Rick Li’s heating and cooling business has been the target of its share of scams: First it was a foreign buyer that wanted him to send the goods and get paid later. Then it was a credit purchase that went through but was clawed back after the merchandise had left the shop. Then there was a spear-phishing scam, where fraudsters created a fake e-mail account for his business and used it to get his client to wire nearly $20,000 to the wrong account. (Fortunately, the client caught the error and was able to stop the transfer in time.)
Now, after 15 years in business, Mr. Li – who co-owns Markham, Ont.-based High Efficiency Heating and Cooling with his wife Gloria Deng – is extra cautious. He won’t ship a product without cash or an e-mail payment upfront or take credit cards over the phone. He also takes more time to verify the identity of anyone who calls, texts or e-mails.
“Pretty much every day we get something,” he says, pointing to a recent increase in text-message scams. “I get one or two a day, asking you to click a link or saying it’s your bank.”
Mr. Li feels like the number of scams is increasing, and he’s right. The Canadian Anti-Fraud Centre (CAFC) says it received 2,317 reports of fraud targeted at businesses last year, according to data provided to the Globe and Mail, up from 2,263 in 2018. Financial losses from reported business frauds have skyrocketed in that time: from $17.5-million to $27.6-million.
The real impact is likely much larger, the CAFC says, noting that Canadians – both businesses and individuals – only report an estimated 5 per cent of actual fraud cases.
Among the reported business frauds, spear-phishing was the second-most frequent scam but the costliest, dinging Canadian businesses for at least $12.1-million last year alone. Extortion was the most frequent scam targeted at businesses, the CAFC says, which it defines as using coercion to obtain money, goods or services. Some popular extortion scams include ransomware attacks or phone calls that purport to be from Canada Revenue Agency and threaten a severe consequence if money isn’t paid.
A recent KPMG survey also identified spear-phishing as a major concern for Canadian businesses. It collected data from 253 small- and medium-sized Canadian companies in early September and found 41 per cent of those polled had been victims of spear-phishing or compromised business mail during the pandemic. It found 38 per cent were the target of malware, which is malicious software placed on a user’s computer or phone.
The poll also found that while many businesses have appropriate tools for cybersecurity, they are not using them to their potential, with only 39 per cent of respondents saying they were “very confident” in their ability to detect and respond to a cyberattack.
Toronto-based KPMG cybersecurity partner Alexander Rau says there are several steps businesses can take to avoid being victimized. He recommends using contractors known to protect client data and, for companies too small to employ an expert in the field, considering hiring outside security help.
Other best practices, according to Mr. Rau, include implementing multi-factor authentication on all consumer or client accounts, providing security awareness training for employees, regularly backing up data (including somewhere that isn’t accessible online), getting fraud insurance, keeping software up to date, and practising the company’s response to a security breach in advance with key personnel.
There are also many manual procedures small businesses can put in place to prevent and detect scams, adds KPMG partner Myriam Duguay, the company’s national leader of investigation and fraud risk management based in Montreal. Her top advice for a business that suspects a targeted scam such as spear-phishing is to verify the request through a different communication channel.
A common example is a fraudster impersonating a company’s chief executive officer over e-mail and asking the controller to send money for an urgent, secret transaction. She says that responding over e-mail won’t help confirm that it’s the CEO at the other end but calling them on the phone will. Ms. Duguay says companies should train employees to respond this way to any unusual requests.
“For a small business, it’s really good because it’s cheaper and it’s not complicated,” Ms. Duguay says. “If someone is writing you an e-mail and you’re not sure about [what they’re asking you to do], you need to change channels.”
Ensuring two different people have cheque-signing ability is another easy-to-implement fraud-prevention practice, says Toronto forensic accountant Jennifer Lynch. She says asset misappropriation or stealing by employees is one of the most common types of fraud she encounters.
“For example, a controller who works for a small family business could try to manipulate accounts receivable or cheques to steal money,” she says, noting she often sees cases where the thief has created fake accounts payable, or buys personal items on the company credit card.
To prevent such internal frauds, she recommends creating an environment that encourages whistleblowers and spreads out control of the finances between multiple people. If that is not possible, small businesses should hire external auditors to look at the books at surprise intervals, Ms. Lynch adds.
She notes many entrepreneurs mistakenly believe they can tell who is trustworthy by their outward behaviour, but that simply isn’t true.
“Most of the people who commit these frauds don’t have a history of fraud,” she says. “They look like normal, honest people.”