Why the Insurance Excuse Fails When Cyber Criminals Target UK Small Businesses Cyber criminals often justify their actions with a simple argument: “Businesses have insurance, so nobody is really hurt.” It is a convenient story. It makes fraud feel less like exploitation and more like a cynical business transaction. But the reality in the UK’s small and medium-sized business (SMB) sector tells a very different story. Fraud against businesses is not a harmless transfer of money from one account to another. It causes real financial damage, operational disruption, emotional stress and in some cases the collapse of otherwise healthy companies. This article explores the mindset behind that justification and explains why the “insurance will cover it” argument does not stand up to scrutiny. The Mindset Behind the “It’s Just a Job” Mentality Many online fraudsters frame their activity as a form of remote work rather than criminal behaviour. This psychological distancing is common in financial crime. A scammer targeting businesses might rationalise their actions with arguments such as: Businesses can absorb financial losses Cyber insurance will reimburse stolen funds Large companies exploit people anyway The victim made a mistake, so they are responsible These beliefs allow criminals to mentally detach from the consequences. Dr Elisabeth Carter, criminologist at the University of Kingston who researches fraud networks, explains: “Fraud offenders often rely on techniques of neutralisation. They convince themselves the victim deserves it or will not be seriously harmed. This psychological mechanism allows them to continue offending without confronting the human impact.” Reference:https://www.kingston.ac.uk/research/research-areas/fraud-and-financial-crime/ In reality, these assumptions are largely false when applied to small and medium businesses. Why the Insurance Argument Is Fundamentally Flawed The idea that insurance removes the harm caused by fraud misunderstands how business insurance works. Most UK cyber insurance policies contain strict limits and conditions. They rarely cover the full financial damage. 1. Many Businesses Are Not Fully Insured According to the UK Government’s Cyber Security Breaches Survey, a large proportion of small firms either lack cyber insurance or hold only limited cover. Report:https://www.gov.uk/government/publications/cyber-security-breaches-survey Small businesses often assume their general business insurance includes cyber protection when it does not. 2. Insurance Claims Are Not Guaranteed Even when a policy exists, insurers may refuse payment if: security procedures were not followed staff training requirements were not met payment authorisation rules were bypassed the attack method falls outside policy definitions This leaves companies responsible for the loss. Professor Alan Woodward, cyber security expert at the University of Surrey, notes: “Insurance is not a safety net for poor security practices. Policies typically require businesses to demonstrate reasonable protections. If those controls fail, insurers can decline the claim.” Reference:https://www.surrey.ac.uk/people/alan-woodward 3. Insurance Does Not Cover All Costs Even when a claim is successful, businesses still face significant expenses including: operational downtime forensic investigation costs legal fees regulatory penalties reputational damage higher insurance premiums For small businesses with tight margins, these secondary costs can be devastating. The Real Victims: UK Small and Medium Businesses The stereotype of a wealthy corporation absorbing fraud losses does not match the typical target. Most UK businesses are small firms. According to the UK Department for Business and Trade: 99.9% of UK businesses are SMEs over 5.5 million companies fall into this category Source:https://www.gov.uk/government/statistics/business-population-estimates For these companies, a fraud incident can have serious consequences. Cash Flow Disruption Many scams target immediate bank transfers or invoice payments. Losing tens of thousands of pounds overnight can halt payroll or supplier payments. Operational Shutdown Cyber attacks may lock systems, corrupt files or force networks offline while investigations occur. Personal Financial Impact Unlike large corporations, many SME owners are personally liable for debts and losses. When a small business loses money to fraud, the impact is often felt directly by the owner, employees and local community. The Legal Reality in the United Kingdom Fraud against businesses is a serious criminal offence under UK law. Relevant legislation includes: Fraud Act 2006 Computer Misuse Act 1990 Serious Crime Act 2015 Fraud offences can carry prison sentences of up to 10 years. The National Crime Agency (NCA) and Action Fraud coordinate investigations across the UK. Reference:https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/cyber-crime Cyber criminals often assume they are anonymous online, but digital forensics, international cooperation and financial tracking increasingly lead to arrests. The Ethical Problem With the “Insurance Covers It” Argument Beyond legality, the moral argument also collapses under scrutiny. Insurance does not erase harm. It simply spreads the financial cost across the wider economy. When fraud occurs: insurance premiums increase businesses raise prices consumers ultimately pay the difference Dr Mark Button, Director of the Centre for Cybercrime and Economic Crime at the University of Portsmouth, summarises the wider impact: “Fraud is far from victimless. It creates a ripple effect throughout the economy, increasing costs for businesses, insurers and consumers alike.” Reference:https://www.port.ac.uk/research/research-centres-and-groups/centre-for-cybercrime-and-economic-crime In other words, even when insurance pays, society still absorbs the cost. Why the Justification Ultimately Fails The idea that scamming businesses is acceptable because they have insurance relies on several false assumptions: that businesses are wealthy that insurance always pays that no real harm occurs that the risk of being caught is low Each of these beliefs is contradicted by real-world evidence. Small businesses suffer genuine financial damage from fraud. Insurance rarely covers the full loss, and the economic consequences extend far beyond the initial victim. The “it’s just a job” mindset may help offenders sleep at night, but it does not change the underlying reality. Fraud against businesses is neither victimless nor harmless. It is simply theft carried out through a keyboard rather than a crowbar. Post navigation How Cyber Criminals Try to Make Threat Emails Look Believable