Why payment fraud is the #1 financial risk for SMBs in 2026
Ransomware gets the headlines. Payment fraud quietly takes more money out of small businesses every quarter — usually without anyone noticing for weeks.
The reason is simple: payment fraud doesn't need to break anything. No malware, no encrypted files, no ransom note. Someone just convinces your finance person to send money to the wrong bank account. By the time the real supplier asks where their payment is, the funds have already been moved through 3–4 mule accounts and are gone.
For a 5–50 person business, a single successful incident is typically €8,000–€120,000. Insurance recovery rates on social-engineering wire fraud in the EU and Israel sit around 20–30%, often less.
The 5 patterns we actually see
1. Supplier email takeover (the most common)
An attacker compromises *your supplier's* mailbox — not yours. They sit quietly, read months of email, and learn the relationship: how invoices look, what amounts are normal, who approves what.
Then they wait for a real invoice to go out, intercept it, and resend the same PDF with one change: the IBAN. The email comes from the real supplier address. The signature, formatting, and PDF template are identical. Only the bank account is different.
> Red flag: A long-standing supplier sends you "updated bank details" by email — especially close to an existing invoice due date.
2. CEO / founder impersonation
A finance employee gets a message — email, WhatsApp, sometimes SMS — that looks like it's from the founder: *"I'm in a meeting, need you to push through an urgent transfer to this account today, will explain later."*
The domain is usually a lookalike (techsuit.io → techsuit-io.com, or techsuıt.io with a Turkish dotless ı). On WhatsApp, the profile photo is the real founder pulled from LinkedIn.
> Red flag: Urgency + secrecy + a payment request that bypasses normal approval flow. Always.
3. Invoice manipulation inside your own mailbox
The attacker compromises *your* mailbox first — usually through a phished Microsoft 365 password with no MFA. Once inside, they set up a mailbox rule that auto-forwards or deletes any email containing words like "invoice", "payment", "bank", or "IBAN".
Then they impersonate your finance team to your customers, and your customers to your finance team. Money flows out before anyone realises both sides are talking to a stranger.
4. Payroll redirect
Around payroll dates, HR receives an email from "an employee" requesting that their salary be paid to a new account. It's plausible — people switch banks. The change goes through, and one employee's monthly salary lands in a fraudulent account.
Small loss per incident, but trivially easy to execute and often repeated month after month before being discovered.
5. Fake invoice / fake supplier
A finance inbox receives an invoice from a supplier that *looks plausible* — domain-matched email, professional PDF, reasonable amount. It might reference a real project or a generic line item like "consulting services" or "domain renewal".
If no one strictly checks supplier onboarding, the invoice gets paid. We've seen €400–€2,000 invoices clear without anyone noticing the supplier didn't exist.
Why small businesses are the preferred target
Three reasons:
The controls that actually stop it
You don't need an enterprise security stack. You need 6 specific controls.
Control 1 — MFA on every mailbox (no exceptions)
The single highest-ROI security control for an SMB. ~95% of business email compromise starts with a phished password where MFA wasn't enforced. Microsoft 365 Conditional Access can enforce this for every user in one policy.
Control 2 — Mailbox rule auditing
Most BEC attacks set up forwarding or deletion rules. Microsoft Defender for Office 365 alerts on any new external forwarding rule. Without this, you can be compromised for weeks and never know.
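One way to run that audit across the whole tenant yourself, as an added example rather than code from the article: it uses the Exchange Online cmdlets Get-Mailbox and Get-InboxRule and flags the forwarding, deletion and keyword-filter rules described under pattern 3 above. The finance keyword list and the "moved to a folder and marked read" heuristic are assumptions, not something the article specifies.

```powershell
# Added example (not from the original article): scan every user mailbox in Exchange Online
# for BEC-style inbox rules. Assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run with an Exchange admin account.
$Keywords = @('invoice', 'payment', 'bank', 'iban', 'wire', 'remittance')  # assumed list

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)]$Rule)
    $reasons = @()
    # Sending mail outside the mailbox is the classic BEC persistence mechanism
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
        $reasons += 'forwards or redirects mail'
    }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    # Moving finance mail to an obscure folder and marking it read hides it from the owner
    if ($Rule.MoveToFolder -and $Rule.MarkAsRead) {
        $reasons += "moves to '$($Rule.MoveToFolder)' and marks as read"
    }
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
    $hits = $words | Where-Object {
        $w = $_
        $w -and ($Keywords | Where-Object { $w.ToLower().Contains($_) })
    }
    if ($hits) { $reasons += "matches finance keywords: $($hits -join ', ')" }
    return $reasons
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding set by an attacker bypasses inbox rules entirely, so check it too
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            RuleName = '(mailbox forwarding)'
            Enabled  = $true
            Reasons  = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @(Test-SuspiciousInboxRule -Rule $rule)
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize -Wrap
```

Run it on a schedule and diff the output against the previous run; a rule the mailbox owner did not create is the cue to reset the password, revoke sessions and check the sign-in logs.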
Control 3 — Out-of-band callback verification
A non-negotiable rule for finance: any bank detail change, or any new wire over a threshold (€2,000–€5,000), is verified by phone — using the phone number you already have on file, not one from the email.
Print this on a card. Put it on the finance person's monitor. It will stop more fraud than any software.
Control 4 — Dual approval for wires
Two people must approve any outbound payment above a threshold. Most banks (Greek, Israeli, and Spanish business banking included) support this natively in the business portal. Enable it.
Control 5 — Supplier onboarding checklist
New suppliers don't get paid until: (a) someone has spoken to them on the phone using a number from their official website, (b) bank details are received via that verified channel, (c) a manager has approved the supplier record.
Control 6 — Domain protection (SPF, DKIM, DMARC)
Properly configured DMARC at p=reject prevents attackers from sending email *as your domain* to your customers. Without it, your customers are an attack surface you don't control.
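An added example (not material from the article) that checks a DMARC TXT record for the settings that actually matter and contrasts a monitoring-only record with an enforced one. The sample records and the domain example.com are constructed placeholders.

```powershell
# Added example (not from the original article): evaluate a DMARC record the way an auditor
# would, then compare the weak "p=none" record most domains never move past with a hardened one.
function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # DMARC is a list of tag=value pairs separated by ';', e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        $kv = $part.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $issues = @()
    if ($tags['v'] -ne 'DMARC1') { $issues += 'missing or invalid v=DMARC1 tag' }
    if ($tags['p'] -ne 'reject') {
        $issues += "policy is p=$($tags['p']); mail spoofing your domain is still delivered"
    }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) {
        $issues += "pct=$($tags['pct']) applies the policy to only part of the mail"
    }
    if (-not $tags['rua']) { $issues += 'no rua= address, so you receive no aggregate reports' }
    if ($tags['sp'] -and $tags['sp'] -ne 'reject') {
        $issues += "subdomain policy sp=$($tags['sp']) is weaker than the main policy"
    }
    return [pscustomobject]@{ Policy = $tags['p']; Hardened = ($issues.Count -eq 0); Issues = $issues }
}

# Constructed sample records for a placeholder domain
$weak   = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
$strong = 'v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; fo=1'

Test-DmarcRecord $weak     # Hardened = False, three issues listed
Test-DmarcRecord $strong   # Hardened = True

# To check a live domain instead of the constructed strings:
# (Resolve-DnsName -Name _dmarc.example.com -Type TXT).Strings -join '' | ForEach-Object { Test-DmarcRecord $_ }
```

p=reject only blocks spoofing once every legitimate sender (Microsoft 365, your invoicing tool, any newsletter service) passes SPF or DKIM with alignment, so move from p=none to p=quarantine to p=reject while reading the rua reports rather than switching straight to reject.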
What to do in the first 60 minutes after a fraudulent transfer
Speed matters more than anything else.
The 30-minute mark is roughly when funds typically leave the first receiving account. Past that, recovery rates fall sharply.
What this costs to implement
For a 10-person business, the full stack — MFA, Defender for Office 365, mailbox rule alerting, DMARC, documented dual-approval and callback procedures — runs about €15–25/user/month on top of standard Microsoft 365 licensing.
A single prevented incident pays for the entire program for 5–10 years.