The Toner Scam is slightly misnamed, but it’s the most common name for this kind of scam. This type of scam often involves copier toner (and these particular scammers may be called “toner phoners” or “toner pirates”), but it’s also a general office supply scam that can catch businesses and nonprofits alike.
This has nothing to do with whether or not printer cartridges are a scam, so if you’re looking for that, you’re in the wrong place (though you might find other parts of this site useful).
While high-tech scams get all the attention nowadays, these lower-tech scams are still around. These scams use simple social engineering - that is, tricking a person into saying something they shouldn’t. Nowadays, a scammer may use Internet-based OSINT (Open Source INTelligence - that is, openly available information on the internet) to do some initial reconnaissance before approaching a potential victim, such as obtaining information from the company’s own website, press releases, information about the company from other websites, and so on. However, the scam can survive without that.
The scam goes as follows:
A scammer first gets some information about the product the company buys as well as the person responsible for purchases. Some of this may come from online research, but it’s often still done via phone.
They may then call back using the information they gained and convince someone either that they are the company’s normal office supplier or copier company and want to confirm a standing order or offer a discount, or that they want to send a catalog or free sample. Note that nowadays this contact may come via email.
The scammer sends low-quality items that the company didn’t order at marked-up prices.
An invoice is sent for the items. Some scammers slip this invoice in the mail several weeks later in the hopes that the company feels compelled to pay since they received the product; others are aggressive about being paid for items the victim didn’t agree to order.
Note that there are multiple versions of this scam and commonly related scams. For example, a scammer may not send you anything at all but send you a “past due” invoice.
How to protect yourself
The initial stage of this scam involves social engineering that you can teach staff to guard against. When I learned about this scam way back when (pre-internet - well, at least before most people got onto it), the rule was not to provide any information about our staff or our equipment. If there was a sales pitch, we were to get the person’s phone number and pass it along to the purchasing person.
If for some reason you’re required to provide information about your staff - particularly your purchasing staff - put some kind of compensating control in place. Have a list of approved office/copier/printer supply vendors with contacts. Require all offers to be in writing - for example, use a purchase order.
Teach your receiving staff not to accept items blindly.
Needless to say, don’t pay invoices blindly without verifying the purchase was made and the items received. If the price is greater than what was agreed upon, definitely don’t pay it.
In the United States - and presumably other countries with similar legal systems - you are not required to pay for items that were sent unsolicited or not sent at all.