Last updated Jun 25, 2026 and written by Daniel Tuckey

How To Protect Your Small Business From Fraud

Fraud doesn't discriminate. It happens to new businesses and established ones, to sole directors working from home and companies with full teams. If you run a limited company in the UK, you're a target, and the scams aimed at business owners have gotten increasingly convincing.

The good news is that most of them follow a pattern. Once you know what to look for, they're a lot easier to spot and a lot easier to stop.

Key Takeaways

  • Awareness is one of your strongest defences. Most scams rely on you not knowing how they work.
  • HMRC and Companies House will never contact you out of the blue asking for bank details or passwords. Full stop.
  • The free Companies House PROOF scheme prevents unauthorised paper-based changes to your company's filing.
  • Your WebFiling Authentication Code is essentially your company's online password. Treat it like one.
  • A registered office address service keeps your home address off the public Companies House register, which reduces your exposure to targeted fraud and junk mail.
  • A company tracker or fraud protection service will alert you whenever a change is made to your company, so you can act fast if something looks wrong.
  • Strong passwords, two-factor authentication, and decent internet security are basics that genuinely make a difference.

Common Scams Targeting Business Owners

HMRC and Companies House Impersonation

This one is everywhere. Fraudsters send letters, emails, texts, and make phone calls claiming to be from HMRC, Companies House, or another government body. The message usually involves an unpaid tax bill, a filing error, or a threat of legal action, and it always wants something from you quickly.

The tell is usually a request for payment details or personal information. Neither HMRC nor Companies House will contact you out of the blue asking for that kind of thing. Check any link carefully too: a genuine government URL will always be gov.uk, not a variation of it like gov.com or gov.uk.net.
GOV.UK publishes guidance on how to spot and report government-related scams if you want to familiarise yourself with what to look for.

Phone and Email Spoofing

Technology has made it straightforward for scammers to fake a caller ID or email address so it looks like your bank, HMRC, or another trusted institution is getting in touch.

If something feels off, stop engaging. Your bank will never ring you and ask for your password or card number. Contact them directly using the number on the back of your card or their official website, not any number the caller gives you.

CEO Fraud

This one tends to catch people off guard because it can look extremely convincing. A fraudster poses as a senior manager or director and emails a member of staff asking for an urgent bank transfer, gift card codes, or sensitive financial information. The urgency is always part of the script.

Before acting on any instruction like this, check the actual email address or phone number it came from against the real contact details of the person being impersonated. They'll look similar at a glance but won't match. If you're still unsure, call the person directly on a number you already have for them. Always report this kind of attempt to whoever manages your IT or security so they can warn the rest of the team.

Fake Tech Support Calls

Your business gets a call from someone claiming to be tech support for a well-known company. They say your systems are at risk and they need access to fix it. Their actual aim is to get into your devices and take whatever they can find.

Legitimate tech support doesn't cold-call businesses asking for access to their systems. If you get a call like this, hang up and contact the company directly yourself using their official contact details.

How to Keep Your Company Protected

Know the Pattern, Stay Sceptical

Scams work by creating pressure. An unexpected deadline, a threat of legal consequences, an urgent request that arrives without warning. Genuine institutions send reminders. They don't appear out of nowhere demanding immediate action.

Keep up with common fraud tactics and always verify contact details independently before responding to anything unexpected. A quick check against the official website can save you a lot of trouble.

Block, Don't Engage, and Report

If you identify something as a scam, don't reply, don't click anything, and don't call back. Block the number or email address and report it to Action Fraud. Even accidental engagement can get your details added to lists that circulate among fraudsters.

Get Your Internet Security in Order

Use a reputable security package, make sure your software is up to date, and only use encrypted tools from legitimate sources for your business. Set up two-factor authentication on all your accounts, particularly email and social media, and use strong, different passwords across platforms. It sounds straightforward because it is, but it's also genuinely effective.

Keep Your Personal Information Off the Public Register

Your registered office address and your director's service address are both listed on the public Companies House register. That means anyone can look them up. If you're using your home address for either, you're handing that information to anyone who searches for your company, including people with no good reason to have it.

A registered office address service is a simple and cost-effective way to keep your home address off the register. Your provider handles your post, forwards official government correspondence, and filters out the junk and scam mail that would otherwise find its way to you. If you also need non-statutory mail such as bank letters forwarded, a mail forwarding service covers that too.

Join the PROOF Scheme

PROOF stands for PROtected Online Filing. It's a free Companies House scheme that tells the register not to accept paper-based changes to your company.

Without it, someone could potentially use paper forms to update your registered office address, appoint or remove directors, or file a confirmation statement, without your knowledge. Joining PROOF means the vast majority of changes can only be made online, which closes off that route entirely.

Sign up to PROOF here. It's free.

Look After Your WebFiling Authentication Code

This six-character code is what unlocks your company's online filing with Companies House. Anyone who has it can make changes to your company record. It should only be shared with people you fully trust, and if you ever think it's been compromised, contact Companies House immediately.

You can change it once you have it, and it's worth doing if the original code isn't something you'd naturally remember.

Track Changes to Your Company

A company tracker sends you an email alert whenever a change is made to your company at Companies House. That means if something is filed without your knowledge, you'll know about it quickly enough to do something.

Take a look at our dedicated fraud protection service for more comprehensive monitoring. It's worth remembering that Companies House processes documents in good faith, which means changes can go through even without your authorisation if the right safeguards aren't in place. A fraud protection service helps close that gap.

If You Think You've Been Targeted

Contact Companies House immediately if you believe an unauthorised change has been made to your company record. Report scam calls, emails, and messages to Action Fraud. If bank fraud is involved, call your bank directly using the number on their official website or on the back of your card, not any number you've been given by the person contacting you.

This article is for general information only and does not constitute legal or tax advice. Rules and thresholds can change, and the right structure for your business will depend on your individual circumstances. It's worth speaking to a qualified accountant or adviser before making a decision.

FAQs

What are the most common scams targeting small businesses?

HMRC and Companies House impersonation, phone and email spoofing, CEO fraud, and fake tech support calls are the ones that come up most often. All of them rely on urgency or a trusted-looking sender to get you to act without thinking.

How do I tell if a message from HMRC or Companies House is genuine?

A genuine message will never ask for your password, bank details, or personal financial information out of the blue. Any link should point to a gov.uk address. If you're not sure, don't click anything and contact the body directly using their official website.

What is the Companies House PROOF scheme?

It's a free scheme that tells Companies House not to accept paper-based changes to your company. It significantly reduces the risk of someone making unauthorised changes using paper forms, such as updating your registered office or appointing false directors.

What is a WebFiling Authentication Code?

It's the six-character code that acts as your company's online password for Companies House. Anyone who has it can make online changes to your company record. Keep it secure, only share it with people you trust, and contact Companies House straight away if you think it's been compromised.

Why shouldn't I use my home address as my registered office?

Because both your registered office and your director's service address are publicly listed on the Companies House register. Anyone can find them. Using a registered office address service means you meet the legal requirement without putting your home address on the public record.

What does a fraud protection service do?

It monitors your company's details at Companies House and alerts you whenever a change is made. That way, if something happens without your knowledge, you find out quickly and can act on it. Our dedicated fraud protection service provides more comprehensive monitoring.

What should I do if my company has been targeted?

Contact Companies House immediately if you think an unauthorised change has been made. Report scams to Action Fraud. For anything involving your bank, use the number on their official website or the back of your card.

Is two-factor authentication worth setting up for a small business?

Yes. It adds a second layer of verification to your accounts so that even if your password is stolen, someone still can't get in. It takes minutes to set up and makes your accounts significantly harder to compromise