Stop Getting Fooled: A Small Business Guide to "Verify and Never Trust" Security

Because hoping criminals play fair is like expecting your printer to work on deadline day

Right then, let's talk about something that could save your business from digital disaster. When Theresa Payton, who literally protected the President's emails, tells you to "verify and never trust," you should probably listen. And if you think this sounds like paranoid nonsense, congratulations - you're exactly the kind of trusting soul that cybercriminals absolutely love.

The harsh reality? In 2025, your eyes and ears can be fooled by a teenager with a laptop. Deepfakes that would make Hollywood jealous, emails that perfectly mimic your business partner's writing style, and phone calls from "your bank" that sound exactly like your bank. When you can't trust what you see and hear, you need systems that work even when you're being expertly manipulated.

Why This Actually Matters (Spoiler: Money)

Here's the thing - every week, I hear from small business owners who've been had. Not by sophisticated hackers breaking into their networks, but by convincing emails asking for payment details to be "updated urgently." The kind of emails that look so legitimate, even I might fall for them on a bad day after too much coffee.

The average cost of these attacks? About £25,000 for a small business. That's not "oops, we'll tighten up our procedures" money. That's "we might not make payroll this month" money.

Step 1: Build Your Golden Directory (This Week, Seriously)

What it is: A list of real contact details that lives somewhere separate from your email.

Why you need it: Because when someone emails claiming to be your biggest client, you need a way to verify that doesn't involve replying to the potentially dodgy email.

How to do it without going mad:

  • Grab a spreadsheet (yes, a spreadsheet - we're keeping this simple)

  • List every supplier, client, and business partner who could cost you money

  • Include their real phone numbers, verified email addresses, physical addresses

  • Store it somewhere that isn't your email system - OneDrive, Google Drive, even a USB stick in your desk drawer

  • Update it when things change, not six months later when you've forgotten

Pro tip: If you can't be bothered to maintain a spreadsheet, you definitely can't be bothered to recover from a £25,000 fraud. Priorities.

Step 2: The £500 Rule (Non-Negotiable)

Any payment request over £500 gets verified. I don't care if it's marked "URGENT" in red letters with crying face emojis. I don't care if it claims to be from your mother. Five hundred pounds and up gets the full treatment.

The actual process (copy this, print it, stick it on the wall):

  1. Receive payment request

  2. DO NOT reply to the email or call back the number they provide

  3. Look up their real number in your golden directory

  4. Call them back and confirm the request

  5. If they can't confirm it, or you can't reach them, wait

  6. Document everything before you send any money

For amounts over £5,000: Add a 24-hour waiting period unless they're on your pre-approved urgent vendor list (which should be about three companies, maximum).

Common objection: "But what if it really is urgent?"

Reality check: If your business partner's payment process is so broken that they need money transferred within minutes or the world ends, you have bigger problems than cybersecurity.

Step 3: The Passphrase System (Easier Than It Sounds)

Set up secret phrases with your key business contacts. Not their dog's name or favorite football team - something completely random that can't be found on their LinkedIn profile.

Good passphrases: "Coffee needs more widgets" or "Tuesday elephant protocol"

Bad passphrases: "Manchester United rocks" or "Fluffy the cat"

Test these monthly. Make it part of your regular business communications. If your contact can't provide the passphrase, you don't process the request. Simple as that.

Step 4: Decision Trees (Remove Human Stupidity from the Equation)

Here's the uncomfortable truth: when you're being psychologically manipulated by experts, your judgment becomes about as reliable as British weather forecasts. So we remove judgment from the equation entirely.

Payment Request Flowchart:

Email arrives → Amount over £500? → Yes → Call number from golden directory
→ Confirmed? → Yes → On urgent vendor list? → Yes → Process with documentation
→ No at any step? → Escalate to boss

Software Installation Request:

"Can you install this urgent software?" → Is it from approved vendor list?
→ Yes → Follow normal installation procedure
→ No → IT approval required, no exceptions

Make these decisions automatic. When someone's pressuring you to bypass procedures, that pressure is probably the point.
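To show that the payment flowchart really can be made automatic, here is the £500 rule, the £5,000 waiting period and the golden-directory call-back encoded as one decision function. This is an added illustration, not code from the original post; the directory entries, supplier ids and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample golden directory (Step 1): the ONLY contact details the
# procedure will ever call back. In real life this lives outside your mailbox.
GOLDEN_DIRECTORY = {
    "acme-widgets": {"phone": "+44 20 7946 0000", "urgent_vendor": True},
    "bobs-plumbing": {"phone": "+44 20 7946 0001", "urgent_vendor": False},
}

VERIFY_THRESHOLD_GBP = 500    # Step 2: anything above this gets a call-back
HOLD_THRESHOLD_GBP = 5000     # above this: 24-hour wait unless urgent vendor
HOLD_PERIOD = timedelta(hours=24)


@dataclass
class PaymentRequest:
    supplier_id: str          # who the email claims to be from
    amount_gbp: float
    number_in_email: str      # the number the email asks you to call (never used)
    received_at: datetime


def decide(req: PaymentRequest, callback_confirmed: Optional[bool]) -> dict:
    """Apply the payment flowchart. callback_confirmed is the outcome of phoning
    the DIRECTORY number: True = confirmed, False = denied, None = unreachable."""
    if req.amount_gbp <= VERIFY_THRESHOLD_GBP:
        return {"action": "pay", "reason": "at or under verification threshold"}
    entry = GOLDEN_DIRECTORY.get(req.supplier_id)
    if entry is None:
        return {"action": "escalate", "reason": "sender not in golden directory"}
    result = {"call": entry["phone"]}
    if req.number_in_email != entry["phone"]:
        # A mismatch is a classic red flag; we still only ever dial the directory number.
        result["warning"] = "call-back number in email differs from directory"
    if callback_confirmed is None:
        return {**result, "action": "wait", "reason": "could not reach supplier"}
    if not callback_confirmed:
        return {**result, "action": "escalate", "reason": "supplier denied the request"}
    if req.amount_gbp > HOLD_THRESHOLD_GBP and not entry["urgent_vendor"]:
        return {**result, "action": "hold", "reason": "24-hour waiting period",
                "release_at": req.received_at + HOLD_PERIOD}
    return {**result, "action": "pay", "reason": "confirmed by call-back; document it"}
```

Note that the number supplied in the email is never dialled; it only serves to raise a warning when it disagrees with the directory.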

Step 5: Train Your Team (Without Boring Them to Death)

Key training points:

  • Verification isn't rude, it's professional

  • "I need to verify this through our standard procedure" is a complete sentence

  • Management backs these procedures even when they're inconvenient

  • Following procedures is more important than seeming helpful

Practice scenarios: Have someone call pretending to be the CEO requesting urgent payments. See if your staff follow the procedures even when being pressured. If they don't, fix the training, not the staff.

Step 6: Email-Specific Rules (Because Email is Where Most Disasters Start)

Never, ever click "Reply" on payment requests or requests to change banking details. Compose a new email to an address you know is real.

Better yet: Pick up the phone. Amazing how many "urgent" payment requests disappear when you actually try to speak to a human being.

Email warning signs:

  • Unusual urgency about routine requests

  • Requests to bypass normal procedures "just this once"

  • Grammar that's either perfect (AI-generated) or terrible (overseas scammer)

  • Requests that benefit the sender more than you

Common Excuses and Why They're Rubbish

"It slows everything down" Reality: A three-minute phone call is faster than three months of fraud recovery.

"Our clients will think we don't trust them" Reality: Professional clients appreciate businesses that take security seriously. Dodgy ones get annoyed when you make them jump through hoops.

"It's too complicated" Reality: If following a simple checklist is too complicated, running a business might not be for you.

"We're too small to be targeted" Reality: You're not too small to have money, are you? Then you're not too small to be targeted.

What Success Looks Like

You'll know this is working when:

  • Staff automatically verify payment requests without being reminded

  • You catch at least one suspicious request per quarter (if you're not catching any, you're not looking hard enough)

  • Clients comment positively on your security procedures

  • You sleep better knowing your business accounts are protected

The Tools You Actually Need

  • A spreadsheet (free)

  • A phone (you already have one)

  • Basic common sense (surprisingly rare, but usually free)

  • Management commitment to backing the procedures (priceless)

This isn't about buying expensive security software or hiring consultants. It's about implementing systematic skepticism that costs nothing but saves everything.

Beyond the Basics

Once you've mastered verification procedures:

  • Enable multi-factor authentication on all business accounts

  • Regular security training with current examples (not generic presentations from 2019)

  • Apply verification thinking to vendor assessments

  • Consider Cyber Essentials certification to formalize your approach

The Bottom Line

"Verify and never trust" isn't paranoia - it's basic business hygiene in 2025. When teenagers can create convincing deepfakes and AI can write emails that fool executives, trusting your instincts is like bringing a chocolate teapot to a gunfight.

Start with payment verification this week. Your accountant will thank you, your bank manager will thank you, and you'll join the exclusive club of business owners who don't appear in "how I lost £25,000 to an email" case studies.

Remember: In cybersecurity, healthy skepticism is like good insurance - you hope you never need it, but you'll be bloody glad you have it when disaster strikes.

And if someone gets annoyed when you want to verify their identity? That's not a bug in your security system - that's a feature working exactly as intended.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com