At a glance
Fraud cases increased by 151% between 2021 and 2022 [1], and SMEs are often seen as a soft target.
SMEs are vulnerable to phishing scams and to frauds involving invoices and payroll. Threats can come from email systems and human vulnerability.
Having up-to-date security systems and separate portals for supplier and client communications could be beneficial. But even simple steps, such as calling relevant parties to verify transactions, can make a difference.
Fraud is an increasing problem for all UK businesses, including Small and Medium-Sized Enterprises (SMEs), and protecting your company has become critical. The value of fraud cases rocketed by a staggering 151% between 2021 and 2022, from £444.7 million to £1.12 billion, according to the KPMG Fraud Barometer 2022 [2]. But that data only registered cases over £100,000; there are likely many more frauds against SMEs below that value.
Criminals can view small businesses as soft targets, as they often don’t have enough awareness or resources to prevent fraud. Meanwhile, busy SME owners can see prevention and protection as a lower priority as their business grows.
What are the most common types of fraud facing SMEs?
Small and Medium-Sized Enterprises are vulnerable to a dizzying array of fraudulent activity. Embezzlement remained the most prevalent fraud by volume last year, followed by investment and advance-fee fraud, according to KPMG’s research [3]. Investment fraud involves a criminal posing as an investment services provider to convince you to transfer large sums of money. In advance-fee fraud, criminals persuade victims to pay for bogus goods or services upfront.
The most common frauds by value were money laundering, investment scams and fraudulently obtaining mortgages – all these crimes rose dramatically between 2021 and 2022.
But there are many others. According to GoCardless, more common scams against small companies include online phishing attacks and frauds involving loans, accounts payable, payroll, and card and cheque payments [4].
Business owners must be hypervigilant because, while professional criminals are the biggest perpetrators, the threat can come from employees, management, private individuals, customers and other business contacts. Financial services is a particularly vulnerable sector because there is more potential value for fraudsters, but any company with money flowing in or out could be targeted from anywhere worldwide.
Apart from the financial loss, which could be crippling, fraud cases are often complex and can take a long time to prosecute.
What is the biggest mistake small businesses make?
Matthew Smith, Head of Cyber and Information Security at St. James’s Place, says the biggest threat to SMEs comes from fraudulent emails and human vulnerability.
“Fraud isn’t necessarily a sophisticated attack against your IT infrastructure,” he says. “It could be a simple deception using your normal communications, but subtly swapping minor details. They might change one letter in an email address, which is enough to deceive you if you don’t look too closely.”
Employees might then assume they’re talking to a colleague, client or supplier because they have a legitimate-looking email address and be deceived into sending financial details or even making a payment.
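The one-letter address swap described above can be checked mechanically. The following is an added example, not part of the original article: it compares an incoming sender address with addresses you already trust and flags near-misses. The trusted addresses, the sample senders and the distance threshold of 2 are assumptions made for illustration.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample data: addresses this business already deals with.
TRUSTED = {"accounts@acme-supplies.example", "payroll@northwind.example"}


def edit_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Two neighbouring letters swapped ("acme" -> "amce") counts as one edit.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(sender: str, trusted: Iterable[str] = TRUSTED,
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ("trusted" | "lookalike" | "unknown", closest trusted address)."""
    s = sender.strip().lower()
    known = sorted(t.lower() for t in trusted)
    if s in known:
        return ("trusted", s)
    # Find the trusted address closest to the sender.
    closest = min(known, key=lambda t: edit_distance(s, t), default=None)
    if closest is not None and edit_distance(s, closest) <= max_distance:
        return ("lookalike", closest)  # near-miss: verify by phone before acting
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, not real addresses.
    for addr in ["accounts@acme-supplies.example",   # exact match
                 "accounts@acme-supplles.example",   # 'i' replaced by 'l'
                 "accounts@amce-supplies.example",   # two letters swapped
                 "sales@othervendor.example"]:       # unrelated sender
        print(addr, classify_sender(addr))
```

A "lookalike" result is a prompt to stop and verify through another channel, not proof of fraud; an "unknown" sender simply has no close match in the trusted list.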
Gavin Welch, Deputy Money Laundering Reporting Officer for Financial Crime Prevention at SJP, says a similar risk is email account takeover, with criminals physically hacking into your email account and taking control of it to elicit financial details or payments from colleagues, customers or suppliers.
“Criminals can mimic the email address, so it looks the same,” says Gavin. “They can set up a separate inbox that only they see and control. You could be using your email and not know it’s hacked. Email security often isn’t robust enough in SMEs due to a lack of awareness of the risks and understanding of fraud types.”
How to protect against fraud in your business
Many fraud-prevention tools and technologies are available, including identity and authentication tools; fraud data and trace services; automatic monitoring; and anomaly detection.
However, Matthew says every company should start by making sure it has secure email and multi-factor authentication (MFA) turned on. “It isn’t necessarily expensive or time consuming – it might just take an hour to ensure you have the right security settings; the latest versions and updates of all software; and two-factor authentication on your accounts,” he says.
Matthew recommends using the government-backed Cyber Essentials website to learn the basics of email security and authentication.
“Cyber Essentials is suitable for all business sizes and digestible by anyone, even with no technical background,” he says. “You don’t need perfect security, but you must avoid being the worst or slowest as they get compromised. For example, if you haven’t thought about things like multifactor authentication on client or supplier accounts, you’re likely the most exposed.”
Creating a separate portal for clients to communicate via a login tends to be even safer, though it could be more expensive to set up and run. You could even avoid emails completely and send finance-related communications only through the portal.
To add security, you can independently verify the identity of every sender asking for money. “Our most successful control has been checking all transactions mentioned in emails by calling the client to confirm their identity on an independently verified phone number – not one supplied in the email,” says Gavin.
Also, you can train your staff to look out for red flags, such as incorrect grammar and spelling in emails or a different tone from normal business dealings, for example trying to elicit an urgent response while avoiding phone or face-to-face contact. A woman in Kent saved her employer half a million euros through such vigilance, according to a UK Finance case study [5].
What protection is available and how can we help?
An expensive fraud could be devastating to your business. Prevention is the best strategy, but if you do fall victim, business fraud insurance is available to mitigate the impact. This can also be covered by a commercial crime or business-interruption policy. Each business should identify its risk level and insure appropriately – it may seem like an extra cost, but companies are generally underinsured for major interruptions [6].
If you’re unsure about insurance levels in your firm, we can talk you through the risks and options. We can also help guide you on personal online security.
[1], [2], [3] KPMG, ‘Fraud barometer 2022’, February 2023
[4] GoCardless, ‘The most common frauds in small business’, August 2021
[5] UK Finance, ‘UK Finance warns SMEs of increased risk of targeted scams’, 12 January 2022
[6] Aviva, ‘Underinsurance explained – what it means to your business’, accessed 9 March 2023
SJP Approved 16/03/2023