This week, an ex-client accidentally paid us £35,000.
I’ll be honest — there was a brief moment of contemplation. Not a serious one. But a moment.
In line with our values — doing what’s right, not what’s easy — it was returned the same day. They were, as you might imagine, extremely relieved.
But the incident is worth talking about for a different reason, because it highlighted something that a lot of businesses overlook: the security risks that live quietly inside your financial systems.
IT security isn’t just usernames and passwords
When most people think about cyber security, they think about hackers, phishing emails and malware. Those are real threats and they’re worth taking seriously. But there’s another category of risk that’s much closer to home — the kind that lives in your online banking, your payment systems and your financial processes.
Consider the things that typically go unreviewed in a business’s banking setup:
- Old payees — suppliers you no longer use, stored permanently in your banking system
- Cancelled direct debits — payments that should have stopped but sometimes don’t
- Stale user access — team members who’ve left but whose banking access was never removed
- Shared credentials — one login used by multiple people, with no audit trail of who did what
- Unreviewed authorisations — standing orders or payment mandates that nobody remembers setting up
Each of these is a potential route for money to end up somewhere it shouldn’t — accidentally, through error, or deliberately, through fraud or a disgruntled former employee.
The insider risk is real
External cyber attacks get most of the attention. But a significant proportion of financial fraud involving small businesses comes from inside — either from current employees with more access than they need, or from former employees whose access was never properly removed.
It’s not comfortable to think about. But access that isn’t reviewed regularly is access that can be misused. The honest question to ask is: do you know exactly who has access to your financial systems right now, and is that list right?
What a quick banking security review looks like
You don’t need a specialist to do the basics. Set aside an hour and work through the following:
- Log in to your online banking and review the full list of saved payees. Delete any you no longer pay, and look hard at entries that haven't been used in months: a stale payee is exactly how a mis-keyed payment ends up with a former client or supplier.
- Check all active direct debits and standing orders against your current supplier list. Cancel anything that shouldn’t be running.
- Review who has access to your business banking. Remove anyone who has left, and question whether anyone still there has more access than they need.
- Check whether any accounts have shared logins. If possible, give individuals their own credentials so you have a proper audit trail.
- If you use any payment platforms or accounting software with banking integrations, review those access permissions too.
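The same review can be scripted once you can export the lists. The Python below is an added example, not code from the original post: it reconciles constructed exports (a saved-payee list, active mandates and the banking user list) against the business's own supplier and staff lists and prints what should be deleted, cancelled or removed. Every column name and sample row is an assumption; real bank exports differ, and treating a blank owner field as a shared login is a heuristic of this script, not a bank feature.

```python
"""Reconcile exported banking lists against the business's own records.

Added example. All data below is constructed and the column layouts are assumed;
adapt the readers to whatever your bank and accounting package actually export.
"""
import csv
import io
import re
from datetime import date, datetime

# --- Constructed sample exports (invented names, sort codes and accounts) ---
PAYEES_CSV = """name,sort_code,account_number,last_paid
Acme Stationery Ltd,12-34-56,12345678,2024-05-11
Northwind Hosting,65-43-21,87654321,2024-05-19
northwind hosting ,65-43-21,87654321,2022-01-08
Old Client Services,11-22-33,11223344,2022-09-30
"""
SUPPLIERS_CSV = """name,active
Acme Stationery Ltd,yes
Northwind Hosting,yes
Old Client Services,no
"""
MANDATES_CSV = """type,payee,amount,reference
direct_debit,Northwind Hosting,120.00,NWH-0021
standing_order,Old Client Services,450.00,RETAINER
standing_order,Premises Holdings,1200.00,RENT
"""
ACCESS_CSV = """username,person,role,last_login
jsmith,Jane Smith,approver,2024-06-01
accounts,,payments,2024-06-02
bjones,Bob Jones,payments,2023-11-14
"""
STAFF_CSV = """person,status
Jane Smith,current
Bob Jones,left
"""

TODAY = date(2024, 6, 10)  # fixed so the output is reproducible


def rows(text):
    """Parse a CSV export into a list of dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def norm(name):
    """Case- and whitespace-insensitive key, so 'northwind hosting ' matches 'Northwind Hosting'."""
    return re.sub(r"\s+", " ", name.strip()).lower()


def days_since(iso_date, today=TODAY):
    return (today - datetime.strptime(iso_date, "%Y-%m-%d").date()).days


def payee_findings(payees, suppliers, today=TODAY, max_age_days=365):
    """Flag payees that are not active suppliers, have not been paid recently, or duplicate another entry."""
    active = {norm(s["name"]) for s in suppliers if s["active"] == "yes"}
    seen_accounts = {}  # (sort code, account number) -> first payee name seen
    findings = []
    for p in payees:
        acct = (p["sort_code"], p["account_number"])
        if norm(p["name"]) not in active:
            findings.append(("payee", p["name"], "not an active supplier; delete"))
        elif days_since(p["last_paid"], today) > max_age_days:
            findings.append(("payee", p["name"], f"not paid in over {max_age_days} days; delete or confirm"))
        if acct in seen_accounts:
            findings.append(("payee", p["name"], f"duplicate of '{seen_accounts[acct]}' (same account); merge"))
        else:
            seen_accounts[acct] = p["name"]
    return findings


def mandate_findings(mandates, suppliers):
    """Flag direct debits and standing orders whose payee is unknown or no longer an active supplier."""
    status = {norm(s["name"]): s["active"] for s in suppliers}
    findings = []
    for m in mandates:
        st = status.get(norm(m["payee"]))
        if st is None:
            findings.append((m["type"], m["reference"], f"payee '{m['payee']}' not on supplier list; investigate"))
        elif st != "yes":
            findings.append((m["type"], m["reference"], f"payee '{m['payee']}' inactive; cancel"))
    return findings


def access_findings(access, staff, today=TODAY, max_idle_days=90):
    """Flag logins with no named owner (assumed shared), owners who have left, and long-idle accounts."""
    status = {norm(s["person"]): s["status"] for s in staff}
    findings = []
    for a in access:
        person = a["person"].strip()
        if not person:  # heuristic: an unowned login is treated as shared/generic
            findings.append(("access", a["username"], "no named owner: shared login; issue individual credentials"))
        elif status.get(norm(person)) != "current":
            findings.append(("access", a["username"], f"owner '{person}' is not current staff; remove"))
        elif days_since(a["last_login"], today) > max_idle_days:
            findings.append(("access", a["username"], f"idle for over {max_idle_days} days; confirm still needed"))
    return findings


def run_review():
    """Run all three checks over the sample exports and return the combined findings."""
    suppliers = rows(SUPPLIERS_CSV)
    return (payee_findings(rows(PAYEES_CSV), suppliers)
            + mandate_findings(rows(MANDATES_CSV), suppliers)
            + access_findings(rows(ACCESS_CSV), rows(STAFF_CSV)))


if __name__ == "__main__":
    for kind, item, reason in run_review():
        print(f"{kind:15} {item:22} {reason}")
```

Run against the sample data it reports seven items: the inactive and the stale duplicate payee entries, the retainer standing order to an inactive supplier, a rent standing order to a payee that is on no supplier list at all, the unowned "accounts" login and the login belonging to someone who has left. The script only surfaces candidates; each one still needs a human to confirm against an invoice or a known contact before anything is deleted or cancelled.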
It probably takes less time than you’d expect. And the alternative — discovering that money has left your account because of something preventable — is considerably more expensive, in both money and stress.
As for the £35,000
It’s back where it belongs. The former client’s bookkeeper had a very old payee reference in the system that should have been deleted months ago. A simple data entry error sent a payment to the wrong place.
In this case, the money came back without incident. That’s not always how these stories end.
If you’d like to talk about the security risks in your financial systems — or your wider IT and security posture — book a free call. We’re always happy to give an honest assessment.