Monday, 17 December 2012

Tips for spotting online B2B scams for SMEs

Most SMEs know that there is plenty of valid business to be done online, from simple networking via social media through to developing your own point of sale interface. But we all know that there are plenty of rip-offs and scams out there as well, and while many of these are the same as/similar to B2C scams, there are some important differences. So how do you sort the wheat from the chaff?

I first got involved in the online marketing business in the late ‘90s. Since then the core of our business has been promoting products and services online across multiple languages. Approximately 90% of my customers I have never met (even when their office is only a couple of blocks from mine!); everything is done remotely. Over the years I have seen a plethora of online scams, and now tend to be pretty rigorous when checking our potential business partners.

So I would like to outline a few of the most common B2B scams I get in my inbox, and then how I audit potential new business partners, wherever they may be, at zero cost to me other than about 10 minutes online.

First, to the top 3 scams I see in my inbox.

1. The request for quote, because I don’t know how much to charge.
This is perhaps the most common scam. A newcomer in your industry gets the opportunity to quote on a contract. Being new, they have no idea how to price the service/product on this scale. So, they pose as a buyer and ask you to quote; no doubt you will also ask a bunch of highly relevant questions and end up supplying a whole raft of extra information such as terms and conditions, parameters for products/services sold etc. So you have just given them everything they need to know to get the contract, and they have basically scammed the knowledge you have spent years building.

2. The purchase and overpayment so please send me back the difference scam.
I order a product/service from you and pay upfront via a wire transfer. But I pay too much (by accident). So I ask you to send the goods/provide the service, and refund me the difference (typically via Western Union or an online payment processor). Note sometimes I will ask you to hold the funds as a credit and then send a second quick fire re-order, but repeat the overpayment on the second purchase and then ask for the refund (double or nothing, as they say). Unfortunately those funds were sent through a hijacked account. You send the goods/complete the service, pay the refund, and you are doubly out of pocket.

3. The absolute faker claiming to be who he/she is not.
It is incredibly easy to create an entire business identity online that does not exist in reality. Within 72 hours you can buy a domain name, have a whole other company’s website cloned and up and running, with a LinkedIn profile, a Facebook page, a phone number in the country of choice which redirects to anywhere etc. Basically you can position yourself as a very legitimate looking operator and away you go.

OK, onto the scam busting.

Being an SME, we generally don’t have the time, scale or the cold hard cash to deal with international credit checks, letters of credit, checking business references/referees (and those are easily faked anyway) etc. etc. Most contact comes via email, so I will start with this and then move on to other things to look out for.

The things I check typically take me about 10 minutes maximum, and have kept me and my business out of harm's way for 10 years now.

1. Free email addresses.
The use of hotmail, gmail addresses etc. generally raises a red flag. If someone contacts me B2B from I tend to err on the side of caution immediately. However, in some areas (China and SE Asia especially) “freemail” is used quite commonly in business, so it isn’t an automatic disqualification.

2. The “from” address and the “reply to” address are different.
What a lot of people don’t know is that it is actually very easy to spoof a sending email address. With a compliant SMTP server I can send an email purporting to be from your email address, and you would have no idea I had done it. But of course there is no point if the reply to said email then goes to you! So I will set up my email sending preferences to send from XYZ@yourdomainname but the “reply to” email address will be my own email account. This is one of the biggest red flags. How to spot it? I could tell you to expand the headers and look at the source code of the email blah blah blah, but all you need to do is click “reply” (don’t send!) and compare the email address you received the original email from with the email address the reply is going to. If they are different, beware!
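The reply-to comparison above, together with the freemail check from tip 1, automated over a raw message. This is an added example, not from the original post; the sample messages are constructed, and the freemail entries other than hotmail and gmail are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# hotmail and gmail are named in the article; the other entries are assumptions.
FREEMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}

# Constructed sample messages (all names and domains are made up).
SPOOFED = """\
From: "Accounts" <xyz@supplier.example>
Reply-To: xyz.supplier@gmail.com
Subject: Request for quote

Please quote for 500 units.
"""
LEGIT = """\
From: Jane Doe <jane@supplier.example>
Subject: Request for quote

Please quote for 500 units.
"""

def addresses(msg, header):
    """Lower-cased addresses from every occurrence of a header."""
    found = getaddresses(msg.get_all(header, []))
    return [addr.lower() for _, addr in found if "@" in addr]

def domain(addr):
    return addr.rsplit("@", 1)[1]

def check_sender(raw_message):
    """Return the red flags for one raw message as a list of strings."""
    msg = message_from_string(raw_message)
    senders = addresses(msg, "From")
    if not senders:
        return ["no usable From address"]
    from_domains = {domain(a) for a in senders}
    flags = ["freemail sender"] if from_domains & FREEMAIL else []
    # With no Reply-To header a reply goes to From, so the loop adds nothing.
    for addr in addresses(msg, "Reply-To"):
        if addr in senders:
            continue
        where = "same domain" if domain(addr) in from_domains else "another domain"
        flags.append(f"reply goes to {addr} ({where})")
    return flags

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_sender(raw))
```

A Reply-To on the same domain as the sender (a shared sales mailbox, say) is reported separately from one that leaves the domain, since only the second matches the pattern described above.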

3. Their name
Anyone that does not provide their full name, position and full company contact details in their email footer gets a big fat question mark. Had one today, which was just signed off as “Nick” on a potential contract worth quite a lot of money. We will wait and see how legit it is.

4. Check the website
Probably your greatest tool in verifying an identity is checking details on their website. Here are some of the basics I use when approached by a potential customer.
a. Check that the website holds full contact details and real people’s names. The website should have the company physical address, phone number, as well as at least an introduction to some of the actual people behind the business. If it doesn’t I proceed with caution.
b. Read the website. Look for examples of bad grammar, spelling mistakes, incomplete sections.
c. Whois. All domain registrars provide a whois tool (or just go to Enter the prospective client’s website address. Key information to look for:
i. Creation date: this tells you the date the domain name was first registered. So if Bob from claims to have been in business for 12 years, but the domain was registered just last month, you have to ask why?
ii. Date billed/date registered to: many scammers register their domain name for the minimum time possible, because they know the domain name has a limited use by date (i.e. until they get busted and move onto the next one). While I personally do tend to wait until the reminder notice comes to renew my domains, keep an eye on this.
iii. Registrant contact name: Make sure this is filled out completely, and usually the registrant name will be one of the owners of the company. Check website, companies office details etc. and compare. If you are worried because of scam 3 above, drop the registrant an email to verify.
iv. Registrant phone number: That phone number will have a country code. So again, if Bob claims is a UK company, but the phone number points to Poland, questions should be asked.
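The four whois checks above applied to a saved whois record. This is an added example, not from the original post; it assumes the record uses "Key: value" lines with the field names shown and a phone number in "+CC.number" form, and both sample records are constructed.

```python
from datetime import datetime, timezone

# Calling codes for the two countries the article mentions.
CALLING_CODES = {"GB": "44", "PL": "48"}
TODAY = datetime(2012, 12, 17, tzinfo=timezone.utc)  # date of the post

# Constructed records: a month-old domain and a long-established one.
SAMPLE = """\
Domain Name: bobs-widgets.example
Creation Date: 2012-11-20T09:14:00Z
Registry Expiry Date: 2013-11-20T09:14:00Z
Registrant Name:
Registrant Phone: +48.221234567
"""
CLEAN = """\
Creation Date: 2000-03-01T10:00:00Z
Registry Expiry Date: 2015-03-01T10:00:00Z
Registrant Name: Robert Smith
Registrant Phone: +44.2071234567
"""

def parse_whois(text):
    """Parse 'Key: value' lines into a dict with lower-cased keys."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip().lower(), value.strip())
    return record

def day(value):
    return datetime.strptime(value[:10], "%Y-%m-%d").replace(tzinfo=timezone.utc)

def audit(text, claimed_years, claimed_country, today):
    """Compare a whois record with what the prospect claims; return red flags."""
    rec = parse_whois(text)
    created, expires = day(rec["creation date"]), day(rec["registry expiry date"])
    flags = []
    if (today - created).days / 365.25 < claimed_years:
        flags.append("domain younger than claimed years in business")
    if (expires - created).days <= 366:
        flags.append("registered for one year or less")
    if not rec.get("registrant name"):
        flags.append("registrant name not filled out")
    if not rec.get("registrant phone", "").startswith(f"+{CALLING_CODES[claimed_country]}."):
        flags.append("registrant phone outside claimed country")
    return flags

if __name__ == "__main__":
    print(audit(SAMPLE, claimed_years=12, claimed_country="GB", today=TODAY))
```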

5. If you are worried about scam 3 above, copy a complete sentence from somewhere inside their website (don’t use the homepage as this is the one scammers typically customise for their needs). Try to copy a sentence from the first paragraph of a page, as the further down a page of text you go, the less complete search engine indexing is. Paste into your search engine of choice and search. See what websites pop up with the exact same text. Recently there was a discussion on LinkedIn about a company that claimed to be a legal firm in Australia; turns out the scammers had bought a domain name and cloned an entire website from a US firm and were sending out those wonderful “You have just received an inheritance from long lost Aunt Bethel” emails. Note this should be something you do fairly regularly for your OWN website as well, to make sure your website isn't being scammed.

6. The Companies Office.
Many jurisdictions provide online access to a register of companies. Search. Compare names/addresses between company register and whois results.

7. Western Union.
Any business offering to pay, or wanting to be paid by Western Union, should be seriously questioned. Western Union is untraceable. Once the money is sent, there is no way of tracking where it actually ends up.

8. Social media checking.
Here, much like on the website, you are again looking at age of profile (not number of connections, as these days you can pretty much buy as many connections/likes as you want). But look back over posting history to see how much and how frequently the user posts. Scammers are as lazy as the rest of us; they will generally do the absolute minimum to get away with it.

9. Social media joining.
For many industries there are groups within social media (e.g. LinkedIn). Within those groups there are often scam alert pages. Join up and share. Perhaps the best way to nip some of these scams in the bud.

10. Language
For many non-native English speakers, it is a bit of a struggle to communicate well in the international business language, English. So we should all give benefit of the doubt. But a bit of knowledge about the potential business partner’s first language can go a long way. For example, I had contact in English recently from a potential business partner who claimed to be Japanese. Looked fairly legit, until he started referring to himself as Matsuyama kun and Matsuyama san. Anyone who knows Japanese knows you would never append “kun” or “san” to your own name; they are “honorifics” for use with other people's names, never your own. So if you receive enquiries in English from, e.g., a French person, show them to a French speaker to see if they look like they were written by a native French speaker.

Finally, if I have been through all this, and although the prospect seems legit, I still have a bad vibe, I set up a video Skype to discuss the details, with the proviso I would like to record the video (I use an add-on app called Call Recorder from ECamm Network). Even though the chances of me (or law enforcement) identifying someone halfway around the world from a grainy video recording are almost zero, scammers are terribly reticent to show their faces. On the other hand, most legitimate business people welcome it.

Thanks for reading, and hope it has been of use. If you have any tips on how you flush out the fakes, please email me or post a comment and I will update this page for future readers.