What is Phishing and Spoofing (and Why Small Businesses Should Care)


The post What is Phishing and Spoofing (and Why Small Businesses Should Care) appeared first on Clic.

Ever wondered ‘what is phishing?’, or ‘what the heck is spoofing’, and how they might actually hurt your business? Or have you received a strange email, or a message saying “potential spoofing” or “this message seems dangerous”, and wondered what those warnings actually mean?

In a nutshell, phishing is when you receive an email or text that tries to get you to click a link or give sensitive information. Spoofing is the act of pretending to be someone else so the fake message looks real. You can have phishing without spoofing, like a sloppy email that just asks for your password without trying to look official. You can also have spoofing without phishing, like someone faking their caller ID as a prank but not trying to steal anything.

But scammers often combine them: they spoof an address or number to make a phishing email or call look real.

And when they do, it can cost your business big time.

Why phishing and spoofing matter for small business finances

For small businesses, phishing and spoofing aren’t just annoying spam. They’re real financial risks. The goal is usually money: tricking you into paying fake invoices, handing over payroll details, or clicking links that let malware drain your accounts.

As someone who spends a lot of time inside small business finances, I’ve seen how a single “oops” click can create a mess: fake supplier payments, stolen bank details or accounting systems locked up with ransomware. These scams don’t just cost money – they eat up hours of admin, cause missed deadlines, and can even trigger HMRC penalties if filings are delayed.

So don’t just delete that phishing alert email from Google – make sure you stay vigilant.

How phishing and spoofing actually play out

Here’s how it typically goes: a fraudster sends an email that looks like it’s from a trusted source. It might be from your bank, accountant, colleague or a supplier. They spoof the sender’s address so it really does look like it came from someone you know (and yes, they can forge the “From” field so the address shown is identical to your trusted contact’s). The email might ask you to:

  • pay an “urgent” invoice
  • click a link to “confirm your account details”
  • download an attachment to “fix an issue”

One click or quick payment later and… money gone, data stolen or your systems infected.

We’ve seen phishing emails from Companies House (asking you to complete a payment for enhanced Web Filing Access), from HMRC (asking for payment for outstanding taxes) and many others that look shockingly genuine.

Payroll fraud is another favourite. You’ll get a fake email from a “staff member” from HR, asking you to update your bank details. Next payday, wages land in the fraudster’s account.

And it’s not just email. Text messages (“smishing”) and phone calls (“vishing”) are common too – think fake delivery texts or “HMRC” calls demanding payment.

Steps to protect your business

The best defence is tightening up your processes, and making sure you communicate with your whole team. Here’s where to focus:

Double-check payment requests: If an email asks you to pay an invoice, change bank details or make an “urgent” transfer, pick up the phone and verify using a known number, or write a new email to a trusted email address. Don’t trust the reply button – if it’s a spoof, you’ll just reach the scammer.

Educate your team (regularly): Everyone with an inbox is a potential target. Share real-life scam examples, run short refreshers on spotting dodgy links or fake email addresses, and make it crystal clear who to report suspicious emails to.

Use email authentication: Ask your IT provider to enable SPF, DKIM and DMARC on your domain. They’re not just jargon, they make it harder for criminals to spoof your email address in the first place.

Keep an audit trail: Log every payment authorisation and supplier detail change. If something slips through, you’ll have the paper trail HMRC, banks or insurers need to help recover funds.

Report every attempt: Forward phishing emails to [email protected] and alert your bank if any payments were made. The faster you report, the better the chance of clawing money back.
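To make the "reply button" and SPF/DKIM/DMARC points concrete, here is an added example (not from the original post) that triages one raw email: it compares the From and Reply-To domains and reads the SPF, DKIM and DMARC verdicts your own mail server recorded. The sample message, the domains and the `trusted_authserv` hostname are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every domain and name here is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=supplier-payments.example;
 dkim=none; dmarc=fail header.from=supplier.example
From: "Acme Supplies Accounts" <accounts@supplier.example>
Reply-To: accounts@supplier-payments.example
Subject: URGENT: updated bank details for invoice 1042

Please pay today using the new account.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def triage(raw_message, trusted_authserv):
    """Return a list of warnings for one raw message.

    trusted_authserv is the hostname your own receiving server writes at the
    start of Authentication-Results (an assumption; check a known-good email).
    """
    msg = message_from_string(raw_message)
    warnings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Only trust verdicts stamped by our own server: a sender can insert
    # forged Authentication-Results headers claiming everything passed.
    trusted = ""
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())  # undo header line folding
        ident = unfolded.split(";", 1)[0].split()
        if ident and ident[0].lower() == trusted_authserv.lower():
            trusted += " " + unfolded
    for method in ("spf", "dkim", "dmarc"):
        verdicts = [v.lower() for v in re.findall(rf"\b{method}=(\w+)", trusted, re.I)]
        if "pass" not in verdicts:
            verdict = verdicts[0] if verdicts else "missing"
            warnings.append(f"{method.upper()} result is {verdict}")
    return warnings

if __name__ == "__main__":
    for line in triage(SAMPLE, "mx.example.co.uk"):
        print("WARNING:", line)
```
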

Bookkeeping habits that help spot fraud early

Even with strong controls, something might slip through, so spotting issues quickly matters. Regular bookkeeping checks are key.

Do weekly bank reconciliations so unexpected transactions stand out straight away. If a payment doesn’t match an approved invoice or if something looks fishy, investigate before it’s too late.

Introduce a “pause and check” rule for any invoice with new payment details. A 48-hour delay gives time to verify changes and stops knee-jerk payments.

Keep a clear approval trail for every payment – who requested it, who signed it off and when. If anything ever goes wrong, you’ll know exactly what happened and can act fast.
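The three habits above can be run as one weekly check. This added example (not from the original post) reconciles bank lines against approved invoices and applies the 48-hour "pause and check" rule to payments that follow a bank-detail change; the record layouts, names, dates and account numbers are all constructed.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=48)  # the "pause and check" window from the text

# Constructed sample data; suppliers, references and account numbers are made up.
APPROVED = {  # invoice reference -> (supplier, amount in pence, approver)
    "INV-1042": ("Acme Supplies", 125000, "dana"),
    "INV-1043": ("Brightside Print", 48000, "dana"),
}
DETAIL_CHANGES = [  # (supplier, new account, when the change was logged)
    ("Acme Supplies", "00-00-00 12345678", datetime(2024, 5, 6, 9, 0)),
]
BANK_LINES = [  # (paid at, payee, account, amount in pence, reference)
    (datetime(2024, 5, 6, 15, 30), "Acme Supplies", "00-00-00 12345678", 125000, "INV-1042"),
    (datetime(2024, 5, 7, 10, 0), "Brightside Print", "11-11-11 87654321", 48000, "INV-1043"),
    (datetime(2024, 5, 8, 11, 0), "Northgate Ltd", "22-22-22 11112222", 99000, "INV-9001"),
]

def reconcile(bank_lines, approved, detail_changes):
    """Return (reference, reason) pairs for payments that need a second look."""
    flags = []
    for paid_at, payee, account, amount, ref in bank_lines:
        invoice = approved.get(ref)
        if invoice is None:
            # Nobody signed this off: the payment has no approval trail.
            flags.append((ref, "no approved invoice"))
            continue
        supplier, expected, _approver = invoice
        if payee != supplier or amount != expected:
            flags.append((ref, "payee or amount differs from approved invoice"))
        for who, new_account, changed_at in detail_changes:
            since_change = paid_at - changed_at
            if who == supplier and new_account == account and timedelta(0) <= since_change < HOLD:
                flags.append((ref, "paid within 48h of a bank-detail change"))
    return flags

if __name__ == "__main__":
    for ref, reason in reconcile(BANK_LINES, APPROVED, DETAIL_CHANGES):
        print(f"{ref}: {reason}")
```
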

If something goes wrong

Still get caught out? Speed is everything. If someone in your business becomes a victim of phishing:

  • Isolate affected devices and change passwords immediately.
  • Contact your bank to try to recall payments or freeze accounts.
  • Report the fraud to Action Fraud.
  • If personal data was compromised, notify the ICO within 72 hours to stay compliant.

Getting your accountant and IT support involved early can help limit the damage and speed up recovery.

The bottom line

Phishing and spoofing attacks are on the rise, and small businesses are prime targets. Fraudsters know most small teams don’t have a big IT department or formal finance controls. A well-crafted email can fool anyone (and I mean anyone), especially when you’re busy and juggling a million things.

The good news? You don’t need fancy cybersecurity software to cut the risk. You just need clear processes, strong communication and regular checks. These habits might feel tedious, but they’re far cheaper than losing a client payment or paying an HMRC penalty because fraud held up your VAT return.


