Digital Fraud: Emerging Threats in the Workplace

Digital fraud is when criminals use digital channels and systems to cause a business to take a harmful action, such as releasing money, disclosing data, or granting access, under the appearance of a legitimate request.

What makes digital fraud different from offline fraud is speed and reach. Messages can be replicated at scale, real accounts can be compromised and reused, and actions can be executed quickly once a weak point in the process is found. A digital fraud incident exploits authority, permissions, and verification design inside everyday business processes.

Digital fraud succeeds because it exploits predictable working conditions:

• Speed
• Volume
• Interruption
• The friction people face when controls slow delivery

When the workflow is designed for throughput, detection becomes a side task and the organisation’s “normal working day” becomes the attacker’s advantage.

Time pressure makes employees more susceptible because they are more likely to misclassify a phishing email as genuine when moving quickly through the inbox.

A Computers & Security study found that phishing detection dropped significantly under time pressure, and common “obvious tells” such as weak personalisation or poor mechanics did not reliably help people discriminate between genuine and phishing emails (Butavicius, Taib and Han, 2022).

This is why teams that rely on staff “spotting the signs” can still be caught out when the decision is made at speed, inside routine triage.

High workload increases susceptibility because attention narrows onto completing the task, so a task-shaped lure can feel routine. A usable security experiment presented at USEC 2024 found that, under high workload, participants were more likely to click task-relevant phishing than non-relevant phishing, based on a post hoc analysis (Zhuo et al., 2024). 

This is why fraud can concentrate in high-volume roles, even where awareness is high, because workload pushes people toward “just clear the queue” behaviour.

Spear phishing succeeds in workplaces because messages are crafted to resemble legitimate work, not obvious scams. Williams, Hinds and Joinson frame susceptibility as a workplace context issue, shaped by factors such as role demands, organisational expectations and the surrounding work environment, rather than simple “user error” (Williams, Hinds and Joinson, 2018). 

That shifts the practical focus toward defining what “normal” looks like for high-risk requests in each role, then making verification a routine step at the points where pace and pressure are highest.

Security fatigue leaves organisations more exposed because repeated security demands can lead people to disengage and follow guidance less consistently. NIST researchers describe security fatigue as an affective response linked to decision fatigue, which can shape how users make security decisions and whether they persist with protective actions (Stanton et al., 2016).

In NIST’s reporting on the same work, the researchers describe how weariness can progress into resignation and loss of control, which then increases avoidance and riskier choices (NIST, 2016).

This is why reducing unnecessary friction and making a small number of critical checks quick and routine in everyday workflows matters more than adding further reminders.

Most workplace fraud follows a small set of repeatable patterns. A message or request looks work-relevant, arrives when teams are busy, and pressures someone to act before verification happens. The channel varies, but the weak point is usually the same. A routine workflow allows a high-impact action without a reliable stop-check.

Phishing is the most common form of digital fraud targeting businesses. It starts with a fraudulent message that appears to come from a trusted source such as a bank, supplier, colleague, or internal system. The goal is to get someone to click, open, or log in, so the attacker can harvest credentials or deliver malware.

• A message prompts a login, file open, or “security check” that routes to a fake page or malicious attachment.
• Stolen access is then used to move laterally, send further messages, or target finance workflows.

Phishing lands because inbox volume and task pressure encourage fast triage. When an email matches the day’s work, people default to completion behaviour and clear the queue.

• Make high-risk actions hard to complete from email alone. Require verification for payment, bank detail, and account reset requests, even when the message looks familiar.
• Reduce reliance on “spot the signs.” Use email filtering and multi-factor authentication so one click does not become full access.
• Make reporting frictionless. If reporting is slow or punitive, suspicious messages stay unchallenged and attackers get repeat attempts.

Impersonation occurs when criminals pose as a trusted person such as a supplier, client, or senior manager to trigger a payment, change records, or release information. Email spoofing supports this by making messages appear to come from a legitimate address or domain, increasing credibility at first glance.

• The attacker mimics a known contact, tone, and format, then asks for a high-impact action such as a payment or bank detail change.
• Spoofed emails or convincing calls are used to remove hesitation and speed approval.

This succeeds when authority and payment norms override verification. People hesitate to slow a request that appears senior, urgent, or commercially sensitive, especially when “getting it done” is rewarded.

• Define a non-negotiable callback and verification rule for payment instructions and supplier bank changes. Make it role-based and routine, not discretionary.
• Use a trusted second channel. Call back using an official number from your records, not the one in the message.
• Implement email authentication controls to reduce spoofing reaching inboxes. Pair this with a clear rule that phone calls do not authorise payments or sensitive changes on their own.

Malware is malicious software that gets onto devices through attachments, links, or compromised websites. Some malware captures credentials, monitors activity, or enables remote access, which can then be used to commit fraud.

• A device is infected via an attachment, link, or unpatched software weakness.
• The attacker captures credentials or uses remote access to reach systems involved in payments or sensitive data.

Malware takes hold when patching is inconsistent, admin rights are too broad, or controls are bypassed to keep work moving. Shared devices and ad hoc file sharing increase exposure.

• Maintain patch discipline for operating systems, browsers, and core applications. This closes common entry points without adding user burden.
• Limit privileges. Remove local admin rights where they are not essential so infection does not become escalation.
• Use endpoint protection and monitoring that can isolate devices quickly, so one infection does not spread into finance and identity systems.

Account takeover happens when criminals gain control of business accounts such as email, banking, or cloud tools. It often follows phishing or malware, but the damage depends on what the account can access and what actions it can approve.

• Credentials are stolen, reused, or captured through malware.
  The attacker uses the account’s existing permissions to access systems, change settings, or initiate fraudulent actions.

The risk is not only passwords. It is privilege design. Over-broad access, shared accounts, and weak separation between email and finance workflows allow a single takeover to become a payment event.

• Enforce multi-factor authentication for email, finance, and administrator access. This blocks many takeovers even when credentials leak.
• Reduce privileges and segment systems so that compromised email does not directly enable payment changes.
• Monitor for unusual sign-ins and risky actions, then make account lockdown fast and well-owned.

Bank account hacking targets a business’s online banking access. The aim is to transfer money, add payees, or change controls so legitimate users cannot intervene.

• The attacker gains access using stolen credentials or compromised devices.
• They create payees, change contact details, or initiate transfers, often outside normal working patterns.

This succeeds when segregation of duties is weak, payee controls are informal, or approvals can be bypassed to keep payments moving. Workarounds become the path of least resistance.

• Put payee management behind strong controls. Require independent verification before new payees or bank detail changes go live.
• Enforce dual approval and transaction limits, and make exceptions rare and auditable.
• Reconcile frequently and act fast on anomalies. Early detection matters because recovery windows are short once funds move.

If your business falls victim to digital fraud, act quickly to reduce further loss and preserve recovery options.

• Contact your bank immediately to try to stop, recall, or freeze payments.
• Report the incident to the police reporting service for fraud and cyber crime. You can report online via Report Fraud or call 0300 123 2040 for advice and reporting support.
• If an attack is still live and data may be at risk, escalate internally and call 0300 123 2040 for the live cyber attack reporting route.
• If there is immediate danger or an offence in progress, call 999. For non-emergency police contact, call 101.
• Preserve evidence such as emails, invoices, payment instructions, screenshots, call logs, and account audit logs.
• Investigate how the fraud happened and close the control gaps. Most organisations discover issues they had normalised, such as informal workarounds in payment handling, assumptions that certain requests are “trusted,” or unclear ownership between Finance and IT for verification controls.
• Inform affected staff, clients, or suppliers promptly where doing so helps prevent further harm, for example, by stopping follow-on payments or confirming genuine contact routes.

If the incident involved phishing messages, you can also use UK Government guidance on reporting suspicious emails and online scams, which links to the same reporting routes (GOV.UK, n.d.).

Note: The reporting routes and phone numbers below (for example, Report Fraud, 0300 123 2040, 101, 999) are UK-specific. If you are outside the UK, use your local police non-emergency number and your national fraud or cybercrime reporting service (or equivalent).

Digital fraud is often presented as a test of employee judgement. In practice, it succeeds when everyday business processes allow authority and urgency to override normal verification, especially around payments and changes to supplier bank details.

The UK National Cyber Security Centre treats Business Email Compromise as a business process attack. Its guidance prioritises controls that reduce reliance on making the right call under pressure, particularly for payment requests and bank detail changes.

That framing aligns with Herath and Rao’s findings that security behaviour is shaped by practical organisational conditions, including:

• Response Costs: How much time, effort, and friction “doing the right thing” adds to the job.
• Self-efficacy: Whether people feel able to carry out the required checks with the resources they have.
• Organisational Commitment: Whether the organisation visibly supports secure practice through priorities and follow-through.
• Social Influence: What peers and leaders signal as normal, expected, and acceptable in day-to-day work.

Which means people follow controls more reliably when the organisation makes them doable, resourced, and normal. The design goal is therefore to make verification the default route for high-risk requests, and ensure seniority cannot create an informal bypass.

Training helps staff recognise suspicious cues, slow down at the right moments, and respond consistently when something feels off. It supports better decisions in the flow of work, especially when requests arrive through email, messaging, or phone calls.

However, training does not compensate for weak payment controls, authority bypass, or unclear ownership for verification. If a process allows high-impact actions to be completed without a reliable stop-check, fraud will still get through.

Used properly, fraud awareness training supports competence inside a designed system. It reinforces the behaviours your controls depend on, such as:

• Knowing when to pause and verify, rather than relying on judgement at speed.
• Escalating unusual requests without fear of blame.
• Reporting suspected attempts quickly, so the organisation can block follow-on attacks.
• Using the agreed verification route for payment, bank detail, and access requests.

Ultimately, training improves recognition and reporting. Preventing digital fraud depends on whether your payment and verification controls still hold up on the busiest day, with the least time, and the most pressure to “just get it done.”