There are three quotes from sales calls that stood out this year, all variations on the same theme:

We're a team of five. I see everyone every day. I don't think someone here would pull a fast one with an invoice.

I sign off on everything anyway. I'm so close to the numbers, I don't think we're at risk for sophisticated fraud.

We only process 20 bills a month. It's easy to spot something off. We'll review controls once we hit 100+.

Three calls, from three different regions and sectors, but the same instinct: fraud happens to other businesses - bigger ones, with finance departments and procurement teams and enough bureaucratic distance for bad things to hide. Right?!

While many small businesses have the same instinct, the data says otherwise. The ACFE's 2024 Report to the Nations found that organisations with fewer than 100 employees lost a median of $141,000 per fraud incident, second only to companies with 10,000+ employees. The reason isn't that small businesses have more to steal. It's that they have fewer controls.

There's a deeper problem with the "we're too small" mindset, though. It assumes the fraud worth worrying about looks like someone on your team going rogue. For most small businesses, that's the wrong threat to model.

Most small business fraud is automated, not sophisticated

The FBI's IC3 logged $2.77 billion in business email compromise (BEC) losses in 2024 alone, with more than $17 billion reported since 2015. BEC now ranks as the second most expensive cybercrime category tracked, behind investment fraud. It works because it doesn't rely on hacking. It relies on a finance person, in the middle of a normal week, doing their job.

The most-mentioned fraud pattern on our discovery calls this year is the supplier bank detail change. A finance lead gets what looks like a routine email from a regular supplier. Same address, same email thread, same invoice template. The only difference is a polite line halfway down saying the supplier has changed banks and would you please update the records.

A small construction firm we spoke to last year paid $40,000 to a bank account in Moldova because the email looked identical to one from their landscaping supplier. The real supplier chased the unpaid balance three weeks later. By then the money had already moved through onward accounts the firm would never see again.

A team of five is more exposed to this than a team of fifty. Larger businesses tend to route vendor changes through a second approver, or validate them against the original supplier record, or flag the edits automatically. A smaller business often doesn't, because the person who got the email is also the person who updates the record. There's no second check, because nobody built one.

The same pattern repeats with fake invoices: pixel-perfect copies of genuine supplier formats, sent for amounts small enough to slide through without scrutiny ($280, $400, $750), often linked to payment portals the business has never used before. None of this requires anyone on your team to be dishonest. None of it requires you to be a big or interesting target. It just requires the path between a fake invoice and a real bank transfer to be short.

When the trusted person is the problem

Internal fraud is real, in fairness. The most common version is an office manager or AP lead with enough permissions to create a supplier, raise a bill against them, and approve payment - quietly directing invoices for "cleaning services" to a company they control. The ACFE found these schemes run a median of 12 months before detection, costing businesses roughly $9,900 per month while they go unnoticed.

The point isn't that the team should have been more trustworthy. The point is that nothing in the workflow flagged the invoices as unusual. An owner who "signs off on everything anyway" would have signed off on these too. One person can't function as the entire control system, however carefully they sign things.

Why fraud prevention is going to be an even bigger concern

There's a newer reason to care about all of this that has nothing to do with the fraud itself.

The UK's Failure to Prevent Fraud offence came into force on 1 September 2025. On paper it applies only to large organisations - those meeting two of three thresholds: 250+ employees, £36m+ turnover, £18m+ in assets. So technically, not most ApprovalMax customers.

But the offence makes large organisations criminally liable for fraud committed by an "associated person" acting for their benefit, with unlimited fines on conviction. Their statutory defence is showing they had reasonable procedures in place to prevent it. And the Home Office guidance is explicit that "associated persons" includes suppliers and subcontractors providing services on a large organisation's behalf.

That gives your customer's compliance team a legal incentive to push fraud-prevention requirements down their supply chain, and it is showing up as:

  • New anti-fraud clauses in supplier contracts at renewal
  • Refreshed compliance questionnaires asking about your approval workflows, segregation of duties, and audit trails
  • Warranties about your own fraud-prevention procedures, with the contract at stake if you can't satisfy them

The first wave of post-September contract renewals is happening now. ICAEW only started flagging this to accountants advising mid-market clients in April. If you sell into professional services, construction, SaaS, or any business selling into FCA-regulated firms, the questions are coming, if they haven't arrived already.

The legislation is UK-specific, but the dynamic isn't. Large customers face compliance pressure on fraud everywhere, and the same trickle-down happens through commercial channels long before it happens through legal ones. What changes is the question. "Could we get defrauded?" is a risk question, easy to wave off. "Can we demonstrate the controls our biggest customer is asking us to have?" is a revenue question, much harder to ignore.

Size doesn't determine risk - the protection gap does

None of these fraud patterns care about team size. They care about whether there's a meaningful check between the request and the payment, and whether you can show afterwards exactly who approved what.

A five-person business with structured approvals, supplier verification, and duplicate invoice detection is harder to defraud than a 500-person business whose approval process is "thumbs up in Slack." It's also easier to underwrite for a customer running a compliance review.

Better controls also tend to improve the rest of the AP function - faster month-end close, fewer supplier disputes, less time spent chasing approvals across inboxes and chat threads. The same controls produce, as a side effect, the kind of evidence a supplier questionnaire is now asking for.

Being close to your numbers doesn't protect you from any of this. It just means you'll find out faster that the money is gone.

What designing out the gap looks like in practice

This is what ApprovalMax does. For a five-person business, it usually means:

  • Every payment requires two explicit approvals, so no single person can receive, edit, and pay a bill alone
  • Supplier bank detail changes trigger a separate verification workflow before the record can be updated
  • Duplicate invoices are flagged automatically before they reach a payment run
  • Every approval is logged in a time-stamped audit trail tied to the underlying transaction

These aren't enterprise controls retrofitted for smaller businesses. They're the minimum protections a small business needs to stop being an easy target, and increasingly the minimum evidence a large customer expects to see.
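The four controls above, modelled as an added Python example (not ApprovalMax's own code): the person who entered a bill cannot approve it, two distinct approvers are needed, a bill whose bank details differ from the supplier record is held until the record is updated through a separate verification step, a repeated invoice number is held as a duplicate, and every decision lands in a time-stamped audit trail. Supplier names, people and account strings are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
REQUIRED_APPROVALS = 2  # assumption: two distinct approvals before any payment
@dataclass
class Bill:
    bill_id: str
    supplier: str
    invoice_no: str
    bank_account: str  # account the invoice asks to be paid into
    submitted_by: str  # person who received and entered the bill
    approvers: list = field(default_factory=list)

class APControls:
    def __init__(self, supplier_master):
        self.master = dict(supplier_master)  # supplier -> bank account on record
        self.seen = set()                    # (supplier, invoice_no) already paid
        self.audit = []                      # (timestamp, reference, event, actor)

    def log(self, ref, event, actor):
        self.audit.append((datetime.now(timezone.utc).isoformat(), ref, event, actor))

    def verify_bank_change(self, supplier, new_account, verifier):
        # Separate workflow: confirmed via a supplier contact already on record,
        # never by replying to the email that asked for the change.
        self.master[supplier] = new_account
        self.log(supplier, f"bank details updated to {new_account}", verifier)

    def approve(self, bill, approver):
        # Segregation of duties: the submitter cannot approve, nobody approves twice.
        if approver == bill.submitted_by or approver in bill.approvers:
            self.log(bill.bill_id, "approval refused", approver)
            return False
        bill.approvers.append(approver)
        self.log(bill.bill_id, "approved", approver)
        return True

    def release_payment(self, bill):
        if (bill.supplier, bill.invoice_no) in self.seen:
            return self._hold(bill, "duplicate invoice")
        if bill.bank_account != self.master.get(bill.supplier):
            return self._hold(bill, "bank details do not match supplier record")
        if len(bill.approvers) < REQUIRED_APPROVALS:
            return self._hold(bill, "insufficient approvals")
        self.seen.add((bill.supplier, bill.invoice_no))
        self.log(bill.bill_id, "payment released", "system")
        return "released"

    def _hold(self, bill, reason):
        self.log(bill.bill_id, f"held: {reason}", "system")
        return f"held: {reason}"
```

A bill that fails any gate is held with the reason recorded against its id, so the audit list doubles as the "who approved what" evidence a customer questionnaire asks for.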

By simply existing as a business, you’re already a target. The question is whether the path between a request and a payment in your business has more than one set of eyes on it, and whether the record of who approved what is something you'd be comfortable showing an auditor or a customer.

See what two-step approvals, supplier verification, and a defensible audit trail look like in your workflow with a free ApprovalMax trial.