Business Scams

There has been a significant rise in the number of cyber attacks targeting businesses and people working from home during the Covid-19 pandemic.

Employees working from home are particularly vulnerable to email fraud and should remain wary of unexpected emails which request private business information or payments, even if they appear to come from someone within the company. A study by IBM in June showed that almost half of those working from home during the Covid-19 pandemic are concerned about cybersecurity risks.

Some of the most frequently reported business scams are:

  • Scam emails offering grants or requesting information and financial details linked to grants. The emails often claim to be from clients or employees of the business and may ask for account or business rate reference numbers for retail outlets;
  • Legitimate-looking emails using UK Government branding which say that the recipient has been awarded a business grant and asking them to click on a link to access the payment;
  • Fake invitations to conference calls on Zoom. The scam emails ask the recipient to click a link to ‘review the invitation’. The link leads to a fake login page which asks for usernames and passwords. If you are invited to join a genuine Zoom call, you should NOT need to enter your password.
  • ‘Spoofing’ attacks where emails appear to come from trusted colleagues or IT departments. Our own colleagues have received emails supposedly from a former employee, asking them to provide their phone number so that they can be updated on a pending task. The emails were sent from a suspicious-looking Gmail account which did not match the name of the supposed sender.
  • Fake Office 365 emails which appear to be from your organisation’s IT department. You are asked to click on a link to update your connection to the company network. When you click on the link, you are directed to a fake Office 365 login page where you are asked to enter your details. This allows the scammers to access your Office 365 account.
  • Scam emails which appear to offer training materials to staff returning to offices after lockdown. Some of these emails ask recipients to click on a link to register for a training session – they are taken to a fake website which asks them to enter their Microsoft login details.

Case Studies

A dental practice in Aberdeen was targeted by scammers who called and claimed to be from the NHS. The caller said that their list of dental practices needed to be updated urgently and that they would email a contract to update.
When the email arrived, employees noticed that it was in fact a two-year contract for entry in a directory, which would have cost the practice £35 a month. If staff had completed the contract, they would have received monthly invoices with the practice stamp on them.

A large hospitality chain received an email which used the official company branding and read: “As you will be aware all of our pubs and hotels are presently closed, along with the head office. We are unable to obtain certain information from our Head Office. Please could you provide our NNDR reference numbers for the following locations…[list of properties].”

Similar emails have been sent to large retailers, restaurant and cafe chains, all stating that their Head Office is closed or that they have staff shortages and asking for information about business accounts for various sites.

Useful Guidance for Businesses

Find Business Support
Latest advice for businesses in Scotland from the Scottish Government

Business Gateway
A regularly updated variety of resources, webinars and online tutorials and links to virtual support for businesses

Business Companion
Business guidance from the CTSI, including guidance for travel and tour operators, food businesses and the housing and home improvement sector during the Covid-19 pandemic

Scottish Business Resilience Centre
A variety of resources to support and protect Scottish businesses, including guidance on using Zoom for business, video conferencing basics and recordings of webinars on subjects such as counterfeit goods and cyber scams

National Cyber Security Centre
A variety of resources including security guidance to help organisations choose, configure and safely use video conferencing services, guidance for businesses who have had to move from physical premises to online working and guidance on preparing your business and staff for home working

The Law Society of Scotland
Links to business support available to members, including a guide to using electronic signatures, using technology to work remotely and cyber security

What to Do
  • Question unexpected emails which request private business information or payments, even if they appear to come from someone within your company
  • Think about what you are being asked to do – if in doubt about financial transactions or changes to Direct Debits get a second opinion from a colleague or manager
  • Be cautious when working from home if you receive cold calls offering tech support for your IT system. Only deal with your official IT support desk, if you have one
  • Confirm requests for payment or sensitive information with the person or company who has supposedly sent them, using contact information that you know to be correct
  • Remember that scam emails and texts can look genuine and can appear to come from Government agencies, people within your organisation and trusted companies
  • Check the domain name on any website before entering personal details. For example, the real Zoom domain name is “zoom.us” and it will have a valid security certificate when you click on the padlock to the left of the address bar.
  • Do not click links in pop-up adverts on your computer and never allow an unsolicited caller to access your computer remotely
  • Report business scams to Advice Direct Scotland
  • You can also report scam business emails to the National Cyber Security Centre
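
For IT staff who want to automate the domain check described above, the following is an added example and not part of the original guidance. It tests whether a link really points at a trusted domain such as “zoom.us” or only contains that name somewhere in the address. It checks the name only, not the certificate; the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# "zoom.us" is the domain named in the guidance; add your own sign-in domains.
TRUSTED_DOMAINS = {"zoom.us"}


def split_link(url):
    """Return (netloc, hostname) for an https link, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None
    return parts.netloc.lower(), host.rstrip(".").lower()


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a link as 'trusted', 'lookalike' or 'untrusted'."""
    link = split_link(url)
    if link is None:
        return "untrusted"  # not https, or no hostname at all
    netloc, host = link
    for domain in trusted:
        # Exact match, or a real subdomain split on a label boundary.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    for domain in trusted:
        brand = domain.split(".")[0]
        # The trusted name shows up, but not as the site actually contacted.
        if brand in netloc:
            return "lookalike"
    return "untrusted"


# Constructed sample links; the non-Zoom hosts use reserved example names.
SAMPLES = [
    "https://us02web.zoom.us/j/123",
    "https://zoom.us.review-invite.example/login",
    "https://zoom.us@login.example/",
    "https://notzoom.us/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_link(sample), sample)
```
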