How To Protect Your Small Business From Scams
Practical steps to protect your small business from invoice fraud, impersonation, and cyber scams that target smaller organisations.
Last reviewed: 1 June 2026
Small businesses are prime targets for scammers precisely because they often lack the dedicated fraud teams of large organisations. Invoice redirection, impersonation of suppliers or HMRC, fake directory listings, and phishing attacks can drain cash fast. The good news is that simple process controls — verifying payment changes over the phone, separating financial approvals, and training your team — stop the vast majority of attacks before any money leaves. Building these habits early costs little and protects everything you've worked for.
Invoice and payment fraud
Invoice fraud usually starts when criminals gain access to an email thread with a supplier, then send an update claiming the business's bank details have changed, asking future payments to go to a new account they control. Because the message often comes from a genuine-looking, even hijacked, email address and references real invoice numbers, it can look completely legitimate at first glance. A single payment sent to the wrong account is very difficult to recover once it clears. The reliable defence is a strict rule: any change to payment details, however it arrives, must be confirmed by phone using a number you already have on file for that supplier — never a number printed on the invoice itself, which the criminal controls.
- Never update supplier bank details without a voice call to a known number
- Set up a dual-approval rule for payments above a threshold
- Treat any 'urgent' payment request with extra caution
- Check email domains carefully — one letter off is a common tactic
Impersonation of HMRC and regulators
Scammers frequently impersonate HMRC, Companies House, or official-sounding trade directories, contacting a business by phone, text, or email to demand an urgent fee or threaten penalties, fines, or even arrest if payment isn't made immediately. These messages are built to trigger panic in a business owner who is genuinely worried about compliance, and the fake caller ID or official-looking letterhead can make them convincing. In reality, HMRC will never call demanding instant payment over the phone or threaten arrest for a tax matter, and genuine penalty notices arrive by post with an appeals process attached. If you receive one of these, don't call any number provided — instead look up the organisation's official contact details independently and check directly.
- Verify unexpected HMRC contact by calling HMRC directly
- Be sceptical of any directory or 'official listing' invoice you didn't request
- Share this guidance with anyone who handles invoices
Cyber and phishing risks
Small businesses are attractive targets for phishing because a single compromised email account often gives criminals access to invoices, client data, and banking details all at once, with fewer of the security layers a larger company might have. A typical attack arrives as an email that looks like it's from a supplier, courier, or software provider, linking to a fake login page designed to capture a password the moment it's typed in. Malicious attachments disguised as invoices or delivery notices carry the same risk. Multi-factor authentication is the single most effective defence, since it stops a stolen password alone from granting access, and keeping software and email filters updated closes off many of the technical routes attackers rely on.
- Enable multi-factor authentication on all business email and banking
- Use a password manager and unique passwords per service
- Train staff to pause before opening attachments or clicking links
- Back up data regularly to an offline or separate cloud account
Build a scam-aware culture
Technology alone won't stop every scam — the businesses that cope best are the ones where staff feel genuinely comfortable pausing on a suspicious email or phone call and asking a colleague before acting, rather than worrying that flagging it will look foolish. Say explicitly to your team: 'If anything feels off, stop and check with me, even if it turns out to be nothing — I'd rather deal with far more false alarms than miss one real loss.' Run through a real example occasionally in a team meeting so people recognise the tone of these messages. Make verifying payment changes and unusual requests a normal, expected step in the process, not an exception, so no one feels awkward for asking.
- Agree a no-blame policy for raising concerns
- Run a brief scam-awareness session with staff at least once a year
- Nominate a point person for scam queries
Frequently asked questions
We received a convincing invoice — how do we know if it's real?
Call the supplier on a number stored in your own records (not the invoice) and ask them to confirm the bank details. Never rely solely on the contact details provided in an email or invoice you received unexpectedly.
What if an employee already made a fraudulent payment?
Contact your bank immediately using the official number on your banking app or statement — the faster you act, the greater the chance of recovery. Then preserve all evidence and report to Action Fraud or your local equivalent.
Do small businesses need to train staff formally?
Formal training is valuable but not essential. A short, plain-language briefing on current scam types and a clear 'pause and verify' rule covers most scenarios for small teams.