Fraud against small businesses in the UK is a growing concern, often exploiting trust and busy schedules. One common tactic involves fake invoices, which can appear incredibly convincing. This guide will help you understand how these scams work, how to spot them, and what steps you can take to protect your business.
What this scam looks like
This type of fraud, often falling under the umbrella of Business Email Compromise (BEC), targets businesses of all sizes, including small businesses in the UK. Scammers send emails that look like they're from a legitimate supplier, a known contact, or even an internal department, requesting payment for services or goods that were never provided, or redirecting genuine payments to a fraudulent account. These fake invoice emails can be highly sophisticated, making them difficult to distinguish from real correspondence.
The core of the scam involves tricking you or your accounts team into transferring money to an account controlled by the fraudster. This might be for a seemingly overdue bill, an urgent payment to a new supplier, or even a change in bank details for a regular vendor. The emails often mimic the style and tone of genuine business communications, sometimes even using logos and signatures.
Why this scam works on real people
These frauds against UK businesses are effective because they prey on several human and organisational factors. Scammers understand that small business owners and their teams are often juggling many tasks, leading to less scrutiny of individual invoices, especially if they appear urgent or from a trusted source. The pressure to maintain good supplier relationships also plays a part.
The psychological impact of urgency and authority is significant. An email demanding immediate payment or claiming to be from a senior manager can bypass normal verification processes. Furthermore, the sheer volume of emails and invoices a small business processes daily means that one fraudulent item can easily slip through, especially if it's well-crafted. The NCSC (National Cyber Security Centre) highlights how BEC attacks exploit human trust rather than technical vulnerabilities.
Step-by-step: how the scammer sets it up
Scammers typically follow a pattern to execute this type of fraud against UK businesses. It often begins with reconnaissance, where they gather information about your business, your suppliers, and your payment processes. This might involve monitoring public social media, company websites, or even previous data breaches.
- Information Gathering: The scammer researches your business, identifying key suppliers, typical invoice amounts, and even names of employees involved in financial transactions. They might look for details like your accounting software or payment cycles.
- Email Impersonation: They create email addresses that closely resemble those of your genuine suppliers or internal staff. This could be a subtle typo (e.g., "supplier@gmaiI.com" instead of "supplier@gmail.com") or a completely spoofed address.
- Crafting the Fake Invoice/Request: A convincing fake invoice or payment request is drafted. This often includes accurate details like your company name, a plausible service description, and a realistic amount, making it look legitimate. Sometimes, they'll claim a change in bank details for a known supplier.
- Sending the Attack: The fraudulent email is sent, often timed to coincide with busy periods or when key staff might be absent. The email will usually contain an urgent request for payment or a notification of updated bank details.
- Pressure and Follow-up: If the initial email doesn't get a response, the scammer might send follow-up emails, increasing the pressure and urgency to complete the payment, sometimes threatening late fees or disruption of services.
Five red flags you can spot in under a minute
Even the most sophisticated fake invoices or BEC attempts often have tell-tale signs if you know what to look for. Training yourself and your team to spot these can save your business a significant amount of money and stress.
- Sender's Email Address: Always check the full email address, not just the display name. Does it exactly match your known contact's email? Look for subtle misspellings, different domains (e.g., @outlook.com instead of @supplier.co.uk), or extra characters.
- Urgent or Unusual Language: Be wary of emails demanding immediate action, threatening consequences for non-payment, or using language that seems out of character for the sender. Scammers often create a sense of panic.
- Unexpected Bank Detail Changes: Any request to change bank account details, even from a known supplier, should be treated with extreme caution. This is a common element in Bermuda fake invoice scams and other BEC attacks.
- Generic Greetings or Sign-offs: If an email from a supposed long-term supplier uses a generic greeting like "Dear Customer" or has an unprofessional sign-off, it's a red flag.
- Poor Grammar or Spelling: While some scammers are improving, errors in grammar, punctuation, or spelling can still be indicators of a fraudulent message. Genuine businesses typically proofread their communications carefully.
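The sender-address check above can be automated. The following is an added example, not part of the original guide: it compares the real address in a From header against domains from your own supplier records and flags lookalikes such as "gmaiI.com". The domain list and sample headers are constructed, and the Reply-To comparison goes slightly beyond the text.

```python
import unicodedata
from email.utils import parseaddr

# Assumption: domains copied from your own supplier records (constructed values).
KNOWN_DOMAINS = {"supplier.co.uk", "gmail.com"}
# Characters that look alike in most fonts, folded to one canonical letter.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

def skeleton(domain):
    """Fold a domain to its visual form so gmaiI.com and gmail.com collide."""
    folded = unicodedata.normalize("NFKC", domain).translate(CONFUSABLES).lower()
    return folded.replace("rn", "m")  # "rn" is easily read as "m"

def edit_distance(a, b):
    """Levenshtein distance: single-character typos needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, reply_to=None):
    """Return the red flags found in one message's From / Reply-To headers."""
    flags = []
    address = parseaddr(from_header)[1]  # ignore the display name entirely
    domain = address.rpartition("@")[2]
    if domain.lower() not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if skeleton(domain) == skeleton(known):
                flags.append(f"lookalike of {known} (confusable characters)")
            elif edit_distance(domain.lower(), known) <= 2:
                flags.append(f"near-miss of {known}")
        if not flags:
            flags.append("domain not in supplier records")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain != domain.lower():
            flags.append("Reply-To goes to a different domain")
    return flags

if __name__ == "__main__":
    # Constructed sample headers, not taken from real messages.
    for header in ('"Acme Accounts" <supplier@gmaiI.com>',
                   "Accounts <accounts@supplier.co.uk>",
                   "Accounts <accounts@outlook.com>"):
        print(header, "->", check_sender(header) or "no flags")
```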
How to verify safely without confronting the scammer
If you suspect a fake invoice or a fraudulent payment request, it's crucial to verify its authenticity without alerting the potential scammer. Direct confrontation might make them disappear or escalate their attempts.
- Use Known Contact Information: Do not reply to the suspicious email or use any contact details provided within it. Instead, find the supplier's contact information from your records (e.g., a previous legitimate invoice, their official website, or your internal contact list).
- Call the Supplier Directly: Phone the supplier using a number you know to be genuine. Ask to speak to your usual contact or their accounts department to confirm the invoice or bank detail change.
- Internal Verification: If the request appears to be from an internal colleague, verify it through a different communication channel, such as a phone call to their direct line or an in-person conversation. Do not reply to the email.
- Cross-Reference with Purchase Orders: Check if the invoice corresponds to a legitimate purchase order or service agreement. If there's no matching PO, question the invoice's validity.
- Check Payment History: Review your payment history with that supplier. Does the amount or frequency of the invoice seem unusual?
What to do in the first hour if you've already paid or shared details
Discovering you've fallen victim to a fake invoice scam or business email compromise can be incredibly distressing. However, swift action in the first hour can significantly improve your chances of recovering funds or mitigating damage.
- Contact Your Bank Immediately: As soon as you realise a fraudulent payment has been made, call your bank's fraud department. Explain what has happened and ask them to try and recall the payment. Provide them with all transaction details.
- Gather All Evidence: Collect all relevant emails, invoices, and payment confirmations. This evidence will be crucial for your bank and for reporting the crime to Action Fraud.
- Isolate Affected Systems (if applicable): If you suspect your email system or network has been compromised as part of a BEC attack, take immediate steps to secure it. Change passwords, inform your IT support, and consider isolating affected devices to prevent further access.
- Inform Key Staff: Alert your accounts team and any other relevant staff members about the incident. This helps prevent further fraudulent payments and raises awareness within your organisation.
- Review Recent Transactions: Check all recent bank statements and payment records for any other suspicious activity. Missed tax payments or unusual deductions could be signs of broader compromise.
UK-specific reporting routes and your consumer rights
Reporting fraud is vital, not just for your own business but also to help authorities track and stop these criminal networks. In the UK, there are clear channels for reporting and avenues for seeking advice.
- Action Fraud: This is the UK's national reporting centre for fraud and cyber crime. You should report all instances of fraud to Action Fraud, even if you've recovered your money. They will provide you with a crime reference number, which can be useful for insurance claims. You can report online or by calling them.
- Your Bank: As mentioned, contact your bank immediately if you've made a payment. Banks have procedures for attempting to recall funds and can advise on securing your accounts.
- NCSC (National Cyber Security Centre): For advice on cyber security and how to protect your business from attacks like Business Email Compromise, the NCSC offers valuable resources and guidance. They also have a reporting tool for suspicious emails.
- Citizens Advice: For general advice on consumer rights and what to do if you've been a victim of fraud, Citizens Advice can offer support and direct you to other relevant services.
- ICO (Information Commissioner's Office): If personal data has been compromised as part of the fraud, or if you suspect a data breach, you may need to report it to the ICO.
- HMRC (HM Revenue & Customs): If the fake invoices involve HMRC, or if the scam involves tax-related matters, you should also inform HMRC directly. They have specific channels for reporting tax fraud.
- Small Claims Court: If you've suffered financial loss due to a scam and have identified the perpetrator (though this is rare in these types of fraud), you might consider pursuing a claim through the small claims court. However, this is usually a last resort and often not practical for international scams.
How FakeFind Pro can help (and what we don't do)
FakeFind Pro is a British consumer-protection service dedicated to helping individuals and small businesses navigate the complex world of online fraud. We understand the stress and potential financial impact of business fraud in the UK, including fake invoice scams and Business Email Compromise. Our goal is to empower you with the knowledge and tools to recognise and avoid these threats.
We provide analysis of suspicious communications, helping you to identify the subtle signs of fraud that might otherwise go unnoticed. This includes examining email headers, attachment metadata, and linguistic patterns to determine authenticity. Our expertise lies in identifying the technical and behavioural indicators of scams.
How we can help:
- Email Analysis: We can examine suspicious emails for tell-tale signs of spoofing, phishing, or BEC attempts, such as unusual sender details, hidden links, or metadata inconsistencies.
- Document Verification: We can help you scrutinise invoices and other documents for diffusion artefacts, EXIF stripping, or other indicators of digital manipulation.
- Risk Assessment: We offer guidance on common scam techniques, helping you to build a stronger defence against future attacks.
- Actionable Advice: We provide clear, step-by-step instructions on what to do if you suspect fraud, including how to report it to the correct UK authorities.
What we don't do:
- We do not recover lost funds: While we can help you understand the scam, we are not a financial recovery service. Fund recovery is typically handled by your bank and law enforcement.
- We do not provide legal advice: Our guidance is for informational purposes. For legal matters, you should consult with a qualified legal professional.
- We do not contact scammers on your behalf: Engaging directly with fraudsters can be risky. Our focus is on empowering you to protect yourself.
- We do not act as an official reporting body: You must report fraud directly to Action Fraud and your bank.
- We do not store your personal financial details: Your privacy is paramount. We only require information relevant to analysing the suspected fraud.