
Watch out for these common—and costly—business scams

Companies are just as vulnerable to tricksters as individuals are. Here are some of the most recurrent schemes.


Card Not Present fraud involves the unauthorized and/or fraudulent gathering, trade and use of payment data (Shutterstock/Antonio Guillem)

Extortion, spear phishing, email fraud: businesses are just as prone to scams as individuals are. In 2018 alone, the Canadian Anti-Fraud Centre (CAFC) received 2,263 reports of business fraud of various kinds, with a total reported loss of $17,501,617.

While these figures are high, it’s possible they could be even higher. That’s because many businesses that fall victim to fraud choose to absorb the cost rather than report it. According to Jeff Thomson, manager of the fraud prevention and intake unit at the CAFC, this has to do with a variety of factors, including protecting their brand and reputation. But Thomson also notes that many companies don’t report simply because they don’t have a proper business process and plan in place.

“Every business should have a plan to follow if a crime occurs—and this includes knowledge of where and why to report,” he says. 

Here are some of the most common scams currently targeting Canadian businesses in the order of most money lost.


Complaints: 273*
Victims: 70
Amount lost: $11,121,222.70 

Canadian businesses are currently being targeted by two types of wire fraud:

1. Business executive scam (also known as the business email compromise): Here, an employee authorized to make wire transfers receives an email that looks like it came from an executive in the company. (In some cases, the CEO or CFO’s email address will have been mimicked; in other cases, the executive’s actual email will have been compromised.) The message will often say the executive is working off-site and has identified an outstanding payment that needs to be paid right away. The executive provides a name and a bank account where the funds—usually a very large amount—are to be sent. Losses typically exceed $100,000.00.

2. Supplier swindle: This scam targets businesses that have existing relationships and accounts with suppliers, wholesalers or contractors. Claiming to represent their regular supplier or existing contractor, the fraudster usually sends a spoofed email informing the business of a change in payment arrangements. The email notice provides new banking details and requests that future payments be made to this new account. 


Complaints: 277*
Amount lost: $875,989.08

These scams involve any kind of merchandise or service that is being sold—usually online. Most of the time, it’s through business websites and online classified ads, says Thomson. 

Typically, the scammer contacts the seller, retailer or online merchant to buy their product or service. The scammer will then make payment to the seller’s account using compromised credit cards or fraudulent financial instruments. Currently, there are two types of scams in this category:

1. Card Not Present (CNP)   

CNP fraud involves the unauthorized and/or fraudulent gathering, trade and use of payment data (card numbers, expiry dates and passwords). By definition, it occurs in cases where the card and cardholder are not present during a transaction.

A fraudster places an order for a product or service by phone, email, fax, or through the vendor’s website, intending to make the payment using a stolen or compromised payment card. The merchant, thinking this is a legitimate purchase, processes the payment on the stolen payment card(s) and delivers the product(s) or provides the service(s). Eventually the real cardholder finds out about the charge and disputes it. The merchant receives a chargeback and is responsible for paying back the amount charged on the stolen card.

In another version of CNP, the scammers use stolen credit cards to purchase tickets for entertainment or travel from targeted merchants. Then they resell the tickets for a cheaper price on classified ad sites and/or social media. In cases like this, the merchant is not the only victim; so is the person who buys the tickets being resold. In most cases, they won’t be able to use the tickets because the merchant cancels them once fraud is confirmed. As CAFC explains, the travel industry was the hardest hit by this scam for a long time—and this still might be the case. 

2. Purchase-order scams

In this variation, scammers posing as legitimate organizations such as hospitals or universities will look to acquire products by setting up accounts with a supplier. These scams are then facilitated through the use of fake purchase orders, which will never be paid.


Complaints: 78*
Victims: 34
Amount lost: $263,219.79

Like individuals, businesses can be targeted by spear phishing. Typically, someone within the business receives a spoofed request that appears to come from a known sender such as a boss, co-worker or client. The email asks them to buy prepaid gift cards, such as iTunes, Google or Amazon cards, and email the prepaid card numbers back to the sender. In other instances, the fraudsters may ask them to send money via e-transfer. (This scam is similar to wire fraud in terms of the tactics used; but in this case, the scammers ask for gift cards or other forms of payment rather than a wire transfer.)


Number of complaints: 347*
Victims: 28
Amount lost: $105,865 

Extortion scams include ransomware, hydro extortion and email extortion campaigns.

Ransomware: This is the most common type of extortion scam targeting businesses. Ransomware is a kind of malicious software that will block access to a computer until a sum of money is paid. Often, a computer is infected when a victim clicks on a link or attachment received through a phishing email. Once infected, the computer will show a “ransom” note clearly designed to extort the victim into paying the sum demanded.

Hydro extortion scam: According to CAFC, hydro extortion scams are almost identical to the well-known Canada Revenue Agency scam. In this version, a business gets a call from someone claiming to be from the provincial hydro utility. The fraudster says the business has an unpaid bill and unless it pays up right away, power will be cut off.

Email extortion campaign: This involves businesses receiving emails from alleged hacking groups. The email will claim they’ve been hired to “ddos” the business website (i.e., perform a distributed denial of service attack on the site) and demand payment in the form of virtual currency for the business to avoid the attack. 


Complaints: 211*
Victims: 18
Amount lost: $12,759

In these types of scams, fraudsters call a business asking to confirm its address, telephone number and other details. The business then receives an invoice for a directory, publication or listing it never ordered or authorized. Often, the accounting department will make the payment, not realizing the company never made the order. The fraudster might record the initial conversation and use that against the company as verification of the purchase.

While these are some of the main scams currently targeting businesses, the landscape is in constant evolution, with new scams and variations appearing all the time. That’s all the more reason to be constantly watchful for signs of unusual activity of any kind. 

*Source for all figures: Canadian Anti-fraud Centre (2018)


CPA Canada has a number of resources that can help, including The big scammers can ruin your life and your business and How to protect your smart phone. You can also organize a fraud protection session in your community with a CPA Canada volunteer.