If you suspect corporate fraud, your priority is to stop further loss without creating new risks. That usually means restricting access to money, systems and sensitive data, preserving evidence, and assigning clear decision-makers. In parallel, you need to develop a plan for what you will communicate to staff, stakeholders, and whether a report to authorities is required.
Business owners often ask the same urgent questions: How do I know it is fraud and not an error? What should I do in the first 24 hours? Should I suspend someone immediately? How do I preserve evidence? When do I involve legal help? This guide answers those questions in plain language and outlines a practical sequence you can follow.
What UK business owners search in this situation?
These are common search queries that show up when directors and founders suspect wrongdoing:
- “Signs of corporate fraud in a small business”
- “What to do if an employee is stealing from the company?”
- “How to investigate fraud at work in the UK”
- “Can I check employee emails in the UK?”
- “How to preserve evidence for a fraud investigation”
- “Do I need to report fraud to the police or Action Fraud?”
- “Should I tell my accountant or bank?”
- “How to suspend an employee during an investigation”
- “How long should I keep records and logs?”
- “When to contact corporate fraud lawyers”
Quick answers to common questions
How do I distinguish between fraud and a mistake?
Start with patterns, not assumptions. Fraud usually shows intent or concealment: duplicated suppliers, changed bank details, missing invoices, unexplained credits, altered approvals, or repeated “one-off” exceptions. A mistake can still be grave, but it rarely includes a trail of evasive behaviour.
What should I do first?
Control access and preserve evidence. Freeze or dual-authorise payments, revoke unnecessary permissions, and ensure you do not overwrite key data (emails, logs, accounting records, chat messages).
Should I confront the suspected person?
Not at the start. Confrontation can trigger deletion of evidence, collusion, or a coordinated narrative. Keep the circle small until you have preserved core records and agreed on the process.
Can I suspend an employee immediately?
Sometimes, but it should be handled carefully. A knee-jerk suspension can be unfair and can tip off a suspect. In many cases, a short, neutral “administrative” pause on access, followed by a managed HR process, is safer.
Do I have to report it?
It depends on the facts, sector, and risk profile. If there is a threat to customers, investors, regulated activities, or public funds, reporting obligations may apply. Even where reporting is optional, early thinking is valuable because it affects how you preserve evidence and communicate.
Step 1: Stabilise the situation in the first 24 hours
Fraud response is a business continuity issue. On the first day, focus on preventing further movement of money and data.
Lock down financial controls
- Move to dual approval for payments and bank detail changes.
- Pause non-essential supplier onboarding and large transfers.
- Ask your bank about fraud monitoring flags if any payments look suspicious.
Reduce access without raising alarms
- Remove admin rights where they are not needed.
- Limit access to finance systems to essential staff only.
- Preserve a record of access changes so you can explain them later.
Assign a response lead
Pick one senior person to coordinate actions across finance, IT, HR, and external advisers. Too many decision-makers create gaps and accidental evidence loss.
Check immediate exposure
- What is the maximum likely loss if the same behaviour continues for another week?
- Is customer data involved?
- Is there a live threat such as account takeover, invoice redirection, or payroll fraud?
Step 2: Preserve evidence without creating new problems
Evidence preservation is crucial, as it can prevent many businesses from accidentally damaging their own case. You want to keep records intact, maintain their admissibility, and avoid breaching employment or data protection rules.
Preserve, do not “clean up”
- Do not re-save spreadsheets, “fix” ledgers, or tidy email folders.
- Avoid running bulk deletions or mailbox archiving until you are certain of your needs.
Work with IT on controlled collection
- Secure copies of relevant mailboxes, file shares, device logs, and finance system audit trails.
- Capture system access logs and change histories for payment details and approvals.
- Keep a simple chain-of-custody note: who collected what, when, and where it is stored.
Keep communications disciplined
Use a small, need-to-know group chat or email thread. Loose commentary, such as “they are definitely guilty,” can become discoverable and cause reputational damage.
Step 3: Run a focused internal investigation
A reasonable investigation is narrow at the start and expands only when evidence supports it.
Define the allegation clearly
Examples:
- “Unauthorised supplier payments under £5,000 approved outside policy.”
- “Bank details changes followed by diversion of invoices.”
- “Inflated expense claims with missing receipts.”
Create a timeline
Build a timeline of events, approvals, and access. This often reveals the method, the control failure, and whether one person or multiple people are involved.
Follow the money
- Trace payments from invoice to bank account.
- Validate the existence, ownership, and trading activity of suppliers.
- Compare purchase orders, delivery records, and contract terms to ensure accuracy.
Interview with structure
Interviews should follow evidence, not instincts. Start with process owners (how things should work), then witnesses (what changed), and only later approach suspects, once you have preserved records and agreed on the approach.
Step 4: Decide on reporting, recovery, and communications
By this stage, you are usually deciding between three parallel tracks: recovery, reporting, and remediation.
Recovery options
- Contact the bank promptly if funds have recently been transferred. Timing matters.
- Consider civil recovery where appropriate (for example, tracing assets or seeking injunctions), subject to advice.
- Review relevant insurance policies (including crime, cyber, and management liability) and comply with all applicable notification requirements.
Reporting routes
Depending on the facts, you may consider:
- Action Fraud or police reporting (standard for fraud affecting UK businesses).
- Sector regulators, if you operate in a regulated environment.
- HMRC if the issue touches tax fraud or payroll manipulation.
- Investors, auditors, or lenders, if covenants, reporting duties, or material events are involved.
Communications
Draft messages for staff and stakeholders that are factual and controlled:
- What you know, what you are investigating, and what will happen next.
- What staff should do if approached, for example, is to preserve records and refrain from speculation.
- A confidential way for employees to provide information.
Why early legal input changes the outcome?
Fraud investigations often turn on process and timing. Legal guidance can help you structure the investigation, manage employment risk, preserve evidence correctly, and control the flow of information to reduce defamation and confidentiality issues.
If you suspect wrongdoing, involving specialist corporate fraud lawyers early can also help you decide whether you are dealing with an internal disciplinary matter, a civil recovery scenario, a criminal referral, or a combination of all three.
A useful benchmark for scale and urgency
Fraud is often viewed as a rare occurrence until it actually happens. A widely cited benchmark from the Association of Certified Fraud Examiners (ACFE) is that organisations lose an estimated 5% of revenue to fraud each year, based on analysed case data. (ACFE) For a growing business, that level of leakage is not a rounding error. It can change hiring plans, cash runway, and investor confidence.
What to fix after the immediate issue is contained
Once the immediate risk is controlled, the goal is to prevent repeat incidents and improve detection time.
Tighten the points of failure
- Segregation of duties for payments and supplier changes.
- Mandatory verification for bank detail changes using an independent channel.
- Clear approval thresholds with audit trails that are actually reviewed.
Improves detection
- Exception reports for duplicate invoices, round-sum payments, new suppliers, and weekend approvals.
- Regular review of user permissions and admin access.
- A simple whistleblowing channel that staff trust and can use without fear.
Document what you learned
Create a short internal post-incident report: what happened, how it was detected, how long it ran, what controls failed, and what changed. This is useful for boards, insurers, and future audits.
Conclusion
Suspected fraud can feel chaotic, but your response does not need to be. Control access, preserve evidence, investigate with discipline, and decide reporting and recovery steps based on facts. The sooner you act, the more options you keep open, and the easier it is to protect cash, reputation, and staff morale.
