
Protect your business from fraud

If you are self-employed or running a business, fraud and cyber security should be high on your agenda.

Just over four in ten businesses (43%) reported a cyber breach or attack in the last 12 months.

Source: Cyber Security Breaches Survey 2025

It might not sound like the most glamorous part of running a business, but anything you can do to reduce the risk of financial or reputational loss is fundamental to the success or survival of your organisation.

In some cases, criminals use cyber tools and artificial intelligence (AI) to deceive people, producing highly realistic fake documents or impersonations of people and organisations that we know and trust.

Take time now to explore the advice offered on this website and learn what steps you can take to protect your business from fraud.


Payment diversion fraud

Payment diversion fraud is one of the most damaging scams facing UK businesses today. Criminals deceive staff into sending money to the wrong bank account.

These scams come in several forms:

  • CEO fraud: Criminals impersonate senior executives, sometimes using deepfake audio or video, to pressure staff into making urgent payments.
  • Invoice fraud: Fraudsters hack supplier email accounts or create lookalike domains to send fake invoices with updated bank details.
  • Salary diversion fraud: Scammers pose as employees and ask HR or payroll teams to change bank details, redirecting salary payments to their own accounts.

What are fraudsters trying to do?

Their goal is simple: divert legitimate payments into criminal accounts. These scams rely on urgency, authority, and trust – often targeting busy teams or key moments like financial year-end when staff may be under pressure to act quickly.

What to look out for

  • Unexpected or urgent payment requests
  • Requests to change bank details, especially near holidays or deadlines
  • Attempts to bypass normal approval processes

How to protect your business

Be cautious with bank detail changes

It is rare for businesses to change bank accounts. Treat any request to do so with caution.

Verify with a trusted contact

Always confirm both old and new account details using a known phone number – not one provided in the message.

Set up clear procedures

Use sign-off processes and delay periods when approving changes to bank or payroll details. Some companies use delay periods of 14 or 30 days before a new supplier's account details are approved, allowing them time to check details thoroughly.

Secure supplier communications

Ask suppliers to meet basic cyber security standards. For example, require a Cyber Essentials certificate in contracts.

Communicate clearly

If you are a supplier, make sure your terms explain how you’ll notify customers of any changes to payment details. If your company has a policy that the CEO or CFO does not contact staff to request that they make urgent payments, ensure that all staff are aware of this policy and know how to act if they receive a request to process an urgent payment.


IT support fraud

In IT support fraud, the aim is to break into your systems. Fraudsters pretend to be technical support agents and claim there are problems with your computer, device or account. These problems are fake. They offer help to get you to click on harmful links, download dangerous software or give them remote access.

What are fraudsters trying to do?

These scams take advantage of your need for help and are designed to catch you off guard – especially when you’re busy or under pressure. Their goal is to:

  • Install spyware to monitor your activity and steal sensitive information
  • Steal login details to access your accounts and networks
  • Charge you for fake services or unnecessary fixes
  • Create hidden access points for future attacks

What to look out for

  • Unexpected phone calls, emails, texts, or voice messages
  • A sense of urgency or pressure to act quickly
  • Instructions to:
    • Grant remote access to your accounts or devices
    • Download software or patches
    • Share business or personal information like bank details or login credentials
    • Share a one-time passcode

How to protect your business

Break the contact

Don’t reply, click on links, or make any payments. If you’re unsure, speak to a trusted colleague or adviser before taking action.

Do not share sensitive information

Never give out passcodes, login details or personal information unless you are sure you know who you are speaking to.

Avoid remote access

Do not allow anyone to access your devices unless you have initiated the request through a trusted provider.

Ignore keypad instructions

If you are asked to type numbers into your phone, stop – you could be unknowingly redirecting your calls.


Fake call for tenders or quotes

Fraudsters may create fake calls for tenders or quotes with the aim of gaining access to your systems. They may do this by sending links to documents which contain malware or asking you to download files that contain malware or ransomware.

Criminals are increasingly using QR codes to hide malicious links, as many people are wary of clicking links in emails.

What are fraudsters trying to do?

Their goal is to compromise your business email account or to get you to download malware. Once inside, they can launch further attacks such as invoice fraud, redirecting payments or impersonating your business to deceive others. If they deploy ransomware, they could lock you out of your systems and demand payment.

How to protect your business

Follow National Cyber Security Centre advice for protecting your organisation against malware

Read more on the National Cyber Security Centre website.

Check whether the call for tender is genuine

Always verify tenders via the company’s official website. You can also use a trusted website checker to check if a website is genuine or potentially a scam.

Beware of QR codes

If an email asks you to scan a QR code – especially if it urges quick action or asks for login details or other sensitive information – make sure you know where it’s really sending you. Be wary of using your personal phone to scan QR codes in a work email, as it may not have the same protections as work devices. See more advice on the National Cyber Security Centre website.

Look for warnings

Check social media, industry alerts and news for signs others have been targeted.


Investment fraud

Investment fraud happens when criminals trick you into putting money into fake or worthless schemes. These scams often promise high returns with little risk and use clever tactics – like fake endorsements, deepfake videos, and cloned websites – to look real.

Scammers might contact you out of the blue, advertise on social media, or pretend to be trusted financial experts. They often pressure you to act quickly, making it harder to spot the warning signs.

What are fraudsters trying to do?

Their aim is simple: to steal your money. They try to convince you to invest in something that doesn’t exist. Common tactics include:

  • Promising high returns with low risk
  • Urging you to invest straight away
  • Asking for payments by bank transfer or cryptocurrency
  • Using fake celebrity or expert endorsements
  • Copying real companies to look legitimate
  • Creating fake advisers or synthetic identities to build trust

Cryptocurrency scams are especially common. Bitcoin is often used because it’s well-known and hard to trace.

How to protect your business

Be cautious with social media offers

Many scams start with ads or messages on platforms like WhatsApp, Facebook or Instagram. Always check an investment offer is genuine before responding.

Check with the Financial Conduct Authority (FCA) Firm Checker

Before investing, use the FCA’s Firm Checker to see if a firm is authorised. If it isn’t, report the firm to the FCA.

Verify endorsements

Visit the official website or social media of the person or company to confirm they genuinely support the investment.

Don’t be rushed

Real investment firms won’t pressure you to act immediately. Take time to stop, think and check.

Talk to someone you trust

Speak to a financial adviser before making any decisions.

Avoid direct transfers

Never send money unless you’re absolutely sure the firm is genuine and authorised.


Insider fraud

Insider fraud happens when someone within an organisation uses their position to commit fraud. These scams can go unnoticed for years, especially when the person is trusted and has access to sensitive systems.

What are fraudsters trying to do?

The aim of insider fraud is to exploit internal access to steal money or assets. This could involve creating false invoices, diverting payments, or manipulating payroll systems – all while appearing to act in good faith. Here’s what you should look out for:

  • Sudden lifestyle upgrades that don’t match their salary
  • Resistance to audits or financial reviews

How to protect your business

Follow a best practice recruitment process

Set up strong internal processes

  • Use 2-step verification for financial systems
  • Segregate financial duties – no one person should approve and pay invoices
  • Have clear processes for changing payroll details
  • Regularly reconcile invoices and payments
  • Carry out internal and external audits
  • When staff leave, end access to systems, close email accounts, and remove them from payroll
  • If staff move positions within the organisation, re-assess whether they need to retain the access to the systems they had in their old position, and if not, end their access.
  • Create and promote a whistleblowing process
  • Review access and oversight to sensitive systems and documents:
    • Ensure vendors only have the level of computer access necessary for their role – not full access to sensitive systems
    • Make sure any third-party contractors do not have physical access to sensitive documents (e.g., printed financial records) unless they have the necessary clearance
    • Confirm security staff have valid Security Industry Authority (SIA) licences and that they are up to date

Business trading fraud

Fraudsters may set up businesses that look genuine, with the hidden aim of stealing goods. They start by placing small orders and paying promptly to build trust with suppliers.

Once they’ve established a good credit history, they place larger orders – then disappear with the goods, leaving suppliers unpaid. The scam often continues under a new company name.

What are fraudsters trying to do?

The aim of business trading fraud is to get valuable goods on credit and resell them for profit. By pretending to be a trustworthy business, fraudsters trick suppliers into sending large shipments – then shut down the company and repeat the scam. You should look out for:

  • Businesses that only use webmail email addresses and mobile numbers
  • No credible accounts filed with Companies House
  • Multiple companies with similar names or shared directors
  • Goods being cross loaded to unidentified vehicles at delivery sites
  • Positive reviews online within a short time of incorporation followed by few reviews after that

How to protect your business

Carry out due diligence on new business customers including:

Search the Companies House register

To check if the company:

  • is registered and has filed credible accounts – watch out for unrealistic profits, extremely rapid growth, or large fluctuations in turnover from year to year, as these can indicate risk
  • has had a Company Director disqualified
  • is linked to any other companies which have been struck off the register

Follow the company on the Companies House register

To receive alerts of company transactions, including documents relating to insolvency procedures if relevant.

Check that the company is registered with the relevant regulator

For example the Financial Conduct Authority (FCA) Firm Checker.

Check if the company appears on warning lists

Such as the Financial Conduct Authority (FCA) scam list or rogue landlord lists.

Ask the company to provide credit and trade references

When doing business with new business customers, be cautious of setting up credit accounts or providing services prior to payment, particularly for companies that have recently been incorporated.

Verify delivery arrangements

To ensure goods go to traceable people and addresses. Make sure that staff do not accept requests to deliver to a different address than has already been agreed without completing due diligence.


Cyber security

To protect your business from cyber attacks, visit the National Cyber Security Centre website, which has a wealth of information and advice to help you become more cyber secure.

Cyber Action Toolkit

This free tool offers a personalised action plan to help protect your business against cyber attacks. Just answer a few simple questions to get started.

Advice for self-employed and sole traders

Cyber security advice to protect your business and the technology you rely on.

Advice for small and medium sized organisations

Cyber security advice for businesses, charities, clubs, and schools with up to 250 employees.

Free online training for staff

This free, easy-to-use training takes less than 30 minutes to complete and will help you and your staff keep your business safe from cyber attacks.

Check your cyber security tool

This free service will check your website, email, and browser at the click of a button – then show you how to fix any vulnerabilities.

Early Warning Service

A free NCSC service that informs your organisation of potential cyber threats on your network, using information feeds from the NCSC and from trusted public, commercial and closed sources, including exclusive feeds.

Cyber Essentials

Once you have the basics in place, you may like to adopt the Cyber Essentials scheme. This will protect your business against the most common cyber attacks and demonstrate to your customers and suppliers that you have good cyber security in place.

Social media: protecting what you publish

Cyber security advice to help you manage your organisation’s social media accounts safely and reduce the risk of reputational damage. This guidance covers how to control who can post, how to secure publishing tools, and what to do if something goes wrong.

Other sources of information

  • Cyber Resilience Centres (CRCs) offer free support and guidance for small businesses from regional centres across England and Wales. The CRCs offer practical help to improve your cyber security and build resilience against online threats.
  • Cyber Scotland offers advice to businesses in Scotland.
  • NI Cyber Security Centre offers advice to businesses in Northern Ireland.

Reporting fraud

If you’ve been a victim of fraud, find out how to report it.

If you think a business has broken the law or acted unfairly, you can report them to Trading Standards: Reporting to Trading Standards – Citizens Advice

You can also report to the relevant regulator if appropriate (for example, the FCA), and make a complaint to Companies House if the business is a limited company: Complain about a limited company – GOV.UK