The £47,000 mistake that can end a small business

We received a note last week from the Home Office's Fraud Policy Unit. The message was blunt. Small businesses are being targeted by cyber fraudsters, and many are suffering significant losses. 

They asked us to pass three things on to our members. We are doing that below, with some context on why the problem is getting worse.

The scale 

Fraud is now the most common crime in England and Wales. The Crime Survey for England and Wales recorded 4.4 million fraud incidents in the year ending December 2025. And this cost falls on businesses. The Home Office's most recent estimate puts the annual cost of fraud to UK businesses at £5.2 billion. 

Invoice fraud is a particular problem for small firms. In September 2025 alone, victims lost £3.9 million across 83 reported cases, averaging more than £47,000 per case. 

For a sole trader or a five-person firm, losing that in a single transfer can end the business. 

Why the threat is moving faster 

Attacks are getting cheaper to run and harder to spot. Criminals already use AI tools to write convincing phishing emails, clone voices for scam phone calls, and generate deepfake video meetings. 

This month, Anthropic announced Claude Mythos Preview, a frontier AI model that autonomously finds serious vulnerabilities in widely used software. The UK's AI Security Institute confirmed the model can execute multi-stage cyber attacks and discover vulnerabilities on its own, tasks that would have taken human experts days of work. 

Access to Mythos is deliberately restricted to trusted partners through Project Glasswing, a coalition including Amazon, Apple, Microsoft, and UK government agencies, precisely because its capabilities could be catastrophic in the wrong hands. 

The AI does not create new vulnerabilities; it exposes existing ones, making chronic underinvestment an immediate business risk. Many organisations will need to increase cyber security spending, potentially doubling current levels significantly, and small firms are expected to feel the effects downstream. 

What the experts say

For Ruth Wildman, founder of Millstream Technology and an Enterprise Nation cyber security adviser, the evolution is both rapid and unnerving. Based in Wooburn Green, Buckinghamshire, she’s been helping small businesses navigate the evolving threat landscape since her company began trading in 2001. With around 50 contract customers ranging from sole traders to companies with 250 employees, Ruth has witnessed firsthand how cyber security attitudes are shifting among small business owners. 

Millstream Technology acts as an outsourced IT department, managing entire IT infrastructures, support, communications and cyber security for clients. The timing couldn't be more crucial, as Anthropic's Claude Mythos Preview – described as one of the most powerful AI models to date with serious cyber security implications – can find and exploit vulnerabilities at a scale and speed that far exceeds human capability. Anthropic's own research confirmed the model identified thousands of zero-day vulnerabilities across every major operating system and browser. 

Ruth says:

"We tend to see two sides when it comes to security. Some clients are really keen and want everything set up correctly to keep their data secure. Then you get the other side, where having secure passwords and multi-factor authentication is just seen as an inconvenience until something happens to them." 

The emergence of AI-powered cyber security tools like Mythos highlights how AI exposes existing vulnerabilities. Many organisations will thus need to significantly increase their spending, while strengthening cyber security fundamentals provides significant protection against AI-enabled attacks. 

For small businesses, Ruth warns that the real danger from advanced AI models isn't necessarily direct attacks on their systems:

"The bigger risk could be attacks on services they rely on – their bank, their communications systems.

"Small businesses need to think about how their office will continue to operate if some of the technology they depend on becomes unavailable."

Ruth emphasises that less resourced organisations need sufficient support in testing and patching their systems, particularly as the cyber security landscape evolves rapidly.

"It's about education and being aware. Zero trust – trust nothing until you've checked it out." 

With the UK's Cyber Security and Resilience Bill progressing through Parliament, Ruth expects compliance requirements to trickle down supply chains, making cyber security preparation essential for businesses of all sizes. 

Three most prevalent small business cyber threats 

The methods haven't changed fundamentally. What's changed is the scale, speed, and psychological precision with which they're deployed.

• Invoice fraud: Criminals impersonate a supplier, intercept emails, or swap bank details so a genuine payment lands in their account rather than the supplier's. 

• CEO fraud: An urgent email, text, or cloned voice pretending to be the business owner pressures a staff member to transfer money fast. 

• Business email compromise: Criminals get into your email account and use it to impersonate you to customers and suppliers. 

All three rely on urgency and trust. Slowing down and verifying is the fix. 

The three habits that stop most of it 

The NCA and NatWest campaign on invoice fraud, launched in January, puts the defence in three steps: 

• Check for any changes to invoice details, bank details, or unusual pressure for urgent payment. 

• Verify by calling the supplier on a number you have used before, not one in the email. 

• Never transfer money until you are fully satisfied that the details are correct. 

Share these steps with anyone in your business who handles payments. It takes minutes to do, and it is the single most effective thing you can put in place this week. 

If you work in construction, read this 

The NCA has launched a second campaign with the National Federation of Builders aimed specifically at construction firms. Construction is especially exposed. Long supply chains, multiple subcontractors, high-value payments, and a lot of email correspondence create more points for criminals to intercept. If you work in the sector, the NCA's information sheet is essential reading. 

Ruth's top three cyber security tips for small businesses: 

• Train your staff: Take advantage of free training available through the National Cyber Security Centre, both remote and in-person sessions. Also, look at the government’s Stop Think Fraud campaign checklists. 

• Invest in proper antivirus protection: Ensure all equipment is covered by a suitable antivirus product like ESET that includes physical devices, network and cloud services. 

• Develop AI policies: If using AI tools in your business, establish clear governance around which tools staff can use, ideally secure options like Microsoft Copilot rather than free AI tools that could expose your data. 

When prevention fails 

A new national cybercrime and fraud reporting system, Report Fraud, was launched by the City of London Police on 4 December 2025 to replace Action Fraud. Victims should report through this service immediately. 

But reporting alone doesn't solve the problem. Small firms need faster routes to freeze fraudulent payments, quicker recovery mechanisms, and guidance designed for businesses without dedicated finance teams, not just corporate giants. 

Enterprise Nation welcomes the focus from government and industry partners.

Our COO, Polly Dhaliwal, says:

"Awareness campaigns, while vital, aren't enough. What's needed is structural change: faster account freezing when fraud is reported, simpler recovery processes, and protection mechanisms that don't require a compliance department to navigate. 

"A £47,000 loss can end a small business. Getting the basics right lies with business owners. Getting faster recovery when prevention fails lies with the government and banks. 

"The playing field isn't level. But it can't remain this tilted."

People also read

• Cyber security in 2026: What your business should be thinking about

• Why SMEs are dangerously unprepared for global cyber threats