (through spoofing or an actual compromised account). The urgency, the instruction not to call, and the authority of the sender combine to pressure the employee into acting without verification.

Variations include:

  • CFO requesting W-2 or tax documents for all employees (identity theft)
  • Executive requesting gift card purchases for "client appreciation" (gift card scam)
  • Attorney claiming to represent the company in a confidential deal requiring immediate payment

Defense: Implement a policy that all wire transfers and payment changes require verbal confirmation through a known phone number (not one provided in the email). This single control prevents the majority of BEC attacks.
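The pressure signals described above (urgency, an instruction not to call, a payment request) can be checked mechanically before a message reaches accounts payable. The following is an added example, not IsThisAScam's detection code; the phrase lists, the Reply-To comparison, the sender name and the example.com / example.net domains are illustrative assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; names and domains are placeholders.
SAMPLE = """\
From: Dana Reyes <dana.reyes@example.com>
Reply-To: dana.reyes@example.net
To: sarah@example.com
Subject: Urgent wire transfer

Hi Sarah, I need you to process an urgent wire transfer of $47,000 to our
new vendor. I'm in meetings all day and can't discuss on the phone. This
needs to go out before 3 PM today.
"""

# Illustrative phrase patterns (assumption: tune these to your own mail).
INDICATORS = {
    "urgency": r"\burgent\b|\bimmediately\b|\bbefore \d{1,2}(:\d\d)? ?(am|pm)\b",
    "avoid_callback": r"can'?t (discuss|talk)|in meetings all day|do not call",
    "payment_request": r"wire transfer|gift cards?|banking (information|details)|w-2",
}

def bec_indicators(raw, own_domain):
    """Return the names of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    hits = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    # Replies routed to a different domain than the visible sender.
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_dom:
        hits.append("reply_to_mismatch")
    # "Executive" mail that does not come from the company's own domain.
    if from_dom != own_domain.lower():
        hits.append("external_sender")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    for name, pattern in INDICATORS.items():
        if re.search(pattern, text):
            hits.append(name)
    return hits

def needs_callback(hits):
    """Any payment request gets verbal confirmation, whatever else was found."""
    return "payment_request" in hits
```

A clean result does not waive the callback: a message sent from a genuinely compromised account can pass every header check.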


Invoice Fraud

Scammers send fake invoices for products or services your business never ordered. The invoices look professional and often mimic real vendors your business uses — sometimes discovered through data breaches, public records, or social engineering.

Common fake invoice types:

  • Office supply invoices for toner, paper, or equipment you didn't order
  • Directory listing and advertising invoices for services you didn't request
  • Domain name renewal invoices from registrars you don't use
  • Annual "license renewal" invoices for software you don't own

The invoices are often for small amounts ($200-$500) designed to slip past approval processes. Over time, these add up significantly.

Defense: Maintain an approved vendor list. Require purchase orders for all expenditures. Train accounts payable staff to verify invoices against actual orders before payment.

Vendor Payment Redirect Scams

A scammer impersonates one of your actual vendors (through email compromise or spoofing) and notifies you that their banking details have changed:

"Please be advised that our banking information has changed effective immediately. All future payments should be sent to the following account: [scammer's account details]. Please update your records accordingly."

Businesses that process the change without verification end up sending payments to the scammer's account. The real vendor eventually asks about overdue payments, and by then recovery is unlikely.

Defense: Always verify banking detail changes by calling the vendor at a known phone number — not a number provided in the email. Many businesses now include a standard disclaimer: "We will never request banking changes via email."

IsThisAScam's 6-layer detection system can analyze suspicious vendor emails and invoices, identifying the characteristics of BEC attacks and invoice fraud.

Fake Government Agency Scams

Small businesses receive fake notices from "government agencies" demanding payment:

  • Fake OSHA fine notices requiring immediate payment to avoid penalties
  • Fake IRS notices demanding back taxes with threats of seizure
  • Fake trademark or patent renewal notices at inflated prices
  • Fake state compliance filings that look like official government forms

Real government agencies send notices through official mail, provide clear case numbers and appeals processes, and never demand immediate payment through wire transfer or gift cards.

Online Advertising and SEO Scams

Unsolicited calls and emails promising to "get your business to #1 on Google" or offering "guaranteed leads" are overwhelmingly scams or, at best, dramatically overpriced services. Common tactics include claiming to be from Google (they're not), threatening that your listing will be removed if you don't pay, and locking you into long-term contracts for minimal or no actual work.

Employee-Facing Scams

Scammers also target your employees:

  • Fake payroll emails asking employees to "update" direct deposit information (redirecting paychecks to scammer accounts)
  • Phishing emails impersonating HR or IT departments requesting credentials
  • Fake benefit enrollment portals harvesting personal information

Building a Fraud-Resistant Business

  • Dual authorization for all wire transfers and payment changes over a threshold amount
  • Verbal verification of any payment instruction changes, using known contact information
  • Employee training on recognizing BEC, phishing, and social engineering — at least annually
  • Approved vendor list maintained by accounts payable, with verified contact information
  • Email security: DMARC, SPF, and DKIM records to prevent email spoofing of your domain
  • Separation of duties: The person who approves payments should not be the same person who processes them
  • Cyber insurance: Consider a policy that covers BEC and social engineering fraud
  • Incident response plan: Know who to contact and what steps to take when fraud is detected

For more on email security, see our guides on securing email accounts and understanding phishing.
