We Told Them an Attack Was Coming. They Still Failed.
We ran an informed fraud simulation against a 40-person professional services firm. Their finance team knew tests were coming. Three out of four attack scenarios got through anyway. Here's what happened — and what it tells us about how UK businesses actually handle fraud.
The Setup
A mid-sized UK professional services firm asked us to test their payment controls. We informed their finance team that AI-driven fraud simulations would be run over the following month. They were told to be vigilant and follow their verification procedures.
The problem: they didn't have any written verification procedures. Just an assumption that "the team knows what to do."
What We Sent
Four simulated attacks over three weeks: a supplier bank detail change, a CEO voice impersonation requesting an urgent payment, a payroll redirect request, and a fake new supplier invoice.
Three of the four attacks were actioned without any verification step: no call back to the supplier on a number already held on file, no Confirmation of Payee check, no escalation to a second approver. The fake supplier invoice was processed within 22 minutes of arriving.
Why Awareness Didn't Help
Knowing attacks are coming doesn't fix a missing process. Awareness is an input to judgment, not a control. When there is no written procedure for "what to do when a supplier says they've changed bank details" (call the supplier back on the number already on file, never a number supplied in the request; run a Confirmation of Payee check; get a second sign-off), people fall back on judgment. And under time pressure, judgment defaults to trust.
The finance team were competent, experienced professionals. They weren't careless — they were unsupported. No one had given them a procedure to follow, so they did what felt reasonable. The problem was systemic, not individual.
What We Built
After the test, we delivered a four-page verification procedures manual covering bank detail changes, new supplier onboarding, unusual payment requests, and payroll modifications. Each procedure has specific steps, escalation thresholds, and a sign-off requirement.
The procedures are designed to be practical — not compliance theatre. They tell staff exactly what to do, who to call, and when to escalate. They take minutes to follow, not hours.
In six months we will return and run a covert test, with no warning this time, to see whether the procedures actually stuck.
What This Means for Your Business
If a team that knew testing was coming still failed three of four scenarios, what would happen to your team with no warning at all?
Most UK businesses have no written verification procedures for payment changes. They rely on judgment, trust, and the assumption that "it won't happen to us." But fraud is now the most common crime in England and Wales, and AI has made attacks dramatically more convincing.
The only way to know whether your controls work is to test them. Not with a checklist — with a realistic attack.