How to avoid small business payment scams

May 9, 2018
5 minutes read

There’s an elephant in the room. Small businesses all over the world are getting scammed. It’s a Catch 22: people are too embarrassed that they got taken in by a scam to tell their stories; yet, the only way to spare others from becoming victims is to build awareness.

But here’s the thing: scams targeting small business owners are really common. The Association of Certified Fraud Examiners (ACFE), reported in 2014 that the typical organization loses 5% of revenues each year to fraud. Scams are happening on a wide scale, and they’re becoming more and more sophisticated.

The good news? We can stop being embarrassed about scams and start talking about them. I’m going to share two of the biggest scams we see in the risk department at Wave, and tips on how to prevent them.

Scam #1: The third party scam

One of the most common scams we see is what’s known as the “third party scam.” This is where the fraudster contacts a business owner who’s offering a service—like an event planner or photographer—asking to add an additional cost onto the fee for the services and charge it to their credit card.

Here’s an example. Joe, a photographer, gets an email through his website from a prospective client:

Hi Joe,

I found your website for wedding photography. I’m looking for someone for my wedding in two weeks. It’s very last minute—our friend was supposed to do it, but now she can’t. I’d like to know if you’re available to work on August 15th, and if you take credit cards? Also what do you charge for a wedding package?


Joe answers the email with a quote for a wedding package and an agreement. Freddie writes back:

Hi Joe,

That’s amazing—this works out great. There’s only one thing that I need to ask. We just got a last minute agreement this morning from the DJ that my fiance really wanted, but he can’t take credit cards. Is there anyway you could help me out by charging an extra $2,000 to my card in addition to the fee for photography, and then transfer it over to the DJ for me? He said he’s fine with that, I just need to confirm right away or we’ll lose him. And I’ll give you an extra $200 and pay for your services in advance if you can make it work today.


Joe feels bad for the guy—he probably doesn’t want his fiance to know he’s low on cash, especially if the DJ only accepts checks or cash. Joe's an empathetic guy, so he agrees to transfer the money, but when he gets the credit card info he notices it’s not Freddie’s name on the card. Freddie explains that his brother-in-law offered to pay for the photographer as a wedding gift, so Joe goes ahead and processes the payment, transferring the $2,000 to the DJ.

A few days later, Joe follows up with Freddie to see if they can set up a date to talk through the different shots they want at the wedding, and other logistics. No response. He picks up the phone and tries calling—it’s out of service. It slowly dawns on Joe that he’s just been the victim of a scam.

Sure enough, Joe gets a chargeback notification from the payment processor saying the cardholder claims the transaction wasn’t authorized. He calls the provider, and the representative he talks to tells him the credit card was stolen and used by a scammer. Remember, when a credit card is approved, it just means it’s active and funds are available. If the real cardholder didn’t authorize the transactions, they’ll issue a chargeback and you’ll be financially liable to return those funds.

In Joe’s case, he had to return the funds that he transferred to the fake DJ—in addition to the money he received for his photography services—back to the real cardholder. He didn’t get the job, and now he is out thousands of dollars.

Preventing the third party scam

A lot of businesses fall for the third party scam. It’s easy to see how it’s possible from Joe’s story. He’s a good person who sees the best in other people. He wants the job, and he also wants to help Freddie out on his big day. Freddie plays on Joe’s emotions, getting Joe to agree to something he wouldn’t normally do—and it could happen to any of us.

That being said, there are some red flags you can look for to protect you.

Pay attention to the email address

Look at the email address and ask yourself if it looks legit. Does the name match the customer or cardholder’s name? Does it look automatically generated?

There are sites that generate fake emails people can use temporarily, and these often include random letters or numbers. Another example would be if you saw an email like The “2018” makes it seem like a newly created email, yet it has the gmx domain which is foreign.

Look deeper into the content of the email

Another thing to pay attention to is how the message is written. Does the font look strange? Does it sound unprofessional or poorly written? If there’s something fishy about the way the email comes across, try copying and pasting it into Google to see if it brings up search results for a common scam. Often scammers will re-use emails over and over, so you might find someone has already encountered the scam.

Question the urgency of the transaction

Is the customer communicating a sense of urgency? Are they in a rush, trying to get you to process the payment fast? In Joe’s case, Freddie seemed to be panicking because his photographer fell through, and his DJ confirmed last minute and needed the money now. Compare this to your typical wedding, where services are booked far in advance. Also, Freddie didn’t ask for any details about Joe’s experience or to see his portfolio. Most people would ask these types of questions of the person providing a key service on their big day.

While these things alone don’t necessarily mean fraud (some people do plan things last minute and not everyone has great grammar), the final red flag here was Freddie asking Joe to transfer money to a third party.

Scam #2: The USB scam

There’s also a new “USB scam”, which we’re seeing a lot lately targeting small marketing companies that offer custom branded printing.

Here’s how it happens. Martha gets a request online from a customer, Jessica, who wants 2,000 USB keys branded with their company logo as part of a swag bag for attendees at an upcoming corporate event. It’s a normal request, the type of order that Martha gets all the time.

The email looks legit with a company domain (, and when Martha calls the phone number she’s able to reach her customer. The order comes with image samples showing what Jessica wants the product to look like—it’s very professional. Jessica even signed contracts for the sale and sent photo ID to confirm her identity. Everything appears to be in order.

Martha finalizes the order and confirms everything with Jessica. She processes the payment and ships the product out. And then it all goes wrong—Martha gets a chargeback notification from the credit card provider.

Preventing the USB scam

This one is tough, because there weren’t any obvious red flags for Martha. She did so many things right—having a contract, requiring ID, and checking the email and phone number for her customer. How could she know that this was a scam?

Guess what? There were red flags here that Martha missed—and now you won’t repeat her mistake.

Question the simplicity of the order

The first red flag was that Jessica was a first-time customer, apparently from a corporation, looking to make a large order from Martha’s company. Yet, she didn’t ask the normal questions that other customers usually ask Martha. For example, she didn’t ask to see a catalogue of different options, with customization options and prices. She simply told Martha what she wanted and trusted that Martha’s company would produce a quality result.

Identify the location

Secondly, Jessica’s business is located in a different city far away from where Martha’s company is located. That’s suspicious, because services like Martha’s are available in any city. Why would a company not take the opportunity to save on the shipping costs by ordering the products in their own city? Because Jessica’s company is fake, and it would be easier for Martha to realize her company was fake if Jessica used an address in Martha’s city.

Take note of the branding

Another red flag to look for is if the company is ordering a large number of items without including their logo on the items. Or, if they’re asking for just a colour, or really simple, basic branding, like a single letter. Most companies have a unique logo, and the whole point of ordering branded items in bulk to give away is to showcase that logo. If they’re going logo-less, or with something really simple, they might be intending to resell or use the items for something other than what they’re saying. The transaction has a high risk of being processed on a stolen credit card.

Five things you need to know to prevent scams

  1. A successful transaction isn’t the end of the story: I think the biggest thing to understand is that just because a payment goes through doesn’t mean you haven’t been scammed. When a credit card is active and has available funds, the transaction will go through. Getting paid quickly by a potential client is a great feeling. But that doesn’t automatically mean the payment is legit. You need to prevent the scam from happening before you process the payment, transfer any funds or ship any product.
  2. You need to weigh the financial risk: To prevent being the victim of fraud, you have to think longer term than making this sale right now. You are liable for any fraud chargeback up to 120 days after the date of the payment. Even though it’s tempting to accept that large sale, are you going to be able to recover the funds if it turns out to be a scam down the road?
  3. Think about your customer’s behavior logically: When you get a request from a new customer, put yourself in their shoes. If you were the customer buying products or services like yours, is this how you would behave? Are there questions you would ask? Checks and balances you’d follow? Assess whether this customer is behaving like you—and similar customers you’ve had—would behave?
  4. Always listen to your gut: We have an uncanny ability to ignore our instincts when a large sum of money is at stake. But if you feel your spidey sense tingling, pay attention. If the customer really wants to buy your service, they’ll provide you with the information you need to validate their story. If you’re unsure or have suspicions, you can always reach out to your payments processor and consult the risk experts.
  5. Report the scam and warn others: If you do become the victim of a scam, remember the statistic I shared at the start of this blog post. There’s no reason to be embarrassed, and speaking out could help someone else in a similar position. If you suspect fraud, report it and tell your story to others in your network, through your blog, or on social media (just make sure not to publish any private details online, or you might open yourself to more scams!).

By Edmund Lavado

The information and tips shared on this blog are meant to be used as learning and personal development tools as you launch, run and grow your business. While a good place to start, these articles should not take the place of personalized advice from professionals. As our lawyers would say: “All content on Wave’s blog is intended for informational purposes only. It should not be considered legal or financial advice.” Additionally, Wave is the legal copyright holder of all materials on the blog, and others cannot re-use or publish it without our written consent.

Create your truly free Wave account today.

Let's do this