The convergence of online transactions, automated payment systems, poor deployment of matching tools and generative AI have created the perfect conditions for the profession to be under siege. The government has made announcements to help secure the UK, but will their measures be sufficiently timely and impactful to make the difference?

Fake payments in fake banking apps 

Scammers have developed fake banking apps to dupe businesses, using them as props to mimic real banking apps when purchasing items in person. As reported by the BBC, the stories often centred on individuals selling items on social media marketplaces; scammers arrive to purchase the item, show the victims the fake banking app or even have them insert their details into the false app and then leave with the goods – without the money actually being transferred. 

Those of you who operate or advise small businesses that accept bank transfers should not exchange goods until receiving confirmation of the funds being in your own account, and not accept a buyer’s app payment confirmation as proof. 

Is this a real receipt?

Concerns were voiced this month that the latest image generator for ChatGPT-4o could be used to generate fake receipts with logos, creases, stains, real barcodes and VAT numbers, dates and times which match up with diaries and other markers used by expense software. 

Something that used to require graphic design skills and time now just needs a subscription payment. Finance teams need to be attentive to the emerging risk that claims, while convincing, may be fraudulent. The risk is not just limited to employees; criminals might move to scams where they impersonate employees to submit these claims. Members should be diligent about anomalous expenses, check with vendors and adhere to your controls.

Invoice risks

Invoice fraud is also on the rise at the same time as these new scams are emerging. Last year Ivalua, a spend management provider, announced that a third of businesses had fallen victim to invoice fraud in 2024. They found that firms without automated matching of invoices to orders, contracts and vendor payments were most susceptible. While invoice fraud is not new, the ease with which fraudulent invoices can now be generated will likely only make the issue more pronounced. 

This fear is only going to add to the crisis in late payments. In the existing chaos, businesses are already sometimes uncertain whether suppliers have already been paid; adding fears of deepfake communications, fraudulent documentation and invoices will only increase delays for checking. Members need to be alert as fraudsters use AI more often to generate these invoices, receipts, communications, and even payment confirmations. 

There are tools in development to counter this rising threat, but it remains unclear how effective they will be at detecting these false claims in isolation. 

Government plans

Against this siege of fakery, the government has been producing resources and plans for bolstering the security and resilience of the UK. It recently published the results of the annual cyber breaches survey, which found that while the number of breaches seems to have declined from the previous year, external reporting of breaches was still poor, cybercrime is still prevalent and awareness of many of the government's resources to support smaller businesses was in steady decline. 

The Department for Science, Innovation and Technology (DSIT) published its final Cyber Governance Code of Practice, which is part of the free resources created for board members to strengthen their understanding of cyber. We are hosting a webinar to cover the details of this Code on 21 May.

Alongside the Code of Practice, DSIT published a policy statement laying out what will be in the upcoming Cyber Security and Resilience Bill announced in the King’s Speech last year. It will seek to update existing cyber legislation, bringing supply chains of critical infrastructure into the regulatory perimeter, give the Information Commissioner’s Office (ICO) more powers over tech companies, as well as empowering sectoral regulators to recoup costs when investigating cyber incidents and disruptions of critical services.

The Home Office has also closed its consultation on building a new regime for ransomware payments, where they sought views on the possibility of banning ransomware payments from critical national infrastructure and local government, threshold-based payment prevention mechanisms, and a mandatory incident reporting regime.

Cyber Essentials: a must-have

We strongly recommend that organisations begin looking at the government-backed scheme Cyber Essentials and consider being certified under Cyber Essentials Plus. These are tailored for smaller businesses but, as regulatory requirements on larger firms will force them to look at third parties and the security risks they represent, it is likely many will demand that these entities are certified under Cyber Essentials Plus. St James Place, a financial services company, mandated this of their 2,800 partnership members and saw an 80% reduction in cyber incidents since 2023. This also included steering even ‘low risk’ suppliers towards getting the certification.