Invoice fraud prevention is a seasonal problem for most UK SMEs, and the worst season is summer. Two of the three approvers are out, one new starter is covering the inbox, and the finance lead’s out-of-office reply tells anyone who emails that they are walking the Camino until late August. June through August is when invoice fraud lands. It lands because the people who would normally spot it are not in the building.

Invoice fraud prevention is less about new tools and more about closing the seasonal gaps in how your business approves changes when senior staff are away. The five controls below take less than a week to put in place and cover the most common scams we see hitting UK businesses through the summer holiday window.

Why invoice fraud prevention gets harder in summer

In the UK Cyber Security Breaches Survey 2025/26, phishing was the most disruptive type of incident for most businesses that experienced one. The technique itself is not seasonal. The success rate is.

When the finance director is on a beach in Crete, an email from “the finance director” asking the bookkeeper to authorise an urgent supplier bank-detail change carries more weight, not less. The bookkeeper cannot easily check. The MD who would normally be CC’d is also away. The supplier has been a real supplier for years. The bank account change is the only thing that has moved, and that is the part nobody notices.

This is the operational reality criminals are betting on, and they are right often enough to keep doing it.

Control 1: A deputy matrix that covers approvals

Most businesses have an out-of-office system for replying to emails. Few have one for approvals. Build a one-page deputy matrix before staff start booking holiday. Three columns: the action that needs approval, the primary approver, the named deputy.

Cover at minimum:

  • Supplier bank-detail changes
  • New supplier setup
  • Payments above a defined threshold
  • Payroll changes
  • Refunds above a threshold

The matrix lives in finance, in HR and in your shared drive. Every approver knows who their deputy is, in writing, before the first holiday week. Adapting the 30-second social engineering script we published in May gives the deputy a working escalation pattern when something feels wrong.

Control 2: Out-of-office replies that do not leak

The default out-of-office reply tells the world the sender is away, for how long, who is covering, and often where they are. That is enough for a convincing impersonation attempt.

A safer pattern says only what the recipient needs to know: that the message has been received, when a reply can be expected, and a generic team inbox or covering colleague for urgent matters. No travel details, no external phone numbers and no private mobile number.

The same rule applies to LinkedIn updates and team-wide announcements. Holiday plans do not need to be public.

Control 3: A callback rule for any bank-detail change

This is the single highest-impact control on the list. Any change to supplier banking details triggers a callback to a known phone number for that supplier, never to the number in the latest email signature. The known number lives in your purchase ledger, not in the email thread requesting the change.

If the supplier cannot be reached, the change waits. The cultural piece matters as much as the rule: nobody gets blamed for delaying a payment to verify it. That is the no-shame part. Once it is in the cyber incident response plan and the team knows it applies to everyone including the MD, the rule holds.

Control 4: Conditional access for travel windows

If your team uses Microsoft 365 and your licences include conditional access, you can tighten sign-in rules during defined travel windows. Block sign-ins from countries staff are not in, require a fresh MFA prompt from new locations, and flag impossible-travel events for review.

This sits naturally next to the controls described in our Cyber Essentials v3.3 guide. It is also the control that catches account takeover attempts before they reach finance at all.
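The Microsoft 365 settings behind Control 4 are conditional access policies, and they can be created through Microsoft Graph rather than clicked through the portal. The block below is an added example written for this page, not code from the original post and not Microsoft's own sample: it builds a country named location and two policies, one blocking finance sign-ins from outside the allowed countries and one requiring MFA when Identity Protection rates a sign-in as risky (atypical travel is one of the detections behind that risk score, and sign-in risk conditions need an Entra ID P2 licence). Mapping "a fresh MFA prompt from new locations" onto sign-in risk plus a one-hour sign-in frequency is this example's assumption. The group IDs and the token source are placeholders, and both policies are created in report-only mode so nothing is enforced before the sign-in logs have been reviewed.

```python
# Added example (not from the original post or Microsoft's documentation): build the
# Graph request bodies for Control 4 and, if a token is present, submit them.
# Group IDs are placeholders. Policies start in report-only mode so that a
# mis-scoped block cannot lock the business out during the holiday window.
import json
import os
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def country_named_location(display_name: str, countries: list) -> dict:
    """countryNamedLocation body: the countries staff are expected to sign in from."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": countries,            # ISO 3166-1 alpha-2 codes
        "includeUnknownCountriesAndRegions": False,  # unresolvable IPs are not allowed
    }


def block_outside_allowed_countries(location_id: str, finance_group: str,
                                    breakglass_group: str) -> dict:
    """Policy 1: block the finance group from signing in anywhere but the allowed countries.

    The break-glass group is excluded so an admin can still get in if the policy misfires.
    """
    return {
        "displayName": "Summer cover: block finance sign-ins outside allowed countries",
        "state": "enabledForReportingButNotEnforced",  # report-only first, enforce later
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [finance_group], "excludeGroups": [breakglass_group]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def mfa_on_risky_sign_in(finance_group: str, breakglass_group: str) -> dict:
    """Policy 2: require MFA on medium/high sign-in risk and re-prompt hourly.

    Identity Protection raises sign-in risk for detections such as atypical travel;
    this condition needs an Entra ID P2 licence.
    """
    return {
        "displayName": "Summer cover: MFA on medium/high sign-in risk",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeGroups": [finance_group], "excludeGroups": [breakglass_group]},
            "signInRiskLevels": ["medium", "high"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
        "sessionControls": {
            "signInFrequency": {"value": 1, "type": "hours", "isEnabled": True}
        },
    }


def policy_is_safe_to_enable(policy: dict) -> bool:
    """Refuse a blocking policy that has no break-glass exclusion at all."""
    blocks = "block" in policy.get("grantControls", {}).get("builtInControls", [])
    excluded = policy.get("conditions", {}).get("users", {}).get("excludeGroups", [])
    return (not blocks) or bool(excluded)


def graph_post(path: str, body: dict, token: str) -> dict:
    """POST a body to Graph; the app needs Policy.ReadWrite.ConditionalAccess consent."""
    req = urllib.request.Request(
        GRAPH + path,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # placeholder: issue via your own app registration
    finance = os.environ.get("FINANCE_GROUP_ID", "<finance-group-object-id>")
    breakglass = os.environ.get("BREAKGLASS_GROUP_ID", "<break-glass-group-object-id>")
    if token:
        loc = graph_post("/identity/conditionalAccess/namedLocations",
                         country_named_location("UK only", ["GB"]), token)
        for pol in (block_outside_allowed_countries(loc["id"], finance, breakglass),
                    mfa_on_risky_sign_in(finance, breakglass)):
            assert policy_is_safe_to_enable(pol), "no break-glass exclusion on a block policy"
            graph_post("/identity/conditionalAccess/policies", pol, token)
    else:
        print(json.dumps(block_outside_allowed_countries("<named-location-id>",
                                                         finance, breakglass), indent=2))
```

Run it without a token to print the policy body for review; with a token it creates the named location and both policies in report-only state. Switching `state` to `enabled` is a deliberate second step, taken only after the report-only sign-in log shows that the people who should get through are getting through. Staff who are genuinely working abroad for the summer need the named location extended to cover them before that switch, otherwise the block policy is the thing that stops finance working, not the fraud.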

Control 5: A short briefing for the team

Before the holiday season starts, send a five-bullet email to the people who handle money and inboxes. Cover the deputy matrix, the OOO rule, the callback rule, and the two scams to expect: a bank-detail change for a real supplier, and a same-day urgent payment request from a senior approver who is travelling.

The briefing does not need to be long. It does need to be in writing, so the team can point to it when they apply the rules.

What this looks like by mid-July

A business that has done the five controls above answers a different question in August. Instead of “did we just send GBP18,000 to the wrong account”, the question becomes “should we approve this change today or wait for our finance lead to confirm on Monday”. That is the same conversation, with one difference. The money is still in the account.

If you would like us to walk through your summer cover and tighten the gaps, book a 30-minute summer-readiness review and we will produce a deputy matrix, a callback rule and conditional access settings tailored to your business before the July rota change.