
International Payment Fraud: UK Business Protection Guide 2026


Will Stead avatar


UK businesses making international payments in 2026 face the highest payment fraud exposure on record — 79 percent of organisations experienced payments fraud attempts in 2025, with business email compromise (BEC) and AI-generated invoice modifications the dominant vectors. The cheapest, most effective protection combines a named-specialist payment process (where every transfer is verified by phone with the same person), FCA-authorised partner safeguarding, callback verification on every new payee, and staff training on the specific fraud patterns now targeting UK finance teams.

Who this guide is for

This guide is written for UK finance directors, financial controllers, business owners and accounts payable teams handling international supplier payments, foreign currency receipts, or any cross-border money flow above £10,000. It is particularly relevant for SMEs and mid-market businesses without dedicated treasury or cyber security functions — the cohort most often targeted because they sit above the consumer-fraud threshold but below the sophisticated controls of corporates.

Cambridge Currencies operates international business payments via our FCA-authorised partners Currencycloud (FRN 900199) and ScioPay (FRN 927951). Every transaction is completed by phone with a dedicated specialist — a model that, by design, structurally limits the email-based fraud vectors that drive most UK business payment losses.

The scale of UK business payment fraud in 2026

Three data points anchor the current threat picture for UK businesses:

  • 79 percent of organisations were targeted by payments fraud attempts in 2025 (Airwallex 2026 cross-border payments report), with BEC and AI-generated invoice modification the most cited vectors. The proportion succeeding in extracting funds is materially smaller, but the average loss per successful BEC incident is significant.
  • Authorised Push Payment (APP) fraud cost UK businesses £159.7 million in 2024 per UK Finance’s Annual Fraud Report. APP fraud — where the victim is tricked into authorising a payment to a fraudster — is the category that BEC and invoice fraud fall into. International payments above the consumer-protection threshold of £85,000 are typically not covered by mandatory reimbursement.
  • AI-generated content has lowered the technical barrier to convincing fraud. The National Cyber Security Centre notes that generative AI now produces near-perfect English-language invoice modifications, fake supplier emails and cloned voice calls — defeating the older “watch for typos and broken grammar” defence that worked through 2023.

The six international payment fraud types UK businesses face

| Fraud type | How it works | Typical target | Average UK business loss |
| --- | --- | --- | --- |
| Business Email Compromise (BEC) — CEO impersonation | Fraudster spoofs or compromises the CEO’s email and instructs finance to make an urgent payment to a “supplier” or “acquisition target” account. | Accounts payable, financial controllers — typically when CEO is travelling or known to be unavailable | £35,000 to £250,000+ per incident |
| Invoice modification fraud | Legitimate supplier’s email is compromised. The next genuine invoice arrives modified — bank details swapped to a fraudster’s account. | Recurring overseas suppliers where the invoice flow is established and unchallenged | £20,000 to £150,000 per incident |
| Supplier impersonation | Fraudster registers a look-alike domain (e.g. acmesupp1y.com instead of acmesupply.com) and emails finance with “updated banking details” for an upcoming payment. | New supplier relationships, or after a known supplier relocation/restructure | £15,000 to £100,000 per incident |
| Mandate or direct debit fraud | Fraudster impersonates a regular supplier and submits new bank instructions for an existing recurring payment relationship. | Businesses with regular monthly/quarterly overseas supplier payments | £10,000 to £80,000 per incident |
| Authorised Push Payment via fake “broker” | Fraudster impersonates a currency broker offering exceptional FX rates, captures funds, and disappears. Often via cold call or LinkedIn outreach. | Finance teams seeking better-than-bank FX rates without prior broker relationship | £25,000 to £200,000+ per incident |
| Phishing-led account takeover | Finance team member’s online banking or accounting credentials are captured via phishing; payments are then initiated directly from compromised systems. | SMEs using shared banking access or weak MFA practices | £20,000 to £500,000+ per incident |

The shift since 2024: previously English-language quality was a reliable tell. In 2026, AI-generated fraud emails are linguistically flawless, contextually accurate (using LinkedIn-scraped employee names and reporting structures), and sometimes accompanied by deepfake voice calls. Detection has moved from “spot the typo” to process-level verification.

Business email compromise: the dominant 2026 vector

The typical BEC sequence targeting a UK SME:

  1. Reconnaissance. Fraudster scrapes the company’s website, LinkedIn, Companies House filings and press releases. Maps the CEO, CFO, financial controller and accounts payable. Identifies one or two recurring overseas suppliers and supplier contact names.
  2. Email infrastructure. Registers a look-alike domain (one character different from the real company or supplier domain) and sets up spoofed sender addresses. Alternatively, compromises an actual mailbox via phishing.
  3. Timing. Waits for a credible window — CEO travelling, quarter-end pressure, known supplier payment cycle.
  4. The instruction. Email to finance from “CEO” requesting an urgent payment, OR email from “supplier” with updated banking details for an upcoming invoice. Tone is professional, contextually accurate, urgent enough to discourage verification.
  5. The payment. Finance team processes the payment via UK bank wire or fintech app. The fraudster’s account receives the funds and immediately disperses them through a mule network.
  6. Discovery. Real supplier follows up on unpaid invoice. Real CEO denies the instruction. Funds are typically already gone — recovery rates on cross-border APP fraud above £85,000 are under 20 percent.

“The named-specialist model exists for operational reasons but it’s now a structural fraud control,” says Anthony Bull, CEO of Cambridge Currencies. “When every payment is verified by phone with the same specialist who already knows the client’s payee list, the email-based attack vectors that drive 70 to 80 percent of UK business payment losses simply don’t have a route in. The fraudster can’t email a new supplier instruction into the process because there is no email-based process to attack.”

The detection checklist: ten questions before any new international payment

  1. Was the bank detail change requested by email? If yes, this is the single highest-risk signal. Treat as suspect until verified by phone callback to a previously-known number for the supplier.
  2. Have I called the supplier on a number I already know — not the number in the email? The number in a fraudulent email connects you to the fraudster. Use a number from a previous invoice, the supplier’s published website, or your CRM.
  3. Does the sending domain match exactly? Compare character-by-character with previous emails from this supplier. Look for substituted characters (rn looks like m, 0 vs O, 1 vs l).
  4. Is the urgency disproportionate to the payment? “Urgent — pay today” combined with bank detail change is the canonical BEC signature.
  5. Has the supplier’s country of payment changed? An Italian supplier suddenly receiving payment to a Hong Kong account, or a US supplier to an Eastern European IBAN, is almost always fraudulent. Legitimate banking relocations are rare and easy to verify.
  6. Was the request unusual in volume or timing? For example, a request to settle three invoices at once when the usual pattern is single-invoice payments, or a request to pay ahead of the contractual payment terms.
  7. Did the CEO email outside their normal pattern? A CEO who never emails AP directly suddenly emailing AP directly is the canonical CEO impersonation signature.
  8. Has the payment process bypassed the normal approval chain? Most BEC succeeds because the standard dual-approval process was bypassed for urgency.
  9. Did I receive a voice call confirming the email? AI-generated deepfake voice is now possible. A 30-second voice call alone is no longer sufficient verification — it must be a callback to a known number.
  10. If I’m uncertain, who do I escalate to? Every finance function should have a defined escalation route for payment uncertainty that does not depend on the requestor.
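
Checks 1 and 3 above can be partly automated when a payment or bank-detail email arrives. The following is an added example, not code from the original article or from Cambridge Currencies; the function names and the KNOWN supplier list are assumptions for illustration, and acmesupply.com is the article's own sample domain.

```python
from email.utils import parseaddr

# Substitutions the checklist names: "rn" for "m", "0" for "o", "1" for "l".
CONFUSABLES = (("rn", "m"), ("0", "o"), ("1", "l"))

def sender_domain(from_header: str) -> str:
    """Extract the real domain, ignoring any display name in the header."""
    address = parseaddr(from_header)[1]
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one dropped, added or substituted character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, known_domains: set) -> tuple:
    """Return ("exact" | "lookalike" | "unknown", matched known domain or None)."""
    domain = sender_domain(from_header)
    if domain in known_domains:
        return ("exact", domain)
    for known in sorted(known_domains):
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 1:
            return ("lookalike", known)
    return ("unknown", None)

def review_request(from_header: str, known_domains: set, bank_details_changed: bool) -> list:
    """List the reasons a payment request must be held for callback verification."""
    verdict, matched = classify_sender(from_header, known_domains)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain imitates {matched}")
    elif verdict == "unknown":
        reasons.append("sender domain not in supplier records")
    if bank_details_changed:
        # An exact domain match proves nothing if the supplier's mailbox is compromised.
        reasons.append("bank details changed by email: call back on a number already on file")
    return reasons

# Constructed sample data: the supplier list a finance team would hold on record.
KNOWN = {"acmesupply.com"}
```

An empty list from `review_request` means only that these two automated checks raised nothing; the remaining checklist questions still apply.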

Prevention process: the four controls every UK finance team needs

  1. Callback verification on every new payee and every bank detail change. No exceptions. The number called must come from your existing records, never from the email or document requesting the change. Document the call and who you spoke to.
  2. Dual approval, with the second approver verifying independently. If one person can authorise an international payment, BEC will eventually succeed. Two approvers — both seeing the source document and both with independent verification — closes the most common attack path.
  3. FCA-authorised provider for all international payments. Funds held with FCA-authorised payment institutions (Currencycloud, ScioPay, Wise, Airwallex and others) are safeguarded under the Payment Services Regulations 2017. Funds with unregulated providers are not. See our FCA regulation guide for FX clients.
  4. Named-specialist or named-account-manager process. A payment process that involves a phone call to the same named person on every transfer is far harder to attack than an online-only or email-based process. The structural reason: there is no email-based payment instruction for the fraudster to spoof. Our how to choose a UK business currency broker guide covers the regulated provider checklist in full.

What to do if your UK business is hit by international payment fraud

Speed determines the recovery outcome. In the first 24 hours, recovery is possible in 30 to 50 percent of cases. After 72 hours, recovery drops below 15 percent. The action sequence:

  1. Within the first hour. Contact your bank or payment provider’s fraud team directly. Request an emergency recall on the payment. International recalls work if the funds have not yet been dispersed from the receiving account.
  2. Within 24 hours. Report to Action Fraud (the national fraud and cyber crime reporting centre). Crime reference number is required for insurance claims and any civil recovery action.
  3. Within 48 hours. If significant volume, instruct a specialist fraud recovery solicitor. Civil recovery routes (Norwich Pharmacal orders, freezing orders) are available where the receiving bank can be identified.
  4. Within the first week. Notify your business insurer (cyber/crime cover may apply), HMRC if VAT or PAYE liabilities are affected, and your accountants. If client data was exposed, ICO notification within 72 hours of awareness under UK GDPR is mandatory.
  5. Within the first month. Full incident review and process changes. The fraudster’s intelligence about your business doesn’t expire — repeat attempts within 6 to 12 months are common.

Why the specialist broker model structurally reduces fraud risk

The fraud profile of an international payment depends on which process executes it. The three common UK business payment routes carry materially different fraud exposures:

  • UK business bank online wire. Self-service via online banking. The full attack surface — phishing, BEC, account takeover, mandate fraud — is exposed. Banks rely on internal controls (transaction monitoring, MFA) that protect the perimeter but not the instruction itself.
  • Multi-currency app (Wise, Airwallex, WorldFirst). Self-service via app or web. Generally strong MFA and behavioural fraud detection, but the underlying email/digital instruction risk remains. New-payee onboarding flow is typically the highest-risk moment.
  • Specialist broker with named specialist by phone. Every payment is verified by phone with the same specialist. New payees are onboarded through documented callback verification before they can be paid. There is no email-based payment instruction route for a fraudster to spoof. The structural attack surface is materially smaller.

The specialist broker route is not fraud-proof — no payment process is. But removing email instruction from the loop closes the dominant 2026 attack vector. For UK businesses making regular international payments, this is a meaningful operational control alongside the cost saving on FX margins.

The wider question of counterparty risk — what happens if your FX provider itself fails — is covered in our single FX provider risk guide, with the practical recovery process detailed in our what to do if your UK currency broker stops trading guide.

Speak to a specialist about secure international payment processes

If you’re a UK finance director, financial controller or business owner reviewing your international payment controls, a short conversation with a Cambridge Currencies specialist will set out how the named-specialist phone-verified process compares with your current bank or fintech setup. Every transaction is completed by phone with a dedicated specialist who knows your payee list — by design, this removes the email instruction vector that drives most UK business payment fraud. For wider context on payment-processing risk, see our AML and source of funds documentation guide.


Sources: UK Finance — Annual Fraud Report, National Cyber Security Centre — Business Email Compromise guidance, Action Fraud — National Fraud and Cyber Crime Reporting Centre, FCA Financial Services Register.
