Common Business Banking Scams: How They Work and How to Stop Them

The business banking scams hitting small businesses now — BEC, wire fraud, check washing, payroll diversion — with the verification step that stops each one.

Small businesses lose more money per fraud incident than consumers, and they have fewer ways to claw it back. The legal protections that apply to your personal checking account mostly do not apply to your business account. Small business fraud cases often move through the same support channels as other banking issues, which is why fast reporting and clear documentation matter as much as the financial provider you choose.

Small business owners should know how common banking scams appear in real work: a changed vendor invoice, a fake bank text, a washed check, or a payroll change request sent right before payday. This page covers each one, the single verification step that stops it, and what to do in the first 24 hours if you sent money to the wrong place.

Why are small businesses prime targets for banking scams?

Three things make small businesses easier marks than either consumers or large enterprises.

First, the controls are thinner. A 200-person company has an accounts payable team, a CFO, and approval thresholds. A four-person general contractor has the owner approving wires from their phone between job sites. There is no second set of eyes.

Second, public records make impersonation easier. Your LLC filing lists your registered agent and address. Your website lists your team, vendors, and sometimes your accountant. A scammer can build a convincing pretext in 20 minutes using only public sources.

Third, and this is the one most owners do not know: business deposit accounts do not get the same statutory fraud protections as personal accounts. Regulation E, the federal rule that caps your liability on unauthorized consumer electronic transfers at $50 if you report quickly, does not cover most business accounts. If a fraudulent ACH or wire leaves your business checking, recovery depends on your financial provider's discretion, your account agreement, and how fast you call.

Business accounts generally have weaker statutory fraud protections than consumer accounts, so prevention matters more.

How does Business Email Compromise work?

The mechanics of Business Email Compromise are simple: an attacker either compromises a vendor's email account or spoofs an address that looks close enough (think accounting@vendor-co.com instead of accounting@vendorco.com), then sends an invoice or payment update.

The signal that should stop you cold is a last-minute change to payment instructions. A vendor you have paid for two years suddenly emails new wire instructions because of a "bank change" or "audit." A contractor's final invoice arrives with a different routing number than the W-9 on file. A buyer at a known company asks you to wire the deposit to a new account "for tax reasons."

Business Email Compromise typically succeeds through a last-minute change to payment instructions from a trusted contact.

A real pattern playing out right now: a remodeler gets an email that looks like it's from their drywall supplier, attaching what looks like a normal invoice PDF. The only difference from last month's invoice is the routing number. The remodeler pays $14,000 by wire. The supplier calls a week later asking where the payment is.

The verification step is the same every time, and it works on every variation of this scam:

Call the vendor at a phone number you already had from a prior invoice, your contacts, or their website typed into a browser. Do not use the number in the email.

Calling a known vendor phone number, rather than the number in an email, helps prevent BEC attempts that rely on changed payment instructions.

No financial provider, including Novo (a fintech, not a bank), can fully prevent BEC. Wire-processing systems see a wire to a valid US account; they cannot read your contract with your supplier. The human verification step is the control that matters.
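The accounts-payable check described above, as an added example that is not Novo's code or any payment system's API: it compares an incoming invoice against the vendor record on file (the domain you have paid from, bank details from the W-9, the phone number from a prior invoice) and holds the payment whenever the article's rule applies, so the callback goes to the number you already had. The vendor record, invoices, dual-approval threshold and lookalike edit limit are all constructed assumptions.

```python
"""Hold-or-release check for an incoming vendor invoice (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str     # domain of the address that sent previously paid invoices
    routing_number: str   # from the W-9 / last paid invoice
    account_number: str
    phone_on_file: str    # from a prior invoice or the website, never from an email


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    routing_number: str
    account_number: str
    amount_usd: float


# Assumed policy values for this example, not Novo limits.
DUAL_APPROVAL_THRESHOLD_USD = 5_000.00
LOOKALIKE_MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot vendor-co.com posing as vendorco.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_invoice(inv: Invoice, rec: VendorRecord) -> list[str]:
    """Return the reasons to hold the payment; an empty list means release."""
    holds: list[str] = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    known_domain = rec.email_domain.lower()
    if sender_domain != known_domain:
        close = edit_distance(sender_domain, known_domain) <= LOOKALIKE_MAX_EDITS
        kind = "a lookalike of" if close else "unrelated to"
        holds.append(f"sender domain {sender_domain} is {kind} {known_domain}")
    if (inv.routing_number, inv.account_number) != (rec.routing_number, rec.account_number):
        # The BEC signal from the article: bank details changed since the last paid invoice.
        holds.append(f"payment instructions changed; confirm by calling {rec.phone_on_file}")
    if inv.amount_usd > DUAL_APPROVAL_THRESHOLD_USD:
        holds.append(f"amount {inv.amount_usd:,.2f} exceeds dual-approval threshold; second approver required")
    return holds


# Constructed sample data modelled on the drywall-supplier scenario (fictional numbers).
VENDOR_ON_FILE = VendorRecord("Drywall Supply Co", "vendorco.com", "123456780", "9876543210", "555-0100")
LAST_MONTHS_INVOICE = Invoice("Drywall Supply Co", "accounting@vendorco.com", "123456780", "9876543210", 1_400.00)
THIS_MONTHS_INVOICE = Invoice("Drywall Supply Co", "accounting@vendor-co.com", "123456781", "9876543210", 14_000.00)

if __name__ == "__main__":
    for inv in (LAST_MONTHS_INVOICE, THIS_MONTHS_INVOICE):
        holds = review_invoice(inv, VENDOR_ON_FILE)
        print(inv.sender_email, "->", "RELEASE" if not holds else "HOLD: " + "; ".join(holds))
```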

Can wire transfers and ACH payments be reversed?

Wires and ACH transfers fail differently, and the recovery windows are very different.

Wires settle the same day and are functionally final once the receiving bank credits the account. There is a process called a "wire recall" or SWIFT recall, but it requires the receiving bank's cooperation and only works if the money is still sitting there. In practice, fraudulent wires get pulled out by money mules within hours.

ACH transfers work differently in two scenarios. If your business originated an ACH to the wrong account, Nacha rules allow reversals only for specific reasons (duplicate entry, wrong amount, wrong account), and you have to act within five banking days. ACH reversal is not a general "I changed my mind" button. If an unauthorized ACH debit hits your business account, contact your financial provider immediately, because commercial return deadlines can be much shorter than the 60 days consumers get under Regulation E.

Wire transfers are difficult to reverse once sent, and reporting fraud within the first 24 hours can materially improve recovery odds.

Recovery windows by payment type

| Payment type | Settlement speed | Reversal window | Practical recovery odds |
|---|---|---|---|
| Wire transfer | Same day, often within hours | No formal reversal; recall depends on receiving bank | Low after 24 hours |
| ACH | 1–3 business days | Up to 5 banking days for specific reasons (duplicate, wrong amount, wrong account) | Moderate if reported within 2 days |
| Check | 1–10 business days to fully clear | Stop payment possible before clearing; dispute after clearing | Moderate; depends on Positive Pay and dispute speed |

Takeaway: Wires demand the fastest response; ACH gives a small window; checks allow stop-payments before clearing.

What to do in the first 24 hours after a fraudulent wire:

  1. Call your financial provider's fraud line immediately and request a wire recall. Do this before you investigate further. Every hour cuts your odds.
  2. File an IC3 complaint at ic3.gov. The FBI's Recovery Asset Team can freeze funds at US receiving banks if the report comes in fast enough.
  3. Notify the receiving bank directly if you can identify it from the wire instructions.
  4. Preserve everything: the email thread, the wire confirmation, IP headers, and any voice messages.

Two structural controls keep wire fraud from being a single-click disaster: dual approval on payments above a set threshold, and payment limits that cap any one transfer. A one-person business cannot do dual approval, but it can set a low default wire limit and require a manual increase for each large payment, which forces a pause.

How does check fraud affect businesses?

Paper checks remain risky for small businesses because each check exposes account and routing numbers and can be stolen, washed, or counterfeited. Every check you mail puts those numbers in front of postal workers, mail thieves, the recipient's office staff, and the recipient's bank.

There are three common attacks:

Check washing. A thief steals mail, soaks the check in solvent to remove the ink, then rewrites the payee and amount. The MICR line at the bottom is untouched because it is magnetic ink, so the check still clears.

Counterfeit checks. A scammer prints checks using your real account and routing numbers, pulled off a check you wrote, on blank check stock. These can clear if the bank does not catch them.

Forged endorsements. A check sent to the right payee gets intercepted and deposited by someone else who signs the back.

The bank-side defense is Positive Pay, where you send the bank a list of checks you've issued (number, payee, amount) and the bank only clears checks that match. Many small business banking providers offer some version of this, though it can be clunky for businesses that write checks irregularly.
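The Positive Pay matching just described, as an added example (not Novo's or any bank's implementation): the business supplies its issued-check register, and each presented check is paid only if its number, payee and amount match an issued check that has not already been paid. The register and the presented checks are constructed to cover the three attacks above, and the comment in the match branch notes the one Positive Pay cannot see.

```python
"""Positive Pay matching (added example, constructed data)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal


def normalize_payee(name: str) -> str:
    """Ignore case and spacing so 'ACME  Roofing' still matches the register entry."""
    return " ".join(name.upper().split())


def positive_pay(register: list[Check], presented: list[Check]) -> list[tuple[int, str, str]]:
    """Return (check number, decision, reason) for each presented check, in order.

    decision is "PAY" or "EXCEPTION". A number is paid at most once, so a
    counterfeit reusing a real check number is caught even if every field matches.
    """
    issued = {c.number: c for c in register}
    already_paid: set[int] = set()
    decisions: list[tuple[int, str, str]] = []
    for p in presented:
        iss = issued.get(p.number)
        if iss is None:
            reason = "number not in issued register (possible counterfeit)"
        elif p.number in already_paid:
            reason = "number already paid (duplicate or counterfeit)"
        elif p.amount != iss.amount:
            reason = f"amount {p.amount} differs from issued {iss.amount} (possible washing)"
        elif normalize_payee(p.payee) != normalize_payee(iss.payee):
            reason = f"payee {p.payee!r} differs from issued {iss.payee!r} (possible washing)"
        else:
            # A forged endorsement passes here: number, payee and amount all match.
            # Only reviewing the check image (the endorsement on the back) catches it.
            already_paid.add(p.number)
            decisions.append((p.number, "PAY", "matches register"))
            continue
        decisions.append((p.number, "EXCEPTION", reason))
    return decisions


# Constructed data: the register sent to the bank, and what is later presented.
ISSUED_THIS_MONTH = [
    Check(1041, "Acme Roofing Supply", Decimal("2350.00")),
    Check(1042, "City Water Utility", Decimal("184.20")),
    Check(1043, "J. Ortiz Electrical", Decimal("960.00")),
]
PRESENTED_AT_BANK = [
    Check(1041, "ACME ROOFING SUPPLY", Decimal("2350.00")),  # legitimate, bank-normalized payee
    Check(1042, "Mark Doe", Decimal("1840.20")),             # washed: payee and amount rewritten
    Check(1043, "J. Ortiz Electrical", Decimal("960.00")),   # legitimate
    Check(1043, "J. Ortiz Electrical", Decimal("960.00")),   # counterfeit reusing a paid number
    Check(1099, "Cash", Decimal("500.00")),                  # counterfeit printed on blank stock
]

if __name__ == "__main__":
    for number, decision, reason in positive_pay(ISSUED_THIS_MONTH, PRESENTED_AT_BANK):
        print(f"#{number}: {decision} - {reason}")
```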

Check fraud remains one of the most common business banking scams because paper checks expose account and routing numbers.

If you must use checks, mail them from inside a post office, not a residential mailbox. Better, switch the recipient to ACH or virtual cards for recurring payments. Reviewing check images in your account app the day they clear catches washing fast enough to dispute.

How do phishing and fake bank messages target small businesses?

Phishing attacks against business banking have gotten markedly better. Modern phishing messages often look like normal account security workflows:

  • A text from a number that displays as your financial provider's real customer service line, asking you to confirm a "suspicious $4,200 transaction."
  • An email with your financial provider's exact branding, a real employee's name, and a link to a login page that is a pixel-perfect copy of the real one.
  • A phone call, often right after the text, from someone claiming to be the fraud department who needs you to "verify" a one-time code to "stop" the fraudulent transaction.

The third one is the most dangerous because it combines urgency with authority. The code they want you to read out is the one that lets them into your account.

Novo, a fintech (not a bank), will never ask for your full password, full PIN, or a one-time authentication code by phone, text, or email. No legitimate bank or fintech will. If a message or caller asks for one, stop and contact Novo through the Novo app or the number on your card.

How a phishing-and-call combo attack works

  1. Text: Attacker sends SMS impersonating bank: "suspicious $4,200 transaction detected."
  2. Fake site: Victim taps link to a fake login page; credentials captured.
  3. Phone call (critical failure point): Attacker calls victim from a spoofed bank phone number, posing as the fraud team.
  4. Social engineering: Attacker asks victim to read the one-time authentication code "to stop the charge."
  5. Account takeover: Attacker uses the code to log into the real account and initiate a transfer.

Stop point: Hang up and call the number on the back of your card.

If you get a message that might be real, hang up or close it and call the number on the back of your debit card or in the Novo app. That habit reduces the risk of handing credentials or codes to an impersonator.

How does account takeover happen, and how do you stop it?

Account takeover happens after a credential theft. The attacker gets in, then drains the account or sets up ACH pulls to an account they control. The two common paths in:

Reused passwords. Your bookkeeper used the same password on a marketing tool that got breached two years ago. The credentials are now in a list being tried against account login pages.

Malware on a business computer. A "shipping notification" attachment installs an info-stealer that grabs saved browser passwords and session cookies. The attacker logs in from your session, bypassing the password entirely.

Two-factor authentication helps, but not all 2FA is equal. App-based authentication, such as Google Authenticator, Authy, or your provider's own app prompt, is generally safer than SMS codes, which can be intercepted via SIM swapping. Passkeys and hardware security keys provide stronger phishing-resistant protection where available.

App-based authentication is stronger than SMS-based two-factor authentication for business banking logins.

Signs your business account may have been taken over:

  • A new device shows up in your login history.
  • Your email or phone number on the account has been changed without your action.
  • You see small test transactions ($1 to $5) to unfamiliar accounts.
  • A scheduled transfer or new payee appears that you didn't add.

If you see any of these, lock the account from your account app, change the password from a clean device, revoke all active sessions, rotate the password on the email tied to the account, and call your financial provider.

What do fake invoice and overpayment scams look like?

Fake invoice scams and overpayment scams target different parts of a business.

Fake invoices arrive as unsolicited bills for services or subscriptions you never ordered: a domain renewal that isn't yours, a directory listing, an office supply order, or a "business filing" service that mimics a government agency. The bill looks routine enough that an accounts payable clerk pays it without checking. Some of these are technically legal because the fine print says it's a solicitation, not a bill, but the design is meant to fool you.

Overpayment scams target freelancers and e-commerce sellers. A "buyer" pays with a check or wire for more than the agreed amount, then asks you to refund the difference. The original payment bounces or is reversed days later; your refund is gone. The variant for freelancers: a new client sends a check for the first month of work plus "equipment costs" and asks you to forward the equipment money to a vendor.

The verification step for both is the same: never pay an invoice or refund an overage to a payee you have not separately confirmed exists. Look up the vendor independently. For overpayments, wait until the original payment has fully cleared, which for a check can be 10 business days, not the one or two days your provider shows the funds as "available."

What is payroll diversion, and how do you prevent it?

Payroll diversion is BEC pointed at your HR or payroll process. The attacker emails whoever runs payroll, posing as an employee, and asks to update their direct deposit account before the next pay cycle. Two patterns:

  • During onboarding, when no one has heard the new hire's voice yet and the legitimate forms look just like the fake one.
  • Right before payday for an existing employee, often Friday afternoon, when there is pressure to process the change before cutoff.

The control is a written policy: direct deposit changes must be verified in person, on video, or by phone call to the number on file — never by replying to the email request. A second control: send any deposit change confirmation to both the old and new email addresses, so a compromised account doesn't fully hide the change.

For businesses using a payroll provider, lock down who in your team has the permissions to edit bank details, and require 2FA on that provider.

How can Novo help you spot scams faster?

Novo account features can help owners spot unusual activity faster when they review alerts and transactions regularly.

Transaction alerts in the app. If Novo alerts are enabled for the transaction type, a push notification can help you spot unusual activity sooner than waiting for a statement review.

App-based login with biometric unlock. Face ID, fingerprint access, and device-based login can reduce the risk from a stolen password, though businesses should still use unique passwords and review account alerts.

A clear transaction history. Novo charges a $0 monthly fee, and a clear transaction history can make unfamiliar charges easier to notice. A $39 charge from a vendor you don't recognize stands out when the rest of your activity is your real business.

Integrations with Stripe, Shopify, and QuickBooks. Your bookkeeping reconciles against the systems where revenue actually originates. If a fake payment shows up in your account but not in Stripe, you can spot the mismatch in QuickBooks the next day instead of months later.

Novo charges a $0 monthly fee, integrates with Stripe, Shopify, and QuickBooks, and does not accept cash deposits.

One honest tradeoff: Novo does not accept cash deposits. That removes some branch cash-deposit risks for Novo customers, but cash-heavy businesses such as a food truck, a barber shop, or a market vendor still need a safe process for handling cash before converting it to a depositable form, such as a money order, a partner retail bank, or a cash-to-ACH service.

What should you do if your business has been scammed?

The first hour matters more than the next month. Work the list in order.

1. Call your financial provider immediately. For Novo, use the in-app support or the number on the back of your card. Ask for a wire recall, an ACH dispute, or an account freeze, whichever fits. Get a case number in writing.

2. File with the FBI's IC3. Go to ic3.gov and file a complaint with every detail you have: transaction IDs, receiving bank info, dollar amount, timestamps, the email or phone number the scammer used. The FBI's Recovery Asset Team has recovered funds from US receiving banks when reports come in within 72 hours, though calling your financial provider within the first 24 hours is often what determines whether the funds are still there to freeze.

3. File with the FTC at ReportFraud.ftc.gov. This does not directly recover your money but it feeds the federal record that supports investigations and refund programs.

Fraud should be reported to the bank immediately and also filed with the FBI's IC3 and the FTC.

4. Notify the impersonated party. If the scam involved a fake vendor email, tell the real vendor — their email is likely compromised and other customers are about to get the same invoice. If it was a payroll diversion, tell the affected employee so they can lock down their email.

5. Document everything. Save every email with full headers, screenshot every text, export the transaction record, write down the times of every phone call you made. If your provider investigates or your insurance covers cyber fraud, this is what they will ask for.

6. Check your cyber liability or crime insurance. Many small business policies have a "social engineering" or "funds transfer fraud" rider. Coverage limits vary by policy. Read the policy before you assume you're not covered.

Scams against small businesses are not going to slow down. The defense that actually works is unglamorous: a written verification rule for any payment change, app-based 2FA on every financial login, transaction alerts you actually read, and a habit of calling people back on a number you already had. Those practices, taken together, would stop most of the fraud that hits small businesses this year.

Frequently asked questions

What is the most common business banking scam right now?

There is no single public source that ranks every business banking scam by frequency. Business Email Compromise is one of the highest-loss cybercrime categories reported to the FBI's IC3, and check fraud remains widely reported because many B2B payments still move on paper.

Are business bank accounts covered like personal accounts if I get scammed?

Generally no. Regulation E protections for unauthorized electronic transfers apply to consumer accounts, not most business accounts. Your account agreement and your provider's discretion govern recovery.

Can a wire transfer be reversed?

Sometimes, if you report it within hours and the funds have not been withdrawn from the receiving account. The wire recall process requires the receiving bank's cooperation and is not guaranteed.

Does Novo offer fraud protection on business debit cards?

Eligible unauthorized purchases on the Novo Mastercard business debit card may be covered when reported promptly under Mastercard's zero liability policy, subject to Mastercard's eligibility conditions, and you can lock the card from the Novo app.

What's the single best habit to prevent BEC?

Call the vendor or employee at a phone number you already had, not the one in the email, to verify any change in payment instructions, no matter how small.

Disclosures

Novo Platform Inc. ("Novo") is a fintech, not a bank. Banking services provided by Middlesex Federal Savings, F.A., Member FDIC. The Novo Debit Card is issued by Middlesex Federal Savings pursuant to licenses from Mastercard International Incorporated. Mastercard is a registered trademark of Mastercard International Incorporated and can be used everywhere Mastercard is accepted. Eligibility subject to final Novo determination.

Novo Platform Inc. ("Novo") strives to provide accurate information but cannot guarantee that this content is correct, complete, or up-to-date. This page is for informational purposes only and is not financial or legal advice nor an endorsement of any third-party products or services. All products and services are presented without warranty. Novo Platform Inc. does not provide any financial or legal advice, and you should consult your own financial, legal, or tax advisors.