As small businesses (SMBs) heighten their awareness of fraud and cybercrime, fraudsters add to their own lists of tactics to steal money. Recent years have shed light on Business Email Compromise (BEC), ransomware and phishing (just to name a few), with cybercriminals taking advantage of vulnerabilities in the B2B payments process to score.
Rising awareness means growing investments in cybersecurity tools. Sometimes, though, the most effective tactic to steal funds from a small business is one that doesn't use sophisticated technology, but plays on human emotions.
Such is the case in utility scams, a growing threat to small businesses, according to Terry Roberds, director of corporate security for Missouri-based power company Ameren. The company is currently positioning itself as an unlikely fighter on the front lines against SMB fraud.
How The Scam Works
In an interview with PYMNTS, Roberds explained that fraudsters are calling up business owners, pretending to be from the utility company, demanding payment and threatening to cut off a business's power. There are a few elements to this fraud, he noted, that make it so compelling. One is the fact that these calls often come ahead of a major rush for a small business.
"You get a phone call on a Friday afternoon at 2:00 from someone claiming to be from Ameren, telling you that — for whatever reason — your payment hasn't been received, and someone is going to come out within the next 30 to 40 minutes and disconnect your service," he said. "They're really counting on you to panic."
It's a type of social engineering that plays off human emotions to manipulate a person into doing something irrational. According to Roberds, this strategy works particularly well on small business owners who stand to lose significantly if their power is suddenly cut off ahead of a weekend evening rush. Once a fraudster has hooked a business owner, they reel in the money by directing that owner to a local CVS, Walmart, Walgreens — any store that sells loadable prepaid cards.
"They instruct you to buy a prepaid card, and once you do that, they want you to call them back and give [them] the PIN number off the card," Roberds said. "Once you do that, the money is gone, for the most part. That's the crux of how the scam works."
Prepaid Card Scams
Part of what makes this utility scam so effective is its simplicity, relying on human emotion, the telephone and loadable prepaid cards to steal businesses' money, rather than using sophisticated ransomware or hacking tactics.
Prepaid card scams are nothing new. Last year, ahead of the holiday shopping season, the Federal Trade Commission (FTC) issued a warning that scammers were targeting consumers by demanding payment via prepaid gift cards.
"We found that from January through September of this year, gift cards and reload cards (like MoneyPak) were reported as a payment method in 26 percent of the fraud reports in which people told us how they paid, up from just 7 percent in 2015 — a 270 percent increase," the FTC said in its notice last October. "Con artists favor these cards because they can get quick cash, the transaction is largely irreversible and they can remain anonymous."
Most commonly, the FTC said, victims reported an imposter scam, in which fraudsters act as government agencies or well-known businesses, or even family members, to entice a target to purchase a prepaid card and send the PIN.
Shifting the crosshairs from individual consumers to small businesses can mean larger payouts and a higher success rate, with SMBs standing to lose significantly if the power were to actually get cut. Roberds said this is a "nationwide scam," one that has been occurring for several years, though exact figures on instances and losses related to utility scams are scarce.
Roberds said there are a few red flags that should signal something isn't right, including the demand to purchase a prepaid card or a fraudster urging a small business owner to call back at a different number.
"Unfortunately, these folks are very good at what they do," he said, "and use social engineering to get information from people who unwittingly give it to them."
If a small business does fall victim, he continued, it becomes a matter for the police to handle, and, unfortunately, money is rarely recovered. While law enforcement, regulators and security industry players press to boost awareness of various frauds targeting small businesses, Roberds said there is also a place for non-security businesses, and indeed for the utility companies themselves, to combat this risk.
"In a sense, I think we can all certainly play a role in trying to keep information secure, and not unknowingly giving that out to people over the phone," he said. Awareness is key, he noted, to preventing losses in the first place. "Once you fall for this, once you send money, your money is gone."