
Common email scams targeting businesses

The most common email scams used against small businesses, explained in plain English so you and your team can recognize and avoid them.

Tags: security, phishing, email, beginner

Small businesses receive a disproportionate number of targeted email scams. Attackers know that small teams often don't have a dedicated IT person reviewing unusual messages, and that decisions — especially financial ones — often come down to one or two people.

Knowing what these scams look like is your best protection.

Quick summary

The most common scams targeting small businesses involve fake invoices, impersonation of your boss or suppliers, fake account security alerts, and fraudulent payment requests. The common thread: they create urgency and ask you to act without verifying. Always verify unusual financial requests through a separate channel (call the person directly) before taking action.

The most common scams

1. Fake invoice scam

You receive an invoice that looks professional — often from a real company name, or a company similar to one you use. The invoice asks you to pay for something plausible (software, advertising, a supply order).

Red flags:

  • You don't recognize the vendor
  • The invoice number or amount looks slightly off
  • The payment details (bank account, address) are different from what you have on file

What to do: Never pay an invoice that arrives unexpectedly. Call the vendor using a number you already have — not one listed on the suspicious invoice.

2. CEO fraud / boss impersonation

An email appears to be from your CEO, manager, or business owner asking for something urgent — usually a wire transfer, gift cards, or login credentials.

"Hi, I'm in a meeting. Can you quickly buy $500 in Google Play gift cards and send me the codes? I'll explain later — very urgent."

Red flags:

  • The request is urgent and asks you to keep it quiet
  • It asks for gift cards, wire transfers, or credentials
  • The sender's actual email address (not just the display name, which anyone can set) is slightly different from your boss's real one

What to do: Call the person directly using their known phone number. Do not reply to the email or use contact details from the suspicious message.

3. Supplier payment redirect

Your supplier (someone you actually do business with) appears to send an email saying their bank details have changed. Could you update your records and send the next payment to the new account?

This scam often follows a real supplier email breach — the attacker has read genuine email threads and knows exactly what to say.

Red flags:

  • A change in payment details, even from a known contact
  • The email comes right before a large payment is due

What to do: Always verify payment detail changes with a phone call to a number you already have on file. Never use contact details from the email requesting the change.

4. Fake account security alert

An email claims that your account (Google, Microsoft, WordPress, hosting, etc.) has been accessed from an unusual location, and you need to verify your identity immediately by clicking a link.

Red flags:

  • The link's real destination (hover over it on a computer, or long-press it on a phone; the visible text can say anything) doesn't match the real service's domain
  • The email creates extreme urgency
  • The sender's email address is slightly off

What to do: Don't click the link. Open your browser and go directly to the service's website by typing the URL yourself. Check your security activity from there.

5. Package delivery scam

An email or text claims a package could not be delivered and asks you to click a link to reschedule. This is especially effective because many businesses receive deliveries regularly.

Red flags:

  • You weren't expecting a delivery
  • The link URL doesn't match the real carrier's website
  • The tracking number is vague or non-specific

What to do: If you are expecting a delivery, go directly to the carrier's website (UPS, FedEx, USPS, DHL) and enter the tracking number there. Don't click the link.

6. Fake domain or hosting renewal notice

You receive an official-looking email saying your domain or hosting is expiring. It asks you to pay to renew — but the payment goes to the scammer, not your real provider.

Red flags:

  • The renewing company is not your actual registrar or host
  • The price is unusual
  • The link goes to an unfamiliar URL

What to do: Log into your real registrar or hosting account directly to check renewal status. See Securing your domain name.
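Several of the red flags above (the boss-impersonation sender address in scam 2, and the "slightly off" sender or link domain in scams 4, 5 and 6) come down to the same check: does the real domain behind the address or link belong to a company you actually deal with, or does it only look like it? The script below is an added example, not part of this page or of Chykalophia's tooling. It assumes a small, constructed allowlist of trusted domains and two constructed sample emails; it flags sender addresses and links whose domain is a typo or character-swap lookalike, or that tuck a trusted brand name inside an unrelated domain (the `accounts.google.com.something.net` trick). The trusted-domain handling is deliberately naive (last two labels only, no public suffix list), which is called out in a comment.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: your own domain plus services and carriers you actually use.
TRUSTED_DOMAINS = {"example.com", "google.com", "microsoft.com", "ups.com", "usps.com"}

# Character swaps attackers use to build lookalike names (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def normalize(label: str) -> str:
    """Collapse common lookalike substitutions so 'micros0ft' compares equal to 'microsoft'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typo squats such as 'gogle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix handling, so
    'co.uk'-style domains need a real public suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """'trusted', 'lookalike of <domain>' or 'unknown' for one host name."""
    host = host.lower().strip(".")
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"  # the real domain, or a real subdomain of it
    base = reg.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Typo squats and character swaps: gogle.com, micros0ft.com, examp1e.com
        if normalize(base) == brand or edit_distance(base, brand) <= 1:
            return f"lookalike of {trusted}"
        # Brand used as a label inside an untrusted domain: accounts.google.com.evil.net
        if re.search(rf"(^|[.-]){re.escape(brand)}([.-]|$)", host):
            return f"lookalike of {trusted}"
    return "unknown"


def check_email(from_header: str, body: str) -> list:
    """Return (kind, value, verdict) for the sender address and every link in the body."""
    findings = []
    display_name, address = parseaddr(from_header)
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    verdict = classify_host(sender_host) if sender_host else "no address"
    # A display name that drops a trusted brand while the real address is not that brand's domain.
    if verdict != "trusted":
        claimed = sorted(t.split(".")[0] for t in TRUSTED_DOMAINS
                         if re.search(rf"\b{t.split('.')[0]}\b", display_name.lower()))
        if claimed:
            verdict += "; display name claims " + ", ".join(claimed)
    findings.append(("sender", address, verdict))
    for url in URL_RE.findall(body):
        findings.append(("link", url, classify_host(urlparse(url).hostname or "")))
    return findings


# Constructed samples modelled on scams 2 and 4 above.
SAMPLE_ALERT_FROM = '"Google Security" <alert@accounts-google-verify.com>'
SAMPLE_ALERT_BODY = (
    "We noticed an unusual sign-in from a new location. Verify your identity now: "
    "https://accounts.google.com.login-check.net/verify?id=12345 "
    "If you did not do this, review activity at https://myaccount.google.com/security"
)
SAMPLE_CEO_FROM = '"Jane Doe" <jane.doe@examp1e.com>'
SAMPLE_CEO_BODY = "Hi, I'm in a meeting. Can you quickly buy $500 in gift cards? Very urgent."

if __name__ == "__main__":
    for sample in ((SAMPLE_ALERT_FROM, SAMPLE_ALERT_BODY), (SAMPLE_CEO_FROM, SAMPLE_CEO_BODY)):
        for kind, value, verdict in check_email(*sample):
            print(f"{kind:6} {verdict:45} {value}")
```

Read the verdicts the same way the red flags above tell you to: "lookalike" means the address or link was built to resemble a company you trust, and "unknown" means you have no relationship with that domain at all. Neither result replaces the phone call; a "trusted" sender can still be a compromised real mailbox, which is exactly the case in scam 3.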

The golden rule for financial requests

Any request that involves money, payment details, or credentials should be verified through a completely separate channel — not by replying to the email.

Call the person. Use a phone number you already have. Don't use the number in the email.

This single habit stops the majority of financial email fraud.


Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
