Why do scammers specifically target small businesses?
Small businesses handle regular financial transactions, may lack dedicated fraud teams, and must respond quickly to supplier and client communications — all of which create exploitable opportunities.
Last reviewed: 10 June 2026
Explanation
Small businesses are attractive fraud targets for structural reasons that have nothing to do with the intelligence or vigilance of the people running them. A sole trader or small team handles all functions: buying, selling, payroll, and banking. There is no separate finance department to verify transactions and no dedicated IT security team. This means that a convincing fraudulent invoice or payment instruction can travel from receipt to payment without the layered checks that exist in larger organisations.
Invoice redirection fraud is one of the most common approaches. A scammer who has observed a business's supplier relationships — often through compromised email or social engineering — sends a fraudulent invoice that appears to come from a genuine supplier, with updated bank details. The business pays the invoice to the new account, not realising the payment has gone to a fraudster rather than the real supplier.
Fake supplier fraud works in the opposite direction. A scammer approaches a small business as a new potential customer, places an order on credit, and then disappears without paying. Sometimes stolen credit card details are used to place large orders that are later charged back, leaving the small business with lost goods and a reversal of funds.
Domain spoofing and business email compromise are particularly effective against small businesses because they rely on the personal trust between known counterparties. An email that appears to come from the business owner's accountant, solicitor, or major customer requesting an urgent payment change can be very convincing in the context of an existing relationship. The fraud exploits familiarity rather than manufacturing it from scratch.
Common red flags
- A known supplier sends updated bank details by email with no prior phone call
- An email from a senior colleague requests an urgent wire transfer, bypassing normal process
- A new customer places a large first order with unusual urgency
- Payment instructions are sent from an email domain that differs slightly from the one you normally correspond with
- A supplier calls to say they have not received a recent payment you made
What to do now
- Establish a verbal confirmation rule for any new or changed payment details
- Train all staff who handle payments to treat changed bank details as high-risk events
- Use email authentication tools to flag messages that do not pass sender verification
- Publish DMARC, SPF, and DKIM records for your business domain to reduce spoofing
- Report business fraud to your national fraud authority and your bank immediately
- Review cyber liability insurance options appropriate to your business size
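As an added illustration (not part of the original page), the Python sketch below shows how a mail filter could flag two of the red flags above: a sender domain that is a near miss of a known supplier, and a message that does not pass SPF, DKIM, or DMARC. The supplier domains, the `mx.mybusiness.example` server name, and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: known supplier domains and your own mail server's authserv-id.
KNOWN_DOMAINS = {"acme-supplies.example", "brightaccounts.example"}
TRUSTED_AUTHSERV = "mx.mybusiness.example"

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_message(raw):
    """Return a list of reasons to verify the sender by phone before paying."""
    msg = message_from_string(raw)
    flags = []
    sender = domain_of(msg["From"])
    if sender not in KNOWN_DOMAINS:
        near = [d for d in KNOWN_DOMAINS if 0 < edit_distance(sender, d) <= 2]
        flags += [f"lookalike of {d}: {sender}" for d in sorted(near)]
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain differs: {reply_to}")
    # Only trust results stamped by our own server; others may be forged.
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";")[0].strip() == TRUSTED_AUTHSERV:
            results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr))
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            flags.append(f"{mech} not pass: {results.get(mech, 'missing')}")
    return flags

# Constructed sample message (not real traffic); note the missing "p".
SAMPLE = """\
From: Accounts <accounts@acme-suplies.example>
Reply-To: payments@mailbox.example
Authentication-Results: mx.mybusiness.example; spf=pass; dkim=none; dmarc=fail
"""
print("\n".join(review_message(SAMPLE)))
```

A flagged message is a prompt to apply the verbal confirmation rule, not proof of fraud; a message with no flags can still come from a compromised genuine mailbox.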
Frequently asked questions
Does cyber liability insurance cover business email compromise losses?
Some policies do; others have specific exclusions for fraudulently authorised transfers. Review the policy terms carefully and speak to a broker about coverage that specifically addresses social engineering and funds transfer fraud.
How do scammers learn enough about a business to make invoice fraud convincing?
Publicly available information — company websites, LinkedIn, Companies House filings, and social media — can reveal supplier names, key staff, and financial relationships. Some scammers also compromise email systems to monitor actual correspondence before striking.