Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Today’s SMB cyber lookout: payment diversion scams + remote support tool risk

What small and medium-sized businesses should look out for today.

High Tuesday 30 June 2026, 15:43 UK time
Today’s look-out: Supplier/IT support compromise and payment-change scams (BEC), plus breach-impersonation follow-ons

What to look out for today

Keep an eye out for two practical risks that commonly hit smaller organisations:

  • Payment diversion / “change of bank details” scams (Business Email Compromise – BEC), often timed around invoices, payroll, or urgent supplier payments.
  • Remote support / IT helpdesk tool compromise risk (particularly where an outsourced IT provider or MSP uses a remote support platform). If a support tool is abused, attackers can move quickly across many customer environments.
  • Breach ripple-effect scams after large brand incidents (e.g., insurers): criminals may impersonate the breached organisation or use stolen personal/bank details in follow-on fraud.

Why this matters to smaller businesses

SMEs are targeted because they have regular supplier payments, fewer approval layers, and often rely on third parties (IT support, payroll, finance systems). A single convincing email thread or a compromised support tool can lead to:

  • irreversible bank transfers to criminals
  • account takeover and fraudulent invoice approvals
  • rapid operational disruption if attackers gain remote access via a supplier tool
  • staff being tricked by “we’ve had a breach” phone calls/emails into handing over codes or making payments

Warning signs

  • Bank detail changes requested by email, especially with urgency (“must be paid today”, “new account due to audit”).
  • Small wording changes in email addresses/domains, or replies that look like they’re in an existing thread but feel slightly “off”.
  • Unexpected IT support contact asking to install software, approve a login, or “confirm” MFA codes.
  • New or unusual payment instructions that bypass normal PO/invoice processes.
  • Customer/staff messages claiming a major company breach and pushing you to “verify details”, “claim a refund”, or “secure your account” quickly.

How attackers may exploit the situation

  • BEC playbooks often involve compromised mailboxes, research into who approves payments, and carefully timed requests aligned to real invoices.
  • Abuse of legitimate cloud/SaaS and business services can make malicious activity blend into normal traffic and processes.
  • Remote support tooling: if attackers exploit a weakness in a support platform used by your IT provider, they may gain direct access to endpoints, run actions remotely, or harvest credentials.
  • Brand impersonation after breaches: criminals may use breach news and stolen data to make phone calls/emails more convincing (name, bank details, policy/account context).

What to do today

  • Re-brief finance and admin staff: any change of bank details must be verified using a known-good phone number (from your own records, not the email).
  • Add a “payment change” delay: introduce a mandatory waiting period (e.g., same-day payments require second approval).
  • Lock down mailbox rules: check for suspicious auto-forwarding rules and unusual “inbox rule” changes for finance staff.
  • Confirm your IT support access routes: staff should know exactly how your IT provider contacts you and how remote access is initiated.
  • Prepare a short script for breach-impersonation calls: “We don’t verify details or move payments via inbound calls. We’ll call you back on a known number.”

Ask your IT provider

  • Do you use any remote support tools for our environment? If yes, which ones, and how do you secure admin access (MFA, IP allow-listing, device checks)?
  • Do you have monitoring/alerts for new remote sessions, new admin accounts, or unusual automation activity?
  • If a tool you use is exploited, what is your customer notification and containment process (timelines, actions you’ll take, evidence you’ll provide)?
  • Can you help us implement conditional access and strong MFA for email and finance/admin accounts?

Patch watch - only one short paragraph, and only if relevant

There are reports of active exploitation affecting commonly deployed business platforms and a remote support product (SimpleHelp). If your organisation (or your IT provider) uses remote support tooling or Oracle E‑Business Suite, ask your IT provider today to confirm whether you are exposed and what mitigations/updates have been applied—focus on reducing remote access risk and monitoring for suspicious support sessions.

One action today

Send a 5-minute note to finance/admin staff: no bank detail changes are accepted by email—verify by calling a known number and require a second approver for any same-day payment change.

Related Actions On Cyber resource

Actions On Cyber checklist: Payment change & invoice fraud (BEC) call-back verification process

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.