UK small firms lag on cyber breach & ID fraud defences

New UK government research suggests fewer than half of small businesses can successfully identify a cybersecurity breach. The gap is concerning as criminals increasingly target smaller firms and their payment processes.

The research found 42% of small businesses could identify a cybersecurity breach in 2025. Larger organisations typically perform better because they often have dedicated IT and risk teams, along with more formal controls.

Remote working has expanded the ways staff access company systems and data, increasing identity and access risks across devices, networks and locations.

Adam Bennett of UK ID card provider Digital ID said many smaller firms still treat cyber risk as a narrow technical issue. He argued that identity fraud now sits at the centre of many attacks, from supplier payments to staff access.

Supplier fraud

One common route involves criminals changing supplier bank details. Attackers impersonate a legitimate vendor and ask for payments to be sent to a new account. The request often arrives by email and relies on busy teams acting quickly, or on established relationships where requests are rarely questioned.

"One of the most common ID-related breaches affecting small businesses is fake supplier bank detail changes, where criminals impersonate legitimate vendors and request payments to new accounts," said Bennett.

Payment redirection scams can lead to direct losses and disputes with genuine suppliers. They can also delay goods and services and create extra internal work to investigate what happened. In some cases, attackers target multiple invoices over time, masking the pattern of fraud.

"Ultimately, this can lead to a business losing thousands of pounds simply because they didn't verify a supposed supplier's email requesting a bank account change. A simple prevention protocol is to call the actual supplier using their original contact details," Bennett said.

Impersonation risks

Bennett also highlighted employee impersonation scams, in which fraudsters claim to be staff to gain access to premises or systems. In a hybrid environment, this can extend to remote requests for password resets, changes to login details, or access to accounts.

"Employee impersonation scams have also risen, with fraudsters gaining access to sensitive systems by pretending to be staff members to enter business premises. Once inside, they can steal data or initiate fraudulent transactions," Bennett said.

Such incidents often begin with small inconsistencies, such as unusual requests, a change in tone in a familiar email thread, or contact from an unexpected address or phone number. Attackers can also exploit staff turnover, where knowledge of who should have access to what may be limited and informal.

Onboarding gaps

Weak onboarding processes can create vulnerabilities involving suppliers, employees and customers. Small firms may accept emailed documents with minimal checks, especially when speed matters or a relationship seems low risk.

"Weak onboarding processes also create significant vulnerabilities that criminals quickly exploit. Small companies often accept emailed documents without proper verification procedures, fail to verify IDs, and skip essential fraud-screening steps," Bennett said.

These gaps can create longer-term exposure. Once an attacker gains a foothold using false identity information, they may keep access open for later use, including data theft or invoice fraud. Untangling these incidents can quickly become complex when records are incomplete or checks were not documented.

Beyond antivirus

Digital security for small firms often begins with antivirus software and basic firewalls. Many businesses also rely on standard email filters and ad-hoc password policies. Bennett said these measures do not cover the full range of identity and access risks.

"Importantly, most small businesses think cybersecurity finishes at installing antivirus software, which is far from the truth. They don't realise identity fraud is now an easy opening to attack. To a fraudster, a small business is the perfect target: cash flow, trust, and little to no identity controls," Bennett said.

"Small businesses often have a more trusting relationship, which is commendable but also exploitable. Without proper ID verification systems, criminals can easily pose as customers, employees, or partners," he added.

Immediate steps

For smaller firms, basic process changes can reduce exposure. Stronger controls around payment changes, onboarding checks and system access can reduce the risk that a single deceptive email or phone call leads to a loss.

"Outlining processes to prevent security breaches should be standard for any business, but particularly smaller businesses," Bennett said.

"Firstly, establish a formal identity verification policy for all new suppliers, employees, and customers. Second, never change payment details based solely on an email request. Always verify through a separate communication channel using previously established contact information," he said.

He also recommended investing in basic ID verification technology, training staff to recognise common identity fraud tactics, and implementing multi-factor authentication for all business systems.

"Finally, remember, what worked last year might not be sufficient today. Regular security assessments help identify new vulnerabilities before criminals can exploit them," Bennett said.