For small businesses, falling victim to a scam isn’t just an inconvenience – it can lead to serious financial loss, operational disruption, and reputational damage. In fact, a recent Visa survey found that UK SMEs lose an average of £3,800 per fraud incident, with 6–8% of cases resulting in damages exceeding £10,000. As cyber criminals become more sophisticated, digital fraud has emerged as a growing threat, with more than 41% of UK small and medium businesses reporting they were targeted in the past year. Unlike physical crimes such as theft or vandalism, cyber scams often go unnoticed until it’s too late, making them especially dangerous.
Yet despite the scale of the problem, insurance policies often don’t cover the financial or operational impact of these attacks. This highlights the need for greater awareness and stronger preventative action. There are practical steps that both businesses and insurers can take to reduce the risk. This article explores the most common types of digital scams, the cost and scale of fraud affecting small firms, and how businesses can better protect themselves through awareness, training, and strong internal controls.
Types of scams

Phishing emails
Phishing continues to be the most common cyber-attack on businesses. In these scams, fraudsters pose as trusted organisations – such as banks, HMRC, or suppliers – and send emails designed to trick staff into clicking malicious links or revealing sensitive login details. Other variants include vishing (fraudulent phone calls) and smishing (deceptive text messages), all designed to manipulate employees into sharing information or making payments.
Invoice fraud & fake supplier scams
Also known as mandate fraud, this scam involves criminals impersonating a regular supplier and requesting a payment to a new bank account. Often, they use hacked email accounts or convincing lookalike invoices, making the request appear legitimate. The business only realises something is wrong when the real supplier later contacts them about a missing payment. This category also includes fake purchase orders or bogus procurement schemes – scams that cost small businesses millions every year and are among the most frequently reported.
Business identity theft
This involves criminals hijacking or imitating a legitimate business to commit fraud. It could mean altering official registration details, setting up a similarly named sham company, or even cloning a company website or social media profile. The goal is typically to take on debt, order goods, or mislead customers and partners. Aside from financial losses, these scams can cause lasting damage to a business’s reputation and credit rating.
CEO and impersonation scams
In these attacks, scammers pretend to be someone in authority – such as a CEO, director, client, or bank official – and instruct staff to make urgent payments or share sensitive data. Known as CEO fraud, this tactic relies on employees’ trust and the pressure to act quickly. A common example is a fake email from a senior executive demanding an urgent transfer outside of normal protocols. These scams exploit human behaviour rather than technology – making them particularly dangerous.
Cyber fraud and malware
Not all scams rely on social engineering. Some involve more technical threats like ransomware, viruses, or direct hacking. For example, fraudsters may gain access to a business’s phone systems and make premium-rate calls, or hack into email systems to redirect payments. While less common than phishing, these incidents can cause significant disruption and financial harm, particularly when critical data is compromised or lost.
Cost of scams

The financial impact of fraud is significant. According to UK Finance, a total of £1.17 billion was stolen through fraud across the UK in 2023. Small businesses are a major part of this figure. In just the first half of 2023, businesses lost £42.6 million through authorised push payment (APP) scams – where companies are tricked into sending money to fraudsters.
On average, UK SMEs that fall victim to fraud lose around £3,800, according to Visa’s survey, but this can be much higher in complex scams. The average cost of a cybercrime incident is estimated at £1,120, though 6–8% of cases result in losses of over £10,000.
Scale of scams to small businesses
Prevalence
Fraud targeting small firms is widespread. The Federation of Small Businesses (FSB) reports that 37% of SMEs experienced fraud or cybercrime over a 12-month period. A separate survey by Visa in late 2024 found that 41% of UK small and medium businesses had been affected by fraud in the past year – a clear sign that this threat is not going away.
Top tactics
Phishing is still the most common form of cyber-attack – accounting for around 84–90% of incidents. Impersonation scams also remain prevalent, experienced by roughly 35% of businesses. In terms of financial fraud, invoice fraud tops the list at 31% of reported cases, followed by card/cheque fraud (29%) and unauthorised bank payment fraud (26%).
Are small businesses keeping up?
Many SMEs are taking steps to improve their defences – 92% report implementing some form of cyber or anti-fraud measure. However, as criminals continue to evolve their tactics, there’s still a knowledge gap. Nearly half of small businesses are unaware of threats like invoice fraud, making them easier targets. Without dedicated cybersecurity teams or regular training, smaller firms often struggle to spot and stop scams in time.
Preventative measures

Experts and authorities urge small businesses to take proactive steps to guard against scams. Here are key preventative measures based on official advice:
Be sceptical and verify requests
Encourage your team to question unexpected requests, especially those involving payments or sensitive information. If you receive an email requesting a payment or a change of bank details – even if it appears to come from a known supplier or your boss – verify it via an independent channel. For example, call the supplier using the phone number you have on file (not a number provided in the email) to confirm the request.
Always confirm changes to bank details or unusual payment instructions through a separate, trusted communication channel – such as phoning the supplier directly using a known number. Don’t rely solely on email or caller ID, as both can be spoofed.
Educate and train employees
Regular training is key. Help staff recognise red flags such as strange email addresses, unexpected urgency, or generic greetings. Make scam awareness a routine part of your operations – much like health and safety. Campaigns like Take Five to Stop Fraud and quizzes from UK Finance offer excellent training tools to keep your team alert and informed.
Strengthen cybersecurity hygiene
Adopting good cyber habits can go a long way. Use strong passwords, turn on multi-factor authentication, keep devices and software up to date, and install reliable antivirus protection. Back up your data regularly and limit who has access to key systems. The NCSC’s Small Business Guide offers simple, practical tips for building digital resilience.
Secure your business identity
Protect your business’s official records by signing up for the PROOF scheme at Companies House, which helps block unauthorised changes. Use the Follow service to get alerts for any updates to your business’s filings. Be cautious about what you share online – details about suppliers or contracts could help a scammer craft convincing messages.
Implement strong payment controls
It’s worth introducing checks and balances into your payment processes. Require dual approval for high-value transactions and consider setting daily transfer limits. Make the most of banking tools like Confirmation of Payee – if the account name doesn’t match, investigate before sending funds. Separating responsibilities for payment approvals and execution can further reduce risk.
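The checks described above (call-back verification of changed bank details, Confirmation of Payee, dual approval, daily limits and separation of duties) can be expressed as a single pre-release gate. This is an added example, not code from the article or any bank; the thresholds, field names and sample payments are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed policy values; the article does not specify thresholds.
DUAL_APPROVAL_THRESHOLD = 5_000   # GBP: at or above this, two approvers are required
DAILY_LIMIT = 20_000              # GBP: total that may be released in one day

@dataclass
class Payment:
    payee: str
    amount: int                               # GBP, whole pounds
    requested_by: str
    approvers: set = field(default_factory=set)
    cop_match: bool = False                   # bank's Confirmation of Payee result
    bank_details_changed: bool = False        # payee account differs from records
    change_verified_by_phone: bool = False    # call-back to the number already on file

def release_blockers(p, released_today=0):
    """Return the reasons a payment must be held; an empty list means release."""
    reasons = []
    if not p.cop_match:
        reasons.append("Confirmation of Payee name mismatch")
    if p.bank_details_changed and not p.change_verified_by_phone:
        reasons.append("new bank details not verified via known phone number")
    # Separation of duties: the person who raised the payment cannot approve it.
    independent = p.approvers - {p.requested_by}
    needed = 2 if p.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"needs {needed} independent approver(s), has {len(independent)}")
    if released_today + p.amount > DAILY_LIMIT:
        reasons.append("daily transfer limit exceeded")
    return reasons

# Constructed samples: an emailed "change of bank details" with an urgent invoice,
# and a routine payment to the account already on file.
suspicious = Payment("Acme Supplies Ltd", 8_400, "alice", {"alice", "bob"},
                     cop_match=False, bank_details_changed=True)
routine = Payment("Acme Supplies Ltd", 1_200, "alice", {"bob"}, cop_match=True)

if __name__ == "__main__":
    for p in (suspicious, routine):
        print(p.payee, p.amount, release_blockers(p) or "OK to release")
```

The gate returns every failed control rather than stopping at the first, so whoever reviews a held payment sees the full picture before contacting the supplier.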
Report and respond quickly
If you do suspect a scam or fall victim to one, act immediately. Contact your bank’s fraud team if you think you’ve sent money to a wrong account – banks can sometimes freeze or recall funds if alerted in time. Likewise, if your system is hacked or you notice suspicious account changes, notify your IT provider or cybersecurity response service without delay.
Next, report the incident to Action Fraud (the UK’s national fraud reporting centre) either online or by phone. Prompt reporting not only aids possible investigations, but also ensures authorities capture the details to warn others and build intelligence on scam trends.
Small businesses can also reach out to helplines from bodies like the National Cyber Security Centre or industry associations for guidance after an incident. Remember that you’re not alone – law enforcement and industry groups are encouraging all businesses to speak up about fraud attempts so that the perpetrators can be tracked and stopped.
By staying vigilant, educating staff, and putting these protective measures in place, small businesses can significantly reduce their exposure to scams. As fraud experts often stress, a combination of human scepticism and robust processes is the best defence.
Sources
Action Fraud (UK police fraud reporting centre) – alerts and prevention tips
UK Finance – industry reports on fraud losses and scam types
Federation of Small Businesses (FSB) – research on small business crime trends
National Cyber Security Centre (NCSC) – Small Business Guide for cybersecurity (gov.uk)
Companies House – guidance on protecting your company from identity fraud (PROOF scheme)
Visa UK – SMB Fraud research 2024 (press release)
Barclays Bank – fraud prevention advice for businesses (invoice scam guidance)
Get Small Business Insurance from Protectivity
The most effective way to stay protected is to understand the risks and how they could impact your business, while keeping up to date with the latest scam trends. For other risks such as injury and damage liabilities it’s worth investing in business insurance.
At Protectivity, our affordable small business insurance* is suitable for sole traders, freelancers and other small business owners specialising in a wide range of different activities.
Whether you’re looking for pet care business insurance, decorators insurance, catering insurance, crafters insurance, or cover for another type of small business, explore the full list of small business insurance we provide today – or get in touch with our team to discuss your specific requirements.
*Currently cybersecurity cover is not included in Protectivity small business policies as we aim to keep premiums as affordable as possible.
*Disclaimer – This blog has been created as general information and should not be taken as advice. Make sure you have the correct level of insurance for your requirements and always review policy documentation. Information is factually accurate at the time of publishing but may have become out of date.