Last Updated on January 4, 2026 by Jade Artry
Why Verification Matters More Than Ever
In the first half of 2025, UK Finance found invoice and mandate scams hit businesses hardest, with £15m in losses landing on business accounts. But these aren't just massive corporations being targeted. Small businesses, freelancers, anyone who pays suppliers regularly is fair game. And the scary part? Most business owners don't realise how small businesses get scammed online until it's too late. The truth is, traditional warning signs of fraud have disappeared. Here's just how much:
- According to Entrust's 2025 Identity Fraud Report, digital document forgery surged 244% year over year. Company registration certificates, bank statements, insurance documents – all can be created in minutes with AI tools. That professional-looking certificate of incorporation? Could be completely fake and you'd never know just by looking at it.
- Emails that perfectly mimic your suppliers. Research from Hoxhunt's 2025 Business Email Compromise Statistics report shows that by mid-2024, an estimated 40% of BEC phishing emails were AI-generated. These aren't generic scam emails. They match your supplier's communication style, use the right terminology, and arrive at exactly the right moment in your business relationship. Understanding how to detect AI-powered phishing attacks has become essential.
- Voice and video calls can be faked. In January 2024, scammers used deepfake technology to impersonate a company's CFO during a video conference call, according to the World Economic Forum's analysis of deepfake fraud. The result? $25.5 million in fraudulent transfers. Voice cloning now requires just three seconds of audio. That phone call from your supplier? Might not actually be them. Understanding what deepfakes are and how they work has become critical for business security.
- Your actual suppliers could be compromised. This is the bit that keeps me up at night. Vendor Email Compromise attacks rose 66% in the first half of 2024 according to Hoxhunt's research. Attackers aren't just pretending to be your suppliers anymore – they're actually compromising their email systems and sending fraudulent requests from genuine email addresses. How do you spot that?
The FBI's Internet Crime Complaint Center reports nearly $8.5 billion in BEC losses between 2022 and 2024 in the United States alone. And that's just what gets reported. Many businesses never report fraud out of embarrassment or because they think there's no point.
The traditional approach – trusting professional-looking documents and seemingly legitimate correspondence – simply doesn't work anymore. You need process, not instinct.
How to Verify Suppliers (The Right Way)
I've spent the last few years refining verification processes, both for my own business and for others I've advised. What I've learned is that verification needs to scale with risk. You don't need the same checks for your £50 stationery order as you do for a £50,000 IT contract.
Here's my framework. It's not complicated, but it is something I follow consistently.
Quick Checks for Low-Risk Suppliers
For small, one-off purchases from established companies (let's say under £1,000), you need basic verification that takes about 5-10 minutes:
- Do a company registration check. Confirm they're a legitimate registered business via Companies House in the UK or the relevant state registry in the US. This catches the obvious scams where someone's just set up a fake company name.
- Check for domain verification. Their email domain should match their website. Look for subtle misspellings – scammers love using 'amaz0n.com' instead of 'amazon.com' (that's a zero, not an O). Check how long the domain has been registered. A brand new domain for a company claiming to have been trading for years is suspicious. Learning how to tell if a website is safe helps with this verification.
- Do an independent contact confirmation. Ring the number listed on their official website (not the one in the email) to confirm the request is legitimate.
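The lookalike check from the domain step can be automated against the supplier domains you already hold. This is an added example, not code from the original article; the domain list, the character-swap table and the function names are assumptions chosen for illustration.

```python
# Constructed sample: domains already verified during onboarding.
KNOWN_SUPPLIER_DOMAINS = {"amazon.com", "abc-limited.co.uk"}

# Common digit-for-letter swaps seen in lookalike domains (not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain):
    """Lower-case the domain and undo digit swaps and the 'rn' for 'm' trick."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(email, known=KNOWN_SUPPLIER_DOMAINS):
    """Classify a sender address against the supplier domains on file."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    # Non-ASCII or punycode labels can hide look-alike letters: review by hand.
    if not domain.isascii() or domain.startswith("xn--") or ".xn--" in domain:
        return "review-idn"
    for good in sorted(known):
        if domain == good or domain.endswith("." + good):
            return "match"
    for good in sorted(known):
        # Same skeleton, or one typo away, but not the real domain.
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike:" + good
    return "unknown"


if __name__ == "__main__":
    for sender in ("accounts@amazon.com", "accounts@amaz0n.com", "pay@arnazon.com"):
        print(sender, "->", check_sender(sender))
```

A "match" only says the domain is the one on file; it does not rule out a compromised supplier mailbox, which is why the phone call in the next step still applies.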
Standard Verification for Regular Suppliers
For medium-value contracts (£1,000-£50,000) and any new business relationship you plan to maintain, I spend about 30-45 minutes on verification:
- Check the full company details. Registered name, company number, registered address, trading address if different. Cross-reference this against official registries, not just their website. I've seen fake websites that look completely legitimate but have no connection to the actual registered company.
- Confirm ownership structure. Check who the directors are and look for Ultimate Beneficial Owners (anyone with 25%+ ownership). If a small 'local' company is actually owned by a shell company registered in a tax haven, I want to know about it.
- Match bank account details. This is critical. The bank account name must match the registered company name exactly. If 'ABC Limited' wants you to pay 'ABC Trading' or 'John Smith Personal Account', that's a massive red flag. There might be legitimate reasons (subsidiary companies, trading names), but they need explaining before any payment goes through.
- Check domain and online presence. Check their domain registration history, verify their SSL certificate is legitimate, and look at their social media and online presence for consistency. Real businesses accumulate a digital footprint over time – reviews, social media posts, employee LinkedIn profiles, mentions in industry publications. Scam operations often have perfectly designed websites but no real digital history.
- Look for professional references. Ask for two other businesses they work with and actually ring them. Don't just collect the names – have actual conversations. You learn a lot when you speak to someone who's worked with a supplier for years versus someone who's clearly reading from a script.
Thorough Checks for High-Value Relationships
For large contracts (£50,000+), suppliers with system access, or anyone handling sensitive data, I invest 2-3 hours in initial verification and ongoing monitoring:
- Financial health. Request recent financial statements or credit reports. Check for county court judgements, insolvencies, or other financial red flags. You need to know they'll actually be around next year to fulfil their obligations.
- Insurance and compliance. Verify professional indemnity insurance, cyber insurance for data-handling suppliers, and any industry-specific licences. Don't just accept a certificate at face value – confirm it with the insurance company or licensing body. I've caught expired policies this way.
- Security credentials. For tech suppliers, request ISO 27001 certification, SOC 2 reports, or detailed security questionnaire responses. If they're handling your data or accessing your systems, you need evidence their security is professional.
- Physical verification. Consider visiting their offices or doing a video call where you can see their actual workspace (not just a Zoom background). I've been on video calls with supposed 'established agencies' where the backdrop was clearly someone's bedroom with a green screen.
- AML screening. Check directors and UBOs against sanctions lists and politically exposed persons databases. This sounds technical, but there are affordable tools that make it straightforward.
When working with suppliers who will have access to sensitive business systems or customer data, conducting thorough background checks becomes essential. Proper documentation is also part of a broader approach to creating a cybersecurity policy for your business that protects against multiple threat vectors.
The One Rule That Prevents Most Fraud
Never accept bank account changes via email alone. This is the single most important thing I can tell you. Research shows that nearly 29% of BEC attacks in early 2024 were advance-fee fraud scams, with bank detail changes being the primary tactic, according to Hoxhunt's analysis. The Association for Financial Professionals found that 63% of organisations experienced BEC in 2024.
Here's my protocol, and I follow it without exception:
- Pause. Don't update anything in your payment systems yet.
- Ring the supplier on a number you already have on file (not a number provided in the change request email).
- Speak to someone you've spoken to before and verbally confirm the new details.
- Request written confirmation on company letterhead with an authorised signature.
- Send a test payment of £1 before processing the full amount.
- Verify the test payment was received by ringing again (not by email).
This sounds paranoid. It takes 15-20 minutes. But it's saved me at least twice that I know of, and I've watched it save other business owners from losses in the tens of thousands.
Multi-channel verification is critical because attackers can now fake voice and video. If someone rings with a bank change request, I verify by email to a known address. If it comes by email, I verify by phone. Never confirm major changes through a single channel, no matter how legitimate it sounds. Training employees to avoid phishing and deepfake scams helps reinforce this protocol across your team.
Additional safeguards I use:
- Require dual approval for all bank detail changes (two people must verify)
- Implement a 24-hour cooling-off period before processing payments to new accounts
- Use payment platforms that flag first-time payees
- Train finance teams to be suspicious of urgency (artificial time pressure is a key fraud indicator)
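The protocol and safeguards above can be enforced as a release gate in a payment workflow, so a changed bank account stays blocked until every step is recorded. This is an added example, not code from the original article; the record fields and function name are hypothetical, and the name comparison ignores case and surrounding spaces as an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

COOLING_OFF = timedelta(hours=24)  # cooling-off period from the safeguards list


@dataclass
class BankChangeRequest:
    registered_name: str                  # legal name from the company registry
    new_account_name: str                 # name on the new bank account
    received_via: str                     # "email" or "phone"
    received_at: datetime
    verified_via: Optional[str] = None    # channel used to confirm the change
    used_contact_on_file: bool = False    # contact details held before the request
    letterhead_confirmation: bool = False
    test_payment_confirmed_by_phone: bool = False
    approvers: set = field(default_factory=set)


def blocking_reasons(req, now):
    """Return every unmet step; an empty list means the payment may be released."""
    reasons = []
    # Assumption: compare names ignoring case and surrounding whitespace only.
    if req.new_account_name.strip().lower() != req.registered_name.strip().lower():
        reasons.append("account name differs from registered company name")
    if req.verified_via is None or req.verified_via == req.received_via:
        reasons.append("not verified through a second channel")
    if not req.used_contact_on_file:
        reasons.append("verification did not use contact details already on file")
    if not req.letterhead_confirmation:
        reasons.append("no written confirmation on letterhead")
    if not req.test_payment_confirmed_by_phone:
        reasons.append("test payment not confirmed by phone")
    if len(req.approvers) < 2:
        reasons.append("dual approval missing")
    if now - req.received_at < COOLING_OFF:
        reasons.append("24-hour cooling-off period not elapsed")
    return reasons


if __name__ == "__main__":
    # Constructed sample: an emailed change request, checked two hours later.
    received = datetime(2025, 3, 3, 9, 0)
    req = BankChangeRequest("ABC Limited", "ABC Trading", "email", received)
    for reason in blocking_reasons(req, received + timedelta(hours=2)):
        print("BLOCKED:", reason)
```

A name mismatch that has a legitimate explanation, such as a trading name, should be cleared by a person and recorded, not by loosening the comparison.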
What to Capture During Onboarding
Capture essential information in a centralised system during supplier onboarding. Don't scatter details across email threads or spreadsheets.
For all suppliers:
- Legal registered name and company registration number
- Registered address and trading address
- VAT number or tax identification number
- Bank account details (name must match registered company name)
- Primary contact details (email domain verified, phone number verified)
For regular suppliers (Standard tier and above):
- Directors and ownership structure
- Professional references with notes from verification calls
- Insurance certificates
- GDPR compliance confirmation
- Industry certifications where relevant
For high-value suppliers:
- Recent financial statements or credit reports
- Security attestations and certifications
- Multi-channel verified contact protocols
Store everything in one place with proper access controls. The best password managers for business owners can help manage these credentials securely, or you can use document management systems with version control. The key is that everyone knows where to look, access is controlled (not everyone needs to see banking details for every supplier), and everything is searchable.
Consistency Is Key: Keep Verifying
Verification isn't a one-time tick-box exercise. I do annual reviews of all regular suppliers to check:
- Company status (still trading in good standing)
- Financial health
- Updated insurance certificates
- Contact details are still current
Any time a supplier notifies you of changes, treat it like new onboarding. Bank details change? Full verification protocol. New contact person? Verify their identity through multiple channels. Address change? Confirm via phone and email.
Watch for red flags:
- Communication style changes
- Unexpected urgency in requests
- Requests to bypass procedures
- Payment requests outside normal hours
- Reluctance to speak on the phone
- Unusual payment amounts or frequencies
- Invoice formatting inconsistencies
Research shows businesses receive an average of 13 fraudulent invoice attempts per year, with nine typically succeeding. Transaction monitoring catches many of these before payment. Checking if emails are fake or scams before acting on them is a critical skill for your entire team.
What to Do When Something Feels Off
If something about a communication, request, or transaction feels wrong, follow this protocol:
- Stop the transaction immediately. Don't alert the person you suspect (if the email is compromised, you're warning the attacker). Don't click links or download attachments. Preserve all evidence.
- Verify through a completely different channel. If the suspicious contact was by email, ring them on a number you already have. If a call seemed odd, verify by email to a known address. Use a separate device if you suspect your system might be compromised.
- Ask verification questions only the real person would know. Details from recent meetings, previous invoice reference numbers, account manager names, project-specific information. This is what saved Ferrari from a deepfake voice attack – an executive asked a personal question only the real CEO would know, and the fraudster couldn't answer.
- Escalate immediately. Alert your finance director and IT security. Check if others have experienced similar attempts. Consider reporting to Action Fraud in the UK or the FBI's Internet Crime Complaint Center in the US.
Research indicates that 92% of companies have experienced some form of financial loss due to a deepfake incident. If you spot something suspicious, you're not being paranoid. You're being professional.
Practical Ways to Get Started
I know this can feel overwhelming, especially if you've never had formal verification processes before. Start small:
- This week: Implement the bank details rule immediately. Verify your three largest suppliers by value.
- This month: Create a simple tracking system for when each supplier was last verified. Set calendar reminders for annual reviews.
- Ongoing: Build verification into your normal workflow so it becomes automatic rather than an extra task.
The investment in proper verification is significantly lower than the cost of a single fraud incident. In an environment where AI-generated fraud is projected to cause $40 billion in losses by 2027 according to UNESCO's analysis of deepfakes and fraud, relying on instinct simply isn't enough.
The verification methods outlined here aren't complicated. Light checks for low-risk suppliers, standard verification for normal vendors, and thorough due diligence for high-value relationships. The bank details rule alone prevents the most common fraud scenario. Start with your highest-value suppliers and build from there.