Insider fraud is mostly the people you already hired

Carl Heaton · Security Commentary

Cifas has published its 2025 Workplace Fraud Trends report, based on a survey of 2,000 UK employees working in companies with more than 1,000 staff. The headline is uncomfortable. Nearly a quarter of respondents (24%) know someone who has committed expenses fraud in the past year. One in eight (13%) say they or someone they know has sold company login details. Almost one in five (19%) know someone who has used a fake reference to cover a CV gap.

These are not edge cases. They are the people sitting next to you.

What the survey actually measured

Cifas put five scenarios to respondents and asked two questions about each: do you think this is justifiable, and have you, or someone you know, done it?

  • Faking a reference to cover gaps and get hired.
  • Selling login details, believing it is harmless one-time access.
  • Secretly freelancing for a competitor while still employed.
  • Claiming personal lunches as business expenses to skip approval.
  • Gambling company funds, intending to pay them back after a win.

Roughly a quarter of respondents (24%) said secretly working for a competitor was acceptable. Three in 10 (30%) said using a fake reference house was justifiable. The "I would never" answers were a minority on every scenario.

Two findings are worth lingering on. The first is that tolerance ran across all levels of seniority, including leadership. The second is that IT and telecoms staff scored highest for tolerance across multiple scenarios. The people closest to the systems were also the most relaxed about misusing them.

Why this matters for smaller businesses

Cifas surveyed large employers, but the dynamics travel down. If anything they get sharper at SME scale, because the controls are lighter, the segregation of duties is thinner, and one finance manager often holds the keys to the bank, the payroll, and the expenses tool at the same time.

Most insider fraud in a small business does not look like a film. It looks like:

  • A salesperson who is also taking commission from a competitor on the same leads.
  • An ops manager whose Amazon Business basket has grown a personal tail.
  • An IT contractor who shares an admin login with a friend who left six months ago, so the friend can pull a reference to land a new job.
  • A bookkeeper who books personal cards through the company account and intends to settle up at year end.

None of these need a sophisticated attacker. They need an opportunity and a story the person can tell themselves about why it is fine.

What actually helps

You cannot tool your way out of a culture problem, but you can take the easy opportunities off the table.

  • Vet beyond onboarding. Reference checks at hire are table stakes. Re-checking when someone moves into a finance, IT admin, or procurement role is the bit most firms skip. Cifas explicitly recommends continuing background checks beyond onboarding.
  • Segregate the duties that matter. The same person should not raise a supplier, approve the invoice, and release the payment. In a small team this often means the director approves payments above a threshold, and that threshold is low enough to bite.
  • Make logins personal and traceable. Shared admin accounts are how "selling login details" becomes invisible. Every admin action should be tied to a named human, with logs you could actually review if you had to.
  • Treat expenses as a control, not a chore. A monthly five-minute look at the top 10 expense claims by value, picked at random, changes behaviour faster than any policy document.
  • Have a route for people to flag concerns. Most insider fraud is noticed by a colleague before it is noticed by a system. If the only options are "say nothing" or "go to HR", people pick the first one.

The Cifas message worth taking away is that this is a culture question first and a controls question second. The controls only work if the tone from the top makes it clear that fiddling the company is not a victimless game, and that the people who flag concerns are protected rather than punished.

How Steelwise can help

Working out where a small business is actually exposed to insider risk, which controls are worth tightening, and which would just create paperwork, is the kind of review we run for clients. Get in touch.
