You're more likely to lose a week's graft to a hacked invoice than someone nicking your drill. Cyber-fraud is now just another tool theft risk -- only quieter and nastier.
12.7.1 The big one: mandate fraud (bank-details change scam)
This is the classic one that nails small builders:
- A scammer gets into your email or your customer's.
- They watch invoices going back and forth.
- Then they send a message -- looking like it's from you -- saying "we've changed bank details, please pay this account instead", with a different sort code/account.
- Your customer pays the scammer. Money's gone.
Because the customer authorised the payment to that account themselves, banks treat it as authorised push payment (APP) fraud, not as card fraud, and that changes how (and whether) the money comes back.
APP fraud reimbursement
From 7 October 2024, the Payment Systems Regulator (PSR) requires banks and payment firms to reimburse most APP fraud victims (consumers, micro-enterprises and small charities) up to £85,000 per claim, for Faster Payments and CHAPS payments between UK accounts. There are exceptions: gross negligence on the victim's part, first-party fraud, and claims made more than 13 months after the payment can all reduce or remove the reimbursement, and the bank may take an excess of up to £100 off the claim. Don't rely on this as your safety net: prevention is still far better than trying to get money back after the fact.
Practical protection
- Never change bank details by just emailing a new number.
- If bank details ever change (yours or a supplier's), the other side should:
  - Phone a known number (one from a previous invoice or contract, or the number already saved in their phone, never the one in the email or its signature) and confirm verbally.
  - For big sums, send a £1 test payment and confirm by phone that it landed before sending the rest. A scammer will happily confirm receipt by email, so the phone call is the point.
- Lock your email down (see below) so you're not the weak link.
12.7.2 Protect your invoices -- a free 30-second fix
Add this line (or similar) to every invoice you send:
"Our bank details will never change by email. If you receive any communication asking you to pay to different account details, please call us on [your phone number] before making any payment."
This costs nothing, takes 30 seconds to add to your template, and puts the customer on alert. If a scammer then sends a fake "new bank details" email, your customer is primed to call you first.
Tell your regular clients this is your policy too -- a quick email or WhatsApp saying "just so you know, we'll never change bank details by email" sets the expectation.
12.7.3 Other scams hammering small construction businesses
Phishing emails
- Fake HMRC, Companies House, "delivery failed" notices, Office 365/Google log-ins.
- Aim: get your passwords or make you click an attachment that installs malware.
- Signs: a sender address that doesn't match the name shown, urgent or threatening language, links whose real destination (hover on a PC, long-press on a phone) doesn't match the site they claim to be, spelling or grammar that's off. None of these is proof on its own, and a polished email with none of them can still be fake.
Companies House scams
- Fake "annual return due" or "your company is being struck off" emails specifically target ltd company directors.
- The links go to credential-harvesting sites that look like the real Companies House login.
- Real Companies House emails come from gov.uk addresses, but the "from" line can be faked, so don't lean on it. If in doubt, don't use the link in the email at all: type companieshouse.gov.uk into your browser yourself, or use a bookmark you saved earlier.
Fake invoices / supplier impersonation
- PDF invoice that looks like your normal merchant / hire company but account details are different.
- Or scammers register a look-alike domain such as @supp1ier-name.co.uk (a "1" instead of an "l") and send "updated bank details" from it. Read the sender's address letter by letter; on a phone screen these swaps are easy to miss.
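To make the look-alike-domain and mismatched-link checks above concrete, here is a small script that does what a careful pair of eyes (or a mail filter) would do. It is an added illustration, not code from this guide or from the NCSC; the supplier domains, the sample email address, the sample body text and the sample HTML link are all constructed for the example, and the "shop rule" logic in triage() is just the phone-first policy from this section written as code.

```python
"""Spot look-alike sender domains and links that don't go where they say.
Added illustration, not from this guide or the NCSC; the supplier list and
sample emails are constructed for the example."""
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains you genuinely trade with (constructed for the example).
KNOWN_DOMAINS = {"supplier-name.co.uk", "yourbuildersmerchant.com"}

# Swaps that scammers rely on the eye skimming past.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Wording that, under the shop rule, always triggers a phone call.
BANK_WORDS = ("bank details", "sort code", "account number", "new account", "iban")


def domain_of(address: str) -> str:
    """'Accounts <a@b.co.uk>' or 'a@b.co.uk' -> 'b.co.uk'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def normalise(domain: str) -> str:
    """Fold digit/letter look-alikes so supp1ier-narne reads as supplier-name."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def check_sender(address: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for the sending domain."""
    dom = domain_of(address)
    if dom in KNOWN_DOMAINS:
        return "known"
    for good in KNOWN_DOMAINS:
        # Exact match after folding look-alike characters, or a near miss
        # such as a different ending (.com instead of .co.uk).
        if normalise(dom) == normalise(good) or SequenceMatcher(None, dom, good).ratio() >= 0.85:
            return "lookalike"
    return "unknown"


ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def mismatched_links(html: str) -> list:
    """Return (shown_text, real_target) pairs where the visible text looks like
    a web address but the link actually goes to a different host."""
    found = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"(https?://|www\.)", text, re.I):
            continue  # plain words like "click here" can't be compared this way
        shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
        real = (urlparse(href).hostname or "").lower()
        if shown != real:
            found.append((text, href))
    return found


def triage(sender: str, body_text: str) -> str:
    """Apply the shop rule: any bank-detail change is confirmed by phone, on a
    number you already hold, whoever the email appears to come from."""
    if any(w in body_text.lower() for w in BANK_WORDS):
        return "PHONE_KNOWN_NUMBER"
    verdict = check_sender(sender)
    if verdict == "lookalike":
        return "DO_NOT_REPLY_PHONE_SUPPLIER"
    if verdict == "unknown":
        return "TREAT_AS_NEW_CONTACT"
    return "NORMAL"


if __name__ == "__main__":
    # Constructed sample: a "1" for an "l" and "rn" for "m", plus a disguised link.
    sample_from = "Accounts <accounts@supp1ier-narne.co.uk>"
    sample_body = "Hi, please note our new bank details for invoice 1042."
    sample_html = '<a href="http://login-check.example/verify">https://www.gov.uk/companies-house</a>'
    print(check_sender(sample_from))         # lookalike
    print(triage(sample_from, sample_body))  # PHONE_KNOWN_NUMBER
    print(mismatched_links(sample_html))
```

The similarity threshold (0.85) is a judgement call: it catches "supplier-name.com" standing in for "supplier-name.co.uk" without flagging every unrelated address. Note that triage() checks the wording before the sender, deliberately: a bank-details change from a perfectly genuine address still gets the phone call, because the genuine address may be the one that's been hacked.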
WhatsApp / SMS scams
- "It's the boss, I'm in a meeting, send £X to this account urgently" messages.
- Or links to "job photos" or "delivery updates" that actually take you to a fake login page.
Ransomware / data theft
- Open a dodgy attachment, it encrypts your files and demands money.
- Small firms get hit via fake quotes, CVs, or "new project info" emails.
You're a target because you use email and banking like everyone else, but don't have dedicated IT staff.
12.7.4 Simple defences that actually work
NCSC's small-business guide boils it down to a few habits:
Lock your email, banking and accounting down
Turn on two-factor authentication (2FA) on:
- Email accounts (Office 365 / Outlook, Gmail, etc.).
- Accounting / invoicing systems (QuickBooks, Xero, FreeAgent) -- if someone gets into these, they can see all your customer details, bank info, and send invoices as you. This is as important as locking your email.
- Online banking.
- Companies House filing account.
Use strong, unique passwords for each, stored in a password manager if you can't remember them.
Use authenticator apps, not just SMS
Where possible, use an authenticator app (Google Authenticator, Microsoft Authenticator) for 2FA rather than SMS text codes. SIM swapping, where someone convinces your mobile provider to move your number onto their SIM, lets them receive your SMS codes. An authenticator app generates the code on your phone from a secret set up when you scanned the QR code, so there is nothing sent over the phone network to intercept. Two caveats: a code from an app can still be stolen if you type it into a fake login page, so the "go to the site yourself, never via the link" rule still applies; and keep the backup codes the service gives you at setup somewhere safe, or losing the phone locks you out.
Back up your stuff
- Regularly back up quotes, invoices, contacts and job photos, ideally to a cloud service or an external drive that isn't left plugged in (ransomware encrypts anything it can reach, including a connected backup drive). Every so often, check you can actually restore a file from it.
- That way, if ransomware hits, you don't lose everything.
Keep devices updated and protected
- Let phones, tablets and laptops auto-update.
- Run decent antivirus on PCs and laptops (the Microsoft Defender built into Windows is fine if it's switched on and updating) and don't ignore its warnings.
Train your small team
Anyone sending invoices, paying suppliers or approving payments needs the same basics:
- Don't click links or open attachments in unexpected emails.
- If anything involves changing bank details or urgent payments, double-check by phone.
12.7.5 If it goes wrong -- who to tell and what the law cares about
If money's moved
- Contact your bank's fraud team immediately -- the faster you report an APP scam, the better chance they have to freeze the receiving account.
- Get the customer to tell their bank immediately too -- both sides need to move.
Report it
- Action Fraud (online or 0300 123 2040) -- national reporting centre for fraud and cyber crime; you'll get a crime reference number.
- If you're in Scotland, you normally report directly to Police Scotland (101) rather than Action Fraud.
Data protection angle
If customer data (names, addresses, contact details, invoice history) has been accessed or leaked, you have duties under UK GDPR and the Data Protection Act 2018:
- Where the breach risks harm to the people involved (for example, details that could be used to target your customers with further scams), you must notify the ICO within 72 hours of becoming aware of it, and tell the affected customers without undue delay where the risk to them is high.
- Keep a written note of any breach, even one you decide doesn't need reporting; you may have to show your reasoning later.
- See guide 8.12 for your baseline data protection obligations.
- NCSC and ICO both have simple breach-response checklists.
Computer crime itself (hacking into your systems) is covered under the Computer Misuse Act 1990, but pursuing the offender is the police's job, not yours: you report it and harden your systems.
12.7.6 Cyber insurance -- worth considering
Some business insurance policies now include cyber cover as an add-on. For a small trade firm, it's often cheap -- typically £100-£300/year -- and can cover:
- Fraud losses (including APP fraud in some policies).
- Data breach response costs (legal advice, notification, ICO liaison).
- Business interruption from ransomware or system compromise.
- Specialist IT forensics and recovery.
It's not a substitute for the basic habits above, but it's another layer of protection. Ask your broker whether it's available as an add-on to your existing public liability (PL) or business policy, and check whether "funds transfer" or social-engineering fraud is actually covered, as some policies exclude it.
What to do next
For a small trade outfit, one good afternoon's effort gets you most of the benefit:
- Turn on 2FA for email, banking, accounting software, and Companies House -- use authenticator apps where possible.
- Agree a one-line shop rule: "We never change bank details by email -- always confirm by phone," and tell your regular clients that's your policy.
- Add the bank details warning to your invoice template.
- Download and skim the NCSC Small Business Guide -- it's written for exactly your size of business, with five simple steps that don't need an IT department.
- Ask your insurance broker about cyber cover as an add-on.
Sources
- Computer Misuse Act 1990 -- legislation.gov.uk/ukpga/1990/18/contents -- offences relating to unauthorised access to computer systems.
- Data Protection Act 2018 -- legislation.gov.uk/ukpga/2018/12/contents -- supplements UK GDPR in UK law, including breach notification duties.
- UK GDPR -- legislation.gov.uk/eur/2016/679/contents -- data protection obligations for businesses handling personal data.
- Payment Services Regulations 2017 and PSR APP fraud reimbursement rules (2024) -- framework for authorised push payment fraud and reimbursement requirements.
- NCSC Small Business Guide -- ncsc.gov.uk/collection/small-business-guide -- five practical steps to protect your business from cyber threats.
- Action Fraud -- national fraud and cyber crime reporting centre.
- Fraud Act 2006 -- legislation.gov.uk/ukpga/2006/35/contents -- offences of fraud by false representation, including mandate fraud.