Scam Prevention for SMEs

  • 1 April 2023
  • By OCBC Business Banking
  • 10 mins read

When scams become recurring headlines, businesses cannot ignore the risks and write them off as a cost of doing business.

According to the Royal Malaysia Police (PDRM), a total of 71,833 scams were reported from 2020 to May 2022, amounting to more than RM5.2bil lost. One reason for this rise is that criminals are now exploiting the phenomenon of increased online transactions triggered by the Covid-19 pandemic.

While scams affect businesses of all sizes, SMEs are especially vulnerable as they often lack the tools or resources to deal with scams. Small business owners also tend to focus on generating revenue and other competing priorities to keep the business running, inadvertently neglecting fraud prevention and security.

Even when scammers are caught, recovering the stolen money is never guaranteed, which is why the most cost-effective way to deal with fraud is prevention.

Common types of business scams to watch for

1. Impersonation Scams

The most common scam is phishing, in which scammers impersonate a trusted entity through e-mail or text messages.

One form of phishing is Business E-mail Compromise (BEC), which happens when scammers impersonate a business stakeholder in an e-mail that directs the business to send money to a “new” account. Phishing scams are also carried out through fake orders and invoices.

Apart from stealing money, scammers might impersonate higher-ranked employees to steal passwords, account numbers, or other sensitive business information. Other common impersonations include suppliers, business partners, banks, credit card companies, utility companies, Inland Revenue Board of Malaysia and service providers.

2. Malware

Another common scam is malicious software (malware), designed to compromise digital devices or networks.

Devices are usually infected through downloads, e-mail attachments and links. Apart from stealing sensitive information, some hackers may block access to the business device or information and demand a ransom to unlock it.

3. Payroll Fraud

This fraud involves stealing money from the business using its payroll system. In most cases, the culprits work in human resources (HR), payroll, finance or taxation, or are third parties impersonating staff from these departments.

When payroll fraud is done by top management, it usually involves illegal classification to avoid tax and insurance costs, which can result in legal penalties for the business. On the other hand, the common cases of employee payroll fraud are ghost employees created by HR staff to withdraw funds, minor alterations to increase one’s hourly pay rate, and changes to the time recorded on timesheets.

4. Tampered Point-of-Sale (POS) systems

Digital POS systems can be targeted by hackers to access customer data and payment information. Warning signs may show up as failed login attempts or slow service. Physical POS equipment is also susceptible to tampering, as criminals might steal credit card numbers by using a hidden recording device or card skimmer.

5. Employment Scams

These are false job listings posted with the intention to steal personal information or money from job applicants. In most cases, employment scams happen online on fake websites and social media platforms like LinkedIn and Facebook.

Warning signs include: interviews that are not done in-person or through secure video calls, payment requirements for screenings, credit card information requests by employers, and communications through non-company e-mail domains. Employment scams do not just affect applicants, but also negatively impact the business’s reputation and its hiring efforts.

Tips to protect your business from scams

1. Learn to identify scammers

SMEs must first familiarise themselves with the common tactics employed by scammers.

Scammers tend to pretend to be a trusted party, create a sense of urgency, use intimidation and fear, and use untraceable payment methods. Recognising and resisting these tactics is the responsibility of business owners, so they are encouraged to practise professional scepticism.

The application of professional scepticism means that SMEs should continuously question what they are presented with and assess all documents and statements critically. Entities looking to deal with the business should be vetted by running background checks, requesting important information, asking for authenticity certifications, and checking the database of Securities Commission Malaysia. SMEs should also be wary of scammers’ preferred payment methods, such as wire transfers, prepaid debit cards, gift cards, and cryptocurrency.

2. Nurturing an informed workforce

SMEs should incorporate a fraud policy into their handbook to foster the right attitude towards scams and fraud among employees. Employees should be trained to be vigilant and to follow best practices to catch inconsistencies and prevent scams.

Examples of practices are communication with co-workers, not sharing sensitive information by e-mail, routine password changes, and others. Experts can also be brought in to conduct scam awareness training.

In the long run, SMEs should build a culture of honesty within their organisation, which would prevent internal fraud and also strengthen internal controls against scams. Business owners must lead by example to promote honesty and integrity, consequently cultivating positive attitudes and behaviours within the organisation.

3. Strengthening internal controls

Internal controls should be monitored and reviewed regularly to ensure their effectiveness.

Good financial bookkeeping is essential as documentation is an internal control to detect scams and theft. Hiring a professional accountant ensures good records, and they can also help to review and devise internal policies. SMEs can also hire external consultants to conduct surprise audits, which include reviewing documents and conducting data analysis to catch inconsistencies. Other internal controls include implementing clear procedures on approving expenditures, and limiting people who are authorised to place orders and pay invoices. SMEs should also shred documents containing sensitive information that are no longer needed.

In the case of payroll fraud, SMEs can lower the risks by employing a diverse team, implementing HR software or outsourcing the function to an external HR company.

4. Enforcing equipment security

SMEs should strive to be more tech-savvy and learn to secure their files and devices. Protection measures include backing up files, using strong passwords, using two-factor authentication, keeping software up-to-date, connecting to secure networks only, and refraining from downloading or opening attachments and links from unsolicited sources.

Security is not always convenient, but a little inconvenience can be the difference between long-term security and a painful payout.

OCBC helps to mitigate some of the risks for business banking (and also individual) customers by making sure transactions you make through our platforms are as secure as possible. Not only that, we make business banking convenient for you and your customers by providing several payment options – all online! Together, we can work to nurture a good prevention mindset to counter scams and protect ourselves, and to grow your business in a healthy financial environment.

The difficulty of combating scams is not restricted to SMEs, as some established businesses face the same issues due to the complexity of new scam patterns that emerged post-Covid. Stay vigilant.
