How To Protect Your Small Business From Scams
Practical steps to protect your small business from invoice fraud, impersonation, and cyber scams that target smaller organisations.
Last reviewed: 1 June 2026
Small businesses are prime targets for scammers precisely because they often lack the dedicated fraud teams of large organisations. Invoice redirection, impersonation of suppliers or HMRC, fake directory listings, and phishing attacks can drain cash fast. The good news is that simple process controls — verifying payment changes over the phone, separating financial approvals, and training your team — stop the vast majority of attacks before any money leaves. Building these habits early costs little and protects everything you've worked for.
Invoice and payment fraud
Criminals intercept or forge invoices, changing the bank details to their own account. A single fraudulent payment can run to thousands. Always verify any payment-detail change by calling the supplier on a number you already hold — not one on the invoice itself.
- Never update supplier bank details without a voice call to a known number
- Set up a dual-approval rule for payments above a threshold
- Treat any 'urgent' payment request with extra caution
- Check email domains carefully — one letter off is a common tactic
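One way to make the "one letter off" check systematic rather than relying on the eye of whoever opens the invoice is to compare the sender's domain against the supplier domains you already hold on record and flag near-misses. The example below is added here and is not part of the original page; the supplier domains and email addresses in it are constructed, and the edit-distance threshold of two is an assumption you would tune for your own supplier list.

```python
"""Flag sender domains that look like a known supplier's domain but are not an exact match."""

# Constructed example data: the supplier domains your accounts team already holds on record.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.co.uk", "northwind.com"}

# Common visual substitutions used in lookalike domains. Folding them first lets
# "acme-supp1ies.co.uk" collapse onto "acme-supplies.co.uk" before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of a From header such as 'Name <user@host>'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 2) -> str:
    """
    'known'     - exact match with a supplier domain on record
    'lookalike' - within max_distance edits (after homoglyph folding) of a known domain;
                  treat as a prompt to phone the supplier on the number you already hold
    'unknown'   - nothing similar on record
    """
    domain = sender_domain(address)
    if domain in known:
        return "known"
    folded = domain.translate(HOMOGLYPHS)
    for k in known:
        if levenshtein(folded, k.translate(HOMOGLYPHS)) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers, as they might appear on incoming invoices.
    for hdr in ["Acme Accounts <ap@acme-supplies.co.uk>",
                "ap@acme-supp1ies.co.uk",
                "billing@northwind.co",
                "hello@example.org"]:
        print(f"{hdr:45} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is not proof of fraud, only a reason to stop and make the voice call described above; the threshold of two edits catches single-character swaps, dropped letters and transpositions, but will also flag genuinely different short domains, so keep the known list limited to suppliers you actually pay.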
Impersonation of HMRC and regulators
Scammers pose as HMRC, Companies House, or trade directories demanding urgent fees or threatening penalties. HMRC will never demand immediate payment by phone or threaten arrest.
- Verify unexpected HMRC contact by calling HMRC directly
- Be sceptical of any directory or 'official listing' invoice you didn't request
- Share this guidance with anyone who handles invoices
Cyber and phishing risks
Phishing emails, fake login pages, and malicious attachments target business email accounts to access finances or client data. Keeping software updated and using multi-factor authentication closes most doors.
- Enable multi-factor authentication on all business email and banking
- Use a password manager and unique passwords per service
- Train staff to pause before opening attachments or clicking links
- Back up data regularly to an offline or separate cloud account
Build a scam-aware culture
A team that feels safe flagging a suspicious email without fear of embarrassment is one of your best defences. Make it normal to pause, verify, and ask.
- Agree a no-blame policy for raising concerns
- Run a brief scam-awareness session with staff at least once a year
- Nominate a point person for scam queries
Frequently asked questions
We received a convincing invoice — how do we know if it's real?
Call the supplier on a number stored in your own records (not the invoice) and ask them to confirm the bank details. Never rely solely on the contact details provided in an email or invoice you received unexpectedly.
What if an employee already made a fraudulent payment?
Contact your bank immediately using the official number on your banking app or statement — the faster you act, the greater the chance of recovery. Then preserve all evidence and report to Action Fraud or your local equivalent.
Do small businesses need to train staff formally?
Formal training is valuable but not essential. A short, plain-language briefing on current scam types and a clear 'pause and verify' rule covers most scenarios for small teams.