Cybersecurity

Main fraud schemes

May 6, 2025

Any business, regardless of its size, can become a target for fraud. Learn to recognize the most common schemes and adopt secure behaviours to protect your business.

1. Phishing

Phishing is a common tactic used by many scammers. They can target anyone in an organization, from the average employee all the way up to the big boss. Phishing starts with a fraudster sending emails or text messages that look legitimate or contacting their target by phone or on social media. The goal is to get you to act impulsively and click a link, open a file or download a document. Once you click, the scammer can install malware on your device and ultimately obtain your personal or financial information. Phishing can lead to other scams and cyberattacks. According to Cybereco,1 more than 90% of cyberattacks around the world start with a phishing email. 

What does a phishing attempt look like?

One common technique scammers are using is phishing with a phone call. A person pretending to be a bank representative calls a company employee and says that there’s a problem with the company’s bank account. They ask the employee to enter *21 or *72 on their phone, followed by a series of numbers that’s actually the scammer’s phone number. But doing that causes the company’s incoming calls to be redirected to the scammer!

2. Ransomware

Ransomware is a type of malware that can be installed during phishing attacks. It’s then used to hijack your company’s data and take it hostage. The cybercriminal asks for a ransom to restore your data. According to the Canadian Centre of Cybersecurity, "Ransomware can have severe impacts including core business downtime, permanent data loss, intellectual property theft, privacy breaches, reputational damage and expensive recovery costs.2"

3. Impersonation fraud

Fraud by impersonation is when a scammer pretends to be someone trusted (like a manager or a supplier) to trick employees into transferring money to an unusual account or providing access to confidential information. It’s a manipulation technique known as social engineering. To successfully get what they want, scammers do extensive research on the business or person they plan to impersonate. They often make their attempt when the actual person is out of the office or on vacation. Think carefully before you share anything about your company on social media. Scammers can copy the visual and graphic identities of well-known companies and financial institutions you do business with.

CEO fraud

CEO fraud, also known as "business email compromise," is a type of scam where scammers usually start by hacking into the CEO's account. Using their email address as a cover, the scammer contacts an employee from the organization who's authorized to carry out transactions, like an administrative assistant, procurement officer or accounts payable clerk. They claim that there’s some kind of emergency or major acquisition that requires money to be sent to another account, often in a foreign country.

Fake supplier scam

After hacking into the email account of one of your regular suppliers, the scammer asks that payments intended for that supplier be sent to a new bank account. The scammer (still pretending to be your actual supplier) asks you to change the banking information. The payments are never made to your real supplier.

Fake technician scam

A scammer pretending to be an IT technician calls you or one of your employees on the phone. They claim that they need to do something on your computer like update some software, clean up files or fix something. To convince you, the fake technician says your software version is obsolete (or corrupted) and that you'll soon lose access to it. Then, they ask you to connect remotely to your computer to do an "update". But what the scammer really wants to do is get your usernames and passwords, as well as the company’s banking information. Once they have your personal information, they’ll be able to perform fund transfers.

4. Overpayment scam

One of your customers sends a payment by cheque for more than what they owe for the goods or services they received. Instead of writing you a new cheque for the correct amount, they suggest that you go ahead and deposit their original cheque and just transfer them the amount they overpaid. You later discover that the cheque was fraudulent. By then, you've lost the goods and services, along with the amount refunded.

Help protect your company from fraud

1. Be vigilant

Stay aware of the latest scam techniques and immediately report any fraud attempts to law enforcement agencies such as the Canadian Anti-Fraud Centre and your local police. Also be sure to report any fraud, suspicious activities or unusual transactions in your bank accounts to your financial institution.

2. Set up stringent procedures for transfers

Set up clear procedures for transferring funds, including amount limits and approval levels. Make sure that all authorized individuals understand the potential risks and the procedures they need to follow.

3. Educate and train your staff

Train your employees about fraud risks, the procedures they need to follow, and warning signs. Organizations like Cybereco have documentation about best practices you can use as well as tools to help raise awareness.

4. Make sure transactions with your suppliers and clients are secure

Confirm any changes to supplier banking information verbally with a reliable source, using the phone numbers you have on file.

5. Check the origin of text messages or emails

Check where calls and messages are coming from. For example, when you receive an email, pay attention to the information after the at sign (@) in the sender’s email address. If the address looks fake or if you don’t recognize the sender, there’s a good chance that it’s a fraudulent message.

And never click on any link or attachment from an unknown sender! To check whether a hyperlink is legitimate, you can hover your mouse over the link but do not click on it. If you have any doubts about what shows up onscreen, do not click that link.

And finally, no matter what, never reveal personal information.
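The check on the part after the at sign (@) can be automated for incoming mail. The following is an added example, not part of the original article: the domain list, the substitution table and the distance threshold of 2 are constructed assumptions, and it classifies a sender as known, look-alike or unknown.

```python
from email.utils import parseaddr

# Constructed allow-list: domains of the bank and suppliers you really deal with.
KNOWN_DOMAINS = {"examplebank.ca", "acme-supplies.example"}

# Character swaps often used to imitate a trusted domain (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold(domain):
    """Normalise look-alike characters so 'examp1ebank' compares as 'examplebank'."""
    return domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, known=KNOWN_DOMAINS):
    """Return (verdict, domain); verdict is 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)  # ignores the display name, which is free text
    if "@" not in addr:
        return "unknown", ""
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for k in known:
        # Exact match or a genuine subdomain such as mail.examplebank.ca
        if domain == k or domain.endswith("." + k):
            return "known", domain
    for k in known:
        # Trusted name used as a prefix of another domain, or a near-miss spelling
        if (k + ".") in domain or edit_distance(fold(domain), fold(k)) <= 2:
            return "lookalike", domain
    return "unknown", domain


if __name__ == "__main__":
    for header in ("Example Bank <alerts@examp1ebank.ca>",
                   "Accounts <ap@acme-supplies.example>"):
        print(header, "->", check_sender(header))
```

A "lookalike" verdict is the strongest warning sign of the three, since the sender chose an address meant to pass a quick glance; "unknown" still calls for the verification steps above.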

6. Use strong passwords

Use complex passwords, such as passphrases, and learn how to use a password manager to keep track of your passwords (rather than a spreadsheet). It’s more secure. Make sure your computer system is up to date and fully protected. 

To learn more, check out the tools in the cybersecurity awareness kit.