The impact of fraud and scams on businesses can be detrimental, and with over 5.7 million SMEs in the UK, it’s essential that businesses and employees stay vigilant as we near the end of the tax year.
In the first half of 2025 alone, £20.7 million was stolen through CEO and Invoice and Mandate fraud, according to UK Finance’s Half Year Fraud Report. As the end of the tax year approaches, SMEs face one of their busiest periods – processing invoices, paying suppliers, and closing off accounts.
It’s exactly this surge in activity that makes businesses a target for criminals, who exploit the pressure and pace to slip fraudulent requests into everyday workflows. With millions lost each year to these types of fraud, staying alert to the threat of scams during this time isn’t just good practice – it’s essential to protecting your business.
But what are CEO and Invoice & Mandate scams?
A CEO scam is when a criminal impersonates a CEO or senior manager to trick employees into making payments to the criminal. They can gain access to your business’s email account or use spoofing software to email a member of the finance team with what appears to be a genuine request.
An invoice and mandate scam happens when criminals pose as trusted suppliers, contractors or service providers. They try to provide new or amended bank account details, so you’re tricked into sending money to an account they control.
So, why do criminals target SMEs?
SMEs in particular can be targets for these types of scams, with one in four SMEs experiencing fraud in the 12 months prior to the Economic Crime Survey 2024. Criminals know these businesses can often have smaller teams, remote-working processes, and fewer internal walls of security. Criminals can spend hours researching an organisation, and use sophisticated techniques and AI technology to impersonate senior leaders or trusted suppliers.
Let’s take the example of an employee working in a small business. It’s 4pm on a Friday and the finance manager receives an email that appears to come from the CEO. It’s marked urgent. The message is brief, clear and simple. A payment needs to be made that day to secure a deal and, because it’s sensitive, the CEO has asked that it not be shared with anyone else. As the task is urgent, the employee makes the payment straight away.
For many SMEs, scams such as CEO and impersonation fraud, or invoice and mandate fraud, do not usually rely on sophisticated hacking alone. They rely on social engineering to create pressure, familiarity, and urgency to trick someone into doing something they normally wouldn’t.
What red flags can SMEs look out for?
- Changes in bank details. This should always spark concern and changes in bank details should be verified before making a payment.
- New suppliers. When paying someone for the first time, always transfer a small amount of money first and check if the payment has been received directly by the company.
- Urgent requests. Always confirm urgent payment requests directly with the sender, in person or over the phone. If you’re unsure, ask a colleague.
- Irregularities. Make sure all staff know to check for irregularities before processing any payments and changing bank details.
What steps can SMEs take to protect themselves?
- Always question changes in payment information and confirm details directly with suppliers using the contact information you have on file. Companies rarely change their bank details.
- Ensure you have robust payment processes and cyber security in place to protect your business, and educate employees on these.
- Be careful with the type of information you share online about your business – criminals can use any information they find to make their scams seem more convincing.
If you do think you’ve been targeted or scammed, escalate it internally and contact the bank immediately.
Head to our ‘Protect Your Business’ page to learn more about how you can protect your business from scams.
And always remember…
When faced with any requests for your personal or financial information:
Stop: Take a moment to stop and think before parting with your money or information. It could keep you safe.
Challenge: Ask yourself, could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
Protect: Contact your bank immediately if you think you’ve been scammed and tell the Police at reportfraud.police.uk or on 0300 123 2040.