The news frequently runs stories about the elderly being tricked into handing over their life savings. But they aren’t the only victims of scams. Small businesses are prime targets and, according to one source, face a cyber attack every 11 seconds. An even worse statistic from the same source: “60% of small businesses that experience a cyber attack go out of business within 6 months.” What to do? Recognize the types of scams you face and take action to avoid becoming a victim.
Scams you face and what to do
Types of scams
Scamsters are continually devising new and insidious approaches designed to get information they can use to defraud you. They may seek bank account information or try to gain access to payroll information (your employees’ Social Security numbers).
The IRS created a list of the various scams currently being run:
- Phishing/smishing. Phishing emails or SMS/texts (known as “smishing”) attempt to trick the recipient into clicking a suspicious link, entering information on a fake form, or downloading a file that installs malware. Often, phishing attempts are sent to many email addresses at a business at once, increasing the chance that someone will fall for the scam.
- Spear phishing. A type of phishing scam that targets a specific victim and delivers a more realistic, tailored email known as a “lure.” These scams can be trickier to identify because they are sent in small numbers and refer to details the recipient recognizes.
- Clone phishing. A newer type of phishing scam that clones a real email message and resends it to the original recipient pretending to be the original sender. The new message will have either an attachment that contains malware or a link that tries to steal information from the recipient.
- Whaling. Whaling attacks generally target leaders with access to large amounts of information at an organization or business. Whaling attacks can also target people in payroll offices, human resource departments, and financial offices.
- New client scam. Criminals pose as a prospective “new client” to trick the recipient into opening email links or attachments that infect computer systems and steal existing client information.
There’s even a scam specifically targeting tax professionals, making their clients’ information vulnerable. According to the IRS, scamsters aim to collect tax practitioners’ Electronic Filing Identification Numbers (EFINs). The scammer poses as a tax software provider and emails the tax pro with a request to provide their EFIN information by fax. If the tax pro faxes back their EFIN information, the scammer can use the information to steal client data.
Warning signs of a scam
Stay vigilant and look for warning signs.
The following list is adapted from IRS warnings to tax practitioners:
- An unexpected email or text claiming to come from a known or trusted source, such as a colleague, bank, credit card company, cloud storage provider, tax software provider, or even the IRS and other government agencies.
- Receiving a duplicate email from what appears to be a known trusted source that contains a new attachment or hyperlink.
- A message, often urgent in tone, pressuring the receiver to open a link or attachment. These messages carry a false pretext, such as an expired password that must be updated or some other action that supposedly cannot wait.
- An email address, phone number or link that is slightly misspelled or uses a different domain name or URL (irs.com vs. IRS.gov). A closer look at these addresses often reveals small variations on the legitimate ones. Check the actual address behind the display name and the actual destination behind a link (hover over it before clicking), since the display name and the link text can say anything.
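The last warning sign, a sender or link whose domain is a near-copy of a trusted one, is easy to miss by eye but simple to check mechanically. The Python below is an added example, not code from the article or the IRS: it compares the sender's domain and every link in a message against a small allowlist of domains the office actually deals with and reports the classic lookalike patterns (irs.com for irs.gov, irs-gov.com, irs.gov buried as a subdomain of another domain, one-character typos and "rn"-for-"m" homoglyphs). The allowlist and the sample message are constructed for illustration; a real deployment would load the allowlist from the firm's own vendor list and use a public-suffix list instead of the two-label shortcut used here.

```python
"""Lookalike-domain check for incoming mail (added example, not from the article)."""
import re
from urllib.parse import urlparse

# Hypothetical allowlist: the domains this office really does business with.
TRUSTED_DOMAINS = {"irs.gov", "example-bank.com", "example-taxsoftware.com"}

# Characters that look alike in most fonts; "rn" for "m" is the common trick.
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l", "vv": "w"}


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname ("mail.irs.gov" -> "irs.gov").

    Simplification: right for .com/.gov/.net style names, wrong for two-level
    public suffixes such as .co.uk, where a public-suffix list is needed.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(name: str) -> str:
    """Fold lookalike character sequences so 'exarnple' compares as 'example'."""
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def classify_host(host: str) -> str:
    """Classify a hostname as 'trusted', 'unknown', or a 'lookalike: ...' reason."""
    host = host.lower().strip(".")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    name, _, tld = reg.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        # irs.gov.efin-verify.com: the trusted name is only a subdomain of something else
        if host.startswith(trusted + "."):
            return f"lookalike: {trusted} used as a subdomain of {reg}"
        # irs.com vs irs.gov: right name, wrong top-level domain
        if name == tname and tld != ttld:
            return f"lookalike: wrong TLD for {trusted}"
        # irs-gov.com / irsgov.com: the dots of the real domain turned into hyphens or dropped
        if name.replace("-", "") == trusted.replace(".", "").replace("-", ""):
            return f"lookalike: run-together spelling of {trusted}"
        # exarnple-bank.com / exampl-bank.com: homoglyph or a single-character edit
        # (heuristic; short trusted names make one-edit matches more likely)
        if normalize_homoglyphs(name) == tname or edit_distance(name, tname) == 1:
            return f"lookalike: typo or homoglyph of {trusted}"
    return "unknown"


def sender_host(from_header: str) -> str:
    """Pull the real domain out of a From header such as 'IRS Refunds <x@irs-gov.com>'."""
    hosts = re.findall(r"@([A-Za-z0-9.-]+)", from_header)
    return hosts[-1] if hosts else ""


def check_message(from_header: str, body: str) -> list:
    """Return (where, verdict) pairs for the sender and each URL that is not trusted."""
    findings = []
    verdict = classify_host(sender_host(from_header))
    if verdict != "trusted":
        findings.append(("sender", verdict))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        verdict = classify_host(urlparse(url).hostname or "")
        if verdict != "trusted":
            findings.append((url, verdict))
    return findings


# Constructed sample message in the style the article warns about (EFIN pretext, urgency).
SAMPLE_FROM = "IRS e-Services <noreply@irs-gov.com>"
SAMPLE_BODY = (
    "Your EFIN will be suspended within 24 hours. Verify it now at "
    "https://irs.gov.efin-verify.com/login or fax the form to our office.\n"
    "Reference: https://www.irs.gov/tax-professionals"
)

if __name__ == "__main__":
    for where, verdict in check_message(SAMPLE_FROM, SAMPLE_BODY):
        print(f"{where}: {verdict}")
```

On the sample message the check flags the sender (irs-gov.com is a run-together spelling of irs.gov) and the first link (irs.gov appears only as a subdomain of efin-verify.com), while the genuine www.irs.gov reference passes. The check is a filter for human attention, not a verdict: anything it reports should be confirmed by contacting the supposed sender through a number or address you already have, never one taken from the message.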
What to do for protection
Use the IRS’ “Security Six” protections to protect your offices, computers, and data from thieves and hackers:
- Anti-virus software. This is a first line of defense. Keep it up to date, and keep the operating system and applications it protects up to date as well.
- Firewalls. These are necessary to shield computers and networks from malicious or unnecessary network traffic.
- Multi-factor authentication (MFA). The Federal Trade Commission (FTC) requires it for tax professionals to guard against takeover of cloud-based accounts, and small business owners should adopt it even where the FTC does not require it. It adds a hurdle scamsters must clear even after they have stolen a password. Authenticator apps or hardware security keys are stronger than codes sent by text message, which can be intercepted or phished along with the password.
- Backup software or services. Back up critical files routinely so they can be restored after device failure, ransomware, or a natural disaster. Keep at least one copy offline or otherwise unreachable from your network, since ransomware that can reach a connected backup will encrypt it too. Backups do not prevent data from being stolen in a cyberattack; they let you recover what was destroyed or locked.
- Drive encryption. This transforms the data stored on a computer into a form that is unreadable without the key, so a lost or stolen laptop or drive does not expose what is on it. It does not protect data from malware running on the machine while it is unlocked. If you store customer credit card information, this is a must.
- Virtual Private Network (VPN). This provides an encrypted tunnel over the internet between a remote user’s device and the company network, so traffic sent over public Wi-Fi or other untrusted networks cannot be read or altered in transit.
Final thought
While large corporations have in-house IT departments that are supposed to guard against scams, small businesses have to be proactive in finding the right help and implementing protections. Engage an outside IT specialist or company that keeps up with current scams and ensures that all available protections are deployed on your behalf.
There are numerous tools that can help, and IT people can suggest them. AI-powered email filters are already built into Microsoft 365 Defender and Google Workspace; they detect suspicious messages and flag them as likely “business email compromise” scams.
Also use DNS filtering, such as Cloudflare Gateway or Quad9, which blocks access to known harmful websites by refusing to resolve their domain names, so the connection is never made.
Find more information concerning cyber security in this list of blogs.