Business scam prevention checklist
Use this to reduce invoice fraud and business email compromise (BEC). Print or share with your finance and operations teams.
Privacy note: this is a checklist to read and print. Do not write OTPs, passwords, card numbers, bank details, or ID numbers onto it.
Invoice fraud checks
Most business losses start with a believable invoice or a quiet change to payment details. Build a habit of verifying before you pay.
- Treat any new invoice or a change to an existing one as unverified until you confirm it.
- Match invoices to a real purchase order and an expected amount before approval.
- Be cautious with invoices that arrive with urgency, a new contact, or a slightly different email address.
- Flag round-number or last-minute requests for manual review.
Payment change checks
- Always confirm new or changed bank details by phone using a number you already hold - never a number from the email.
- Require dual approval for payments and for any bank-detail change.
- Add a mandatory cooling-off step for first-time payees and for payments above an amount threshold.
- Keep a written record of who approved each change and when.
Vendor verification
- Call the real supplier on a known, previously verified number, not one taken from the current thread.
- Keep a trusted contact list for key suppliers and review it periodically.
- Confirm unusual requests through a second channel (for example, a call to verify an email).
Staff training
- Train staff to recognise invoice-redirection and business email compromise (BEC) patterns.
- Make it normal and safe to pause and verify, even when a request looks urgent or senior.
- Run short refreshers and share real examples from the scam types library.
WhatsApp & email impersonation
- Treat urgent "CEO", "director", or "supplier" payment requests as suspicious until verified in person or by calling a known number.
- Watch for look-alike domains, display-name spoofing, and new mobile numbers claiming to be a colleague.
- Enable two-factor authentication on all business email and messaging accounts.
- Not sure about a message? Check it with the message checker first.
Escalation process
- Agree in advance who to contact if a suspicious payment is spotted.
- Contact your bank immediately to recall or freeze a transfer.
- Report to police or your national cybercrime service via the reporting directory.
Evidence preservation
- Preserve emails, invoices, payment instructions, and approval logs.
- Reset compromised email passwords and review account access and forwarding rules.
- Keep a short incident note: what happened, when, and what was done.
This checklist is general educational information, not legal or financial advice. Adapt it to your own controls and seek professional advice for your specific situation.
Last reviewed: 2026-06-01.