Protect your business against impersonation fraud

Fraud and cyber related fraud is on the rise, and all businesses are vulnerable, this is why business leaders need to take the threat seriously and protect your business.


Cyber theft from data centre

“Business leaders set the tone for their company, take the threat seriously, raise awareness of how this fraud works, build controls into your processes and create a culture that encourages staff to question suspicious activity.”

Impersonation fraud is a rising epidemic in the UK and around the world. Financial Fraud Action UK claims that “impersonation and deception scams continue to be one of the primary drivers behind business losses to financial fraud so protect your business.

In many cases, impersonation fraud takes place after a cyber security attack has occurred. The cyber breach allows fraudsters to conduct reconnaissance, research and harvest valuable information which is used to make their attack very convincing.

46 per cent of businesses identified at least one cyber security attack or breach in the last 12 months according to the Government’s Cyber Security Breaches Survey 2017.

The two most common types of impersonation fraud attack targeting UK businesses are CEO fraud, where staff receive a payment instruction that purports to be from the CEO or other Heads of Department, and invoice fraud, where staff receive new payment information from a fraudster disguised as a supplier.

Putting impersonation fraud on your watch list

Impersonation fraud is relatively straightforward to carry out, however also fairly easy to mitigate the risk. Protecting a business is in everyone’s interests. As CEO or MD, you’re responsible for all aspects of the business, its culture, reputation, expenditure and the bottom line – impersonation fraud is a simple way of undermining those principles.

Openness in your business

One of the main reasons impersonation fraud succeeds is the culture in a business, fear of questioning an apparent direct order from the CEO can mean that money is paid without question. Or fear of admitting they may have been duped to click on a fraudulent link in an email can stop employees from reporting potential breaches.

Money moves in milliseconds, so every minute matters – the sooner a fraud or malware breach is notified, the greater chance there is of preventing an attack or getting the money back. Business leaders need to foster a culture of openness, no-blame and awareness.

Delete the opportunity for fraud

Tackling impersonation fraud requires a two-pronged attack, covering both culture and processes. For example, requiring dual-authorisation for payments, a clear chain of command and setting levels for access and limits for authorisation are all changes CEOs can effect within their organisation in order to help thwart the fraudsters. Regular staff training and testing also encourages ongoing awareness.

Fraudsters are organised and plan, often taking advantage of periods of change or busy times when staff may be stretched. Time around bank holidays can be prime targets,

Review processes to keep pace with change

Creating and reviewing processes may not be exciting, but it is important. As you grow review all process and training documentation to cope with an increase in staffing levels, suppliers, contractors and so on.

Business disruption, loss of confidence, reputational damage, compromised cash flow and actual financial loss are all potential consequences.Businesses aren’t always aware they’ve been hit. Many fraudsters will take relatively small amounts from a number of businesses so they’re less likely to be caught, but many businesses losing £20k, £50k and more. Amounts that have the real potential to wipe out their working capital and maybe have catastrophic business outcomes.”

How to reduce your risk

Simple steps businesses can take to reduce their exposure:

  1. Make staff aware of the cyber-security threat – and keep reminding them.
  2. Put controls in place – signatory limits or authorisation protocols, for example.
  3. Take Five – if something doesn’t look or feel right, ensure staff won’t feel pressurised to act.
  4. Verify everything – create processes where staff will check and refer requests to change beneficiaries or make out of the ordinary payments; a phone call to check can make all the difference.
  5. Train and test – undertake a false phishing exercise to test how staff respond.


Business leaders set the tone for their company, take the threat seriously, raise awareness of how this fraud works, build controls into your processes and create a culture that encourages staff to question suspicious activity.