Payment Dispute Standards and Compliance Council

Menu
  1. Home
  2. Research and Trends

Blog

Micro-Merchant, Macro-Fraud: Why Smaller Merchants Face Growing Threats

Research and Trends

Across the UK, fraudsters are continuously refining their tactics, and small merchants are finding themselves at the centre of the target. Micro-merchants, often defined as those with fewer than ten employees, make up a vast portion of the retail and service landscape. However, they’re far less likely than larger businesses to have dedicated fraud prevention teams or the budget for advanced monitoring tools.

The statistics are sobering. A 2025 Visa survey found that 41% of UK small and medium-sized businesses reported at least one fraud attempt over the past 12 months. The Cyber Security Breaches Survey 2025 estimates around 72,000 incidents of cyber-related fraud across all UK businesses in the last year alone, with the most common loss being about £200 per case, while some incidents resulted in losses averaging closer to £6,000.

For small merchants, a single attack can leave a lasting scar. This is familiar with a family-run wine merchant in Devon who began selling gift vouchers online during lockdown. Within weeks, they processed dozens of £75 orders, only to learn later that the cards were purchased with stolen payment details. By the time the fraud was uncovered, the vouchers had been redeemed, leaving the business thousands of pounds out of pocket. For larger retailers, such losses can be absorbed, but for a micro-merchant, they can be devastating.

How Are Fraud Tactics Evolving to Exploit Smaller Sellers?

Fraudsters rarely repeat the same trick for long. Instead, they evolve rapidly, targeting the weakest defence, and it should come as no surprise that small merchants often present the least resistance.

One particularly damaging method is impersonation fraud, where criminals pose as trusted suppliers, loyal customers, or even colleagues. They use convincing emails, invoices, and phone calls to get merchants to change bank details or approve unusual payments. In 2021, small/medium sized merchants lost £59.2 million to such scams in just six months, according to UK Finance, and the trend has continued since.

Authorised Push Payment (APP) fraud, where a business is tricked into sending funds directly to a fraudster, has been another major threat. While recent rules mean micro-businesses can now receive reimbursements if they act in good faith, criminals are turning to remote purchase fraud, which increased in 2024 despite APP losses declining overall.

Then there’s cyber-facilitated fraud. These often start with a phishing email about a supposed account problem or a hacked login reused across multiple platforms. Once inside, fraudsters can change invoices, change payment recipients, or siphon customer data. For example, in late 2024, a Bristol-based artisan furniture maker had its email account compromised; the attacker intercepted legitimate orders and replaced payment details on invoices, diverting £12,000 in payments before the fraud was detected. Fraud today is not just opportunistic – it’s adaptive. As soon as one channel closes, criminals are on the look-out for another.

Are UK Regulators Closing the Gap for Micro-Merchants?

The good news is that UK regulators are taking steps to protect smaller merchants, although the pace of change doesn’t always match the speed of fraud evolution.

From October 2024, the Payment Systems Regulator (PSR) mandated that victims of APP fraud, including micro-businesses, must be reimbursed if they acted in good faith. This is a major step forward, and ensures that small merchants aren’t left alone to absorb devastating losses.

The government has also proposed giving banks the authority to delay suspicious payments for up to 72 hours. This provides a vital investigation window in cases where urgency is used as a weapon.

Looking ahead, the Financial Conduct Authority (FCA) will tighten payment firm regulations from May 2026. These will include daily checking of customer funds, mandatory isolation of client money, and increased reporting. These measures will aim to protect merchants even if their payment provider experiences financial or operational trouble.

Regulation is still only part of the answer. Policy changes can take years to design and enforce, while fraud tactics can change in weeks. Therefore, for now, the onus remains on merchants to combine compliance awareness with proactive defence.

What Practical Steps Can Small Businesses Take Right Now?

While budgets may be tight, there are affordable, immediate actions micro-merchants can take to create a stronger defence against fraudsters:

  • Educate your team: Even if that’s just you and a weekend assistant, create a routine of verifying any unusual payment requests or bank detail changes through a separate communication channel.
  • Enable strong authentication: Two-factor or multi-factor authentication on all payment, banking, and email accounts drastically reduces the odds of a successful breach.
  • Watch transaction patterns: Many e-commerce and Point-of-Sale (POS) platforms let you set alerts for orders from high-risk countries, unusually large purchases, or multiple orders from the same card in a short time.
  • Stay connected to industry alerts: Organisations like UK Finance and Financial Fraud Action UK offer timely updates and advice tailored to small businesses.
  • Adopt targeted tools: Even modest fraud-detection plugins, address verification systems, or device fingerprinting services can be game-changers for online sellers. Consider the example of a small handmade jewellery shop in Manchester. After losing £1,200 to fraudulent high-value orders, the owner added a fraud-scoring plugin and began manually checking any orders over £150. Within six months, refund-related losses dropped by 60%, and legitimate customer experience was unaffected.

What Back-Up Plans Should Small Merchants Have for When Prevention Fails?

Even the most vigilant merchant can fall victim to a sophisticated scam. That’s why a recovery strategy is just as important as prevention. This could mean securing cyber insurance, having a dedicated contact at your bank’s fraud department, or keeping a contingency fund for operational stability if fraud does strike.

An often-overlooked element is dispute and chargeback management. When a fraudulent transaction leads to a chargeback, inexperienced merchants can lose the payment, the product, and incur additional fees. Some small businesses choose to work with third-party dispute specialists, not as a main fraud prevention measure, but as a safety net. These partners can help recover funds, track recurring fraud patterns, and feed intelligence back into your prevention processes.

It’s not about outsourcing responsibility; it’s about ensuring that when the unexpected happens, you have more than one way to fight back.

How Can Small Merchants Build True Resilience Against Macro-Fraud?

For UK micro-merchants, fraud is not a distant threat – it’s a daily risk which is part of the reality of trading in a digital-first economy. Regulatory protections are improving, but fraud evolves too quickly to rely wholly on compliance. The strongest defence blends three elements: preventive measures, awareness of evolving tactics, and a plan for swift recovery when things go wrong.

The real question for every small merchant is this: If a fraud attempt happened tomorrow, would I recognise it, could I stop it, and if not, could I recover quickly enough to keep trading?


Those who can confidently answer “yes” are the ones most likely not only to survive, but to thrive in this environment. For everyone else, now is the time to strengthen the walls — before the next wave of macro-fraud comes knocking.