What types of Business Impersonation Fraud should I be aware of?

Cyber attacks in 2021 are much more frequent and more complex because they are enabled digitally. To stay secure against business impersonation fraud, it’s important to educate your staff and make sure they verify payment details before paying invoices.


New figures from UK Finance show the number of impersonation scam cases has more than doubled in the first half of 2021. Criminals stole £129.4 million through this type of fraud in the first half of 2021. In the same period last year, there were nearly 15,000 impersonation scam cases, which led to £57.9 million being stolen.


Criminals stole £129.4 million through impersonation fraud in the first half of 2021 (via UK Finance).

What should you look out for?

  • If a client requests a change of payment details for long-standing invoices (especially via email), staff should confirm the account details with their known contact over the phone.

  • For an extra layer of security, you should consider using a test payment to confirm that payment has been received.

  • Make sure all your staff who deal with invoices know this process! Embed this additional layer of training when onboarding new employees and check in periodically to keep staff aware of any additional changes to your processes.

  • Cyber-attackers often time impersonation scams to coincide with holidays (Summer, Christmas, Easter). They will step up their efforts when a key member of staff who would usually oversee invoices is away on holiday, so make sure staff are reminded of this type of attack during those periods.

CEO Fraud

This type of Business Impersonation Fraud is when attackers attempt to spoof or take control of a senior leader’s email address.


Attackers will often send emails requesting that a payment be made urgently. Your staff should double-check the sort code, account number and amount(s) being requested to avoid falling victim to this type of fraud.


We recommend that your staff know to get verbal confirmation of any payment request they receive from senior management.


Invoice Fraud

This type of Business Impersonation Fraud is when a cyber-attacker sends a fake invoice, hoping that it will slip into your inbox unnoticed and be paid without question.

Cybercriminals will often have spent time researching before sending the invoice to staff. They will look to send the request at times when they have the maximum chance of success - busy payment periods (payroll weeks, end of tax year, Christmas).


How do you know what is a genuine invoice versus a fraudulent invoice?

  • Does the invoice show a change in details? (Account number and sort code)

  • Always verbally confirm any change in payment details within your company.

  • Get senior staff approval on payment details before sending money for the first time to a new contact.

  • Don’t be afraid to make a call to check up on an invoice. But use contact details you have stored on file or saved in your CRM system. Don’t trust the phone number if it’s different on the invoice - this could be fraudulent.

Don’t be afraid to say no

Research for the Take Five to Stop Fraud campaign found that 19% of people feel uncomfortable saying ‘no’ to a request for personal information from a stranger via email or text, with the number rising to 23% for requests made in phone calls. This could leave them at risk of an impersonation scam.

92% of people admit to saying ‘yes’ because they don’t want to appear rude. Saying ‘I’m not sure’, ‘I don’t think so’, ‘Let me think about it’ or ‘I can’t at the moment’ can all give criminals a way in.


The Take Five to Stop Fraud campaign advice is to:

STOP: Taking a moment to stop and think before parting with your money or information could keep you safe.


CHALLENGE: Could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.


PROTECT: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud.


Worried about your staff?

The Cyber Resilience Centre for the South East can deliver your staff security awareness training through a half-day session either online or in-person in your office. Our security awareness training session is interactive for attendees and builds upon key learnings through examples specific to your business and the industry you work in.


Ready to prepare your staff with security awareness training? Contact us today to learn more.
