SME Cybersecurity: Cifas Workplace Fraud Trends: Why UK SMEs need stronger fraud controls now – Report & Analysis


Gibraltar:  Friday, 29 May 2026 – 07:00 CET

By: Iain Fraser – Cybersecurity Journalist
Published in Collaboration with:
Securus Communications Ltd
SMECyberInsights.co.uk – First for SME Cybersecurity

The latest Workplace Fraud Trends findings from Cifas should concern any UK business leader, but they carry particular weight for SMEs. Smaller firms often depend on trust, informal approvals, and lean operating models. That makes them more vulnerable when workplace misconduct becomes normalised or quietly rationalised.

The report does not just point to isolated bad behaviour. It suggests that some forms of fraud are being seen by a worrying number of professionals as acceptable, understandable, or at least easier to excuse than many employers would expect.

As Mike Haley, CEO of Cifas, put it: “These insights suggest a shift in workplace norms and raise urgent questions about organisational culture, risk management, and accountability. Organisations must take steps urgently to build effective counter-fraud cultures in the workplace, strengthening prevention, and empowering employees to do the right thing.”

That is the real headline for SMEs. This is not only a fraud issue. It is a culture, governance, and control issue.

The figures supplied from the Cifas report paint a stark picture:

* 1 in 4 (24%) believe it is acceptable to secretly work for a competitor
* 18% of professionals admit to selling company login details for money
* 19% have used fake job references to land a job
* 13% know someone who used company funds to place a bet
* 1 in 4 (24%) say expenses fraud is justifiable

Taken together, these findings suggest that misconduct is not always seen as a serious line to cross. In some cases, it appears to be viewed as opportunistic, defensible, or simply part of working life.

For SMEs, that matters because smaller organisations are less likely to have the formal safeguards needed to detect or deter these behaviours early.

Large enterprises often have internal audit teams, mature identity controls, structured procurement checks, and stronger segregation of duties. Most SMEs do not. Many rely on a handful of trusted staff, outsourced support, and systems configured more for convenience than control.

This often leaves smaller firms exposed in areas such as:

* payroll and finance permissions
* supplier onboarding
* expense claims
* reference checking
* shared or over-permissioned accounts
* leaver processes
* contractor and temporary staff access

That creates exactly the kind of environment where low-friction fraud can thrive. One person may have too much visibility, too much access, or too much unchecked authority.

* If 18% admit to selling company login details for money, that is not merely an HR concern. It is a direct cyber security and business resilience issue.

* If 19% have used fake job references, recruitment assurance becomes part of fraud prevention, not just people administration.

* If 24% think expenses fraud is justifiable, then financial leakage and weak control culture may be more embedded than many leaders assume.

The strongest value in the report is not just in the percentages. It is in what those behaviours could mean in practice.

Selling company login details can lead to mailbox compromise, data theft, payment fraud, customer record exposure, unauthorised access to SaaS systems, and reputational or regulatory consequences.

For SMEs running on Microsoft 365, cloud accounting platforms, CRM systems, and payroll tools, one set of credentials can unlock a surprising amount of operational risk.

Hiring someone on the basis of fake references can expose a business to unqualified staff in sensitive roles, increased insider threat, poor access decisions, financial misconduct, reputational damage, and weaker compliance outcomes.

This becomes particularly risky where the role involves finance, procurement, customer data, or systems administration.

Some businesses still treat expenses fraud as minor misconduct. That is a mistake.

Repeated low-level abuse can lead to direct financial loss, poor management visibility, tolerance of rule-breaking, internal resentment, and a broader erosion of accountability. Once that tone is set, more serious fraud becomes easier to conceal.

The answer is not to drown the business in policy documents. It is to strengthen a handful of high-value controls and reinforce a culture of verification.

SME leaders should start by reviewing access to email administration, payroll systems, accounting tools, customer databases, supplier records, and shared cloud storage. Staff should only have the access they genuinely need.

Hiring checks also need tightening. Where roles involve trust, money, or sensitive information, businesses should verify references properly, confirm employment history, check role suitability, and scrutinise unexplained inconsistencies.

Financial duties should also be separated. No single person should be able to create a supplier, approve a payment, alter bank details, and reconcile transactions. Even simple segregation can sharply reduce fraud opportunity.
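The segregation-of-duties rule above can be checked against a finance system's audit trail and its permission grants. The following is an added example, not part of the Cifas report or the original article; the action names, supplier IDs, users and data layout are all constructed assumptions.

```python
from collections import defaultdict

# The four duties the article says no single person should hold together.
# The action names are assumptions; map them to your own system's event names.
DUTIES = {"create_supplier", "change_bank_details", "approve_payment", "reconcile"}

# Constructed sample audit trail: (actor, action, supplier_id)
EVENTS = [
    ("alice", "create_supplier", "SUP-001"),
    ("bob", "approve_payment", "SUP-001"),
    ("carol", "reconcile", "SUP-001"),
    ("dave", "create_supplier", "SUP-002"),
    ("dave", "change_bank_details", "SUP-002"),
    ("dave", "approve_payment", "SUP-002"),
    ("erin", "reconcile", "SUP-002"),
    ("bob", "view_report", "SUP-002"),        # not a controlled duty, ignored
    ("frank", "create_supplier", "SUP-003"),
    ("frank", "create_supplier", "SUP-003"),  # same duty twice is not a conflict
]

# Constructed sample of standing permissions per user.
GRANTS = {
    "alice": ["create_supplier"],
    "dave": ["create_supplier", "change_bank_details", "approve_payment", "reconcile"],
    "erin": ["reconcile", "approve_payment"],
}

def sod_violations(events, max_duties_per_actor=1):
    """Return {supplier: {actor: duties}} where one actor performed more
    than the allowed number of distinct duties on the same supplier."""
    held = defaultdict(lambda: defaultdict(set))
    for actor, action, supplier in events:
        if action in DUTIES:
            held[supplier][actor].add(action)
    findings = {}
    for supplier, actors in held.items():
        bad = {a: sorted(d) for a, d in actors.items() if len(d) > max_duties_per_actor}
        if bad:
            findings[supplier] = bad
    return findings

def standing_conflicts(grants):
    """Users whose permissions alone would let them complete all four duties."""
    return sorted(user for user, perms in grants.items() if DUTIES <= set(perms))

if __name__ == "__main__":
    print("Duties combined in practice:", sod_violations(EVENTS))
    print("Users able to run the full chain:", standing_conflicts(GRANTS))
```

The first check reports what people actually did, the second what their access would allow, so a user can appear in the second before any transaction has taken place.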

Expense controls need to be practical rather than bureaucratic. Clear approval thresholds, random review of claims, duplicate detection, and scrutiny of unusual submissions can all help.

Insider risk must also be treated as part of cyber security. If staff can misuse credentials, leak access, or abuse systems, the cyber implications are immediate.

Finally, employees need a safe way to flag concerns. A business that wants integrity must make it easier to report misconduct than to ignore it.

Mike Haley’s warning about workplace norms matters because it highlights a trap many SMEs fall into. Leaders often believe that a good culture, long-serving staff, or a close team will naturally keep fraud in check.

Culture helps. It is not enough on its own.

A healthy culture must be backed by visible accountability, proportionate oversight, clear rules, enforced approvals, and meaningful consequences for abuse. Otherwise, trust can become a substitute for control, and that is exactly where fraud risk grows.

The Cifas Workplace Fraud Trends findings should prompt a serious rethink for UK SMEs. These are not just statistics about dishonest behaviour. They are indicators of a broader control problem affecting recruitment, access management, finance, and organisational culture.

The most resilient SMEs will not be the ones with the longest policies. They will be the ones that do the basics well: verify before trusting, limit access, separate duties, monitor exceptions, make reporting easier, and reinforce accountability from the top.

In short, fraud prevention for SMEs is no longer just about catching bad behaviour. It is about designing a business that is harder to misuse in the first place.


