No matter how strong the safeguards are, even the most prepared businesses can find themselves facing a fraud incident. The real test isn’t just how fraud happens, it’s how a company reacts when it does. For small to medium-sized businesses (SMBs), an effective response requires preparation, clarity and action. How leaders manage those first steps often determines how quickly and confidently the business recovers.

In this second installment of our series, Steve Lenderman, isolved’s Head of Fraud Prevention, shares insights into what SMBs should do when fraud is suspected or confirmed. From containing the immediate impact and managing communications to working with financial institutions and law enforcement, we break down the critical steps that help organizations respond quickly and strengthen resilience for the future.

Q.        If a business suspects or detects fraud, what’s the first thing they should do?

Businesses that suspect or detect fraud should take the following steps:

• Secure and Preserve: Isolate affected systems or accounts to prevent further damage. Preserve all evidence, including emails, logs, screenshots, transaction records and communications. Do not delete or alter anything.
• Escalate Internally: Notify your fraud prevention or risk team immediately. If no dedicated team exists, escalate it to senior leadership, IT security and legal. Follow your incident response protocol or initiate one if none exists.
• Begin an Investigation: Conduct a preliminary assessment to understand the scope and impact, as well as to determine if the fraud is internal, external or systemic.
• Report Externally: Where applicable, report the incident to law enforcement, such as local police or federal agencies like the Federal Bureau of Investigation (FBI). If customer data, financial systems or compliance are involved, report to the appropriate regulators. For internet-enabled fraud or cybercrime, file a report with the FBI Internet Crime Complaint Center (IC3).

TIP: Avoid tipping off the suspected fraudster, especially if internal.

Q.        What are the biggest mistakes businesses make in those critical first 24–48 hours after discovering fraud?

Some of the most common mistakes businesses make upon discovering fraud include:

• Delaying Action: Waiting to confirm before escalating can give fraudsters more time to exploit systems or cover their tracks. Suspected fraud should trigger containment protocols immediately.
• Destroying or Altering Evidence: Deleting emails, wiping logs or “cleaning up” systems before a proper investigation can compromise legal and forensic efforts. Preserve everything, even if it seems irrelevant.
• Failing to Communicate Internally: Not informing key stakeholders (e.g., IT, legal, compliance, leadership) slows response and coordination. Delays and a lack of communication can lead to confusion and prevents containment.
• Skipping Root Cause Analysis: Focusing only on the visible loss, like stolen funds, without identifying how the fraud occurred leaves vulnerabilities open. Root cause analysis helps you understand the method, not just the outcome.
• Avoiding External Reporting: Some businesses hesitate to report to law enforcement, regulators or platforms fearing reputational damage. This can backfire legally and operationally.  Reporting to the FBI’s IC3 is especially important for cyber-enabled fraud.
• Neglecting Access Controls: Failing to immediately reset passwords, revoke access or enable multifactor authentication (MFA) can allow continued exploitation. Lock down affected systems and accounts promptly.
• Lack of a Response Plan: Without a fraud response checklist or playbook, teams scramble and make inconsistent decisions. Every business should have a clear protocol for fraud incidents, even small-scale ones.

Q.        How can SMBs communicate with employees without causing panic or reputational harm?

When a fraud incident occurs, the best way to control the narrative is through transparency, composure and clear direction. Acknowledge the situation promptly using factual, measured language that focuses on what’s being done to contain and resolve the issue. For example, “We’ve identified a potential fraud incident affecting [system/team], and our security team is actively investigating.”

Frame the communication as part of a broader effort to strengthen defenses, reinforcing that swift reporting and response reflect a resilient organization. Tailor messaging by audience: reassure frontline staff, give detailed instructions to those involved in the response and equip leadership with strategic talking points for external communication.

Provide clear, actionable next steps, such as resetting passwords, enabling multifactor authentication (MFA) or reporting suspicious activity, and ensure internal and external messages are aligned. Above all, foster trust by focusing on facts, avoiding speculation and encouraging employees to report concerns in a safe, supportive environment.

Q.    How can SMBs work effectively with law enforcement or financial institutions during a fraud investigation?

Start with a clear, documented incident report that includes key facts, like what happened, when the incident occurred, how it was discovered and what systems or data were affected. Attach relevant evidence, such as emails, transaction records, screenshots and logs. Use concise and factual language, as this helps law enforcement and banks act faster.

Quickly engage the proper authorities, including local law enforcement or a cybercrime unit, the FBI IC3 for internet-enabled fraud and notify your financial institution’s fraud department so they might be able to freeze transactions, trace funds or initiate recovery procedures.

TIP: Understand what each authority can and cannot do.

For example, law enforcement may not recover funds but can pursue criminal charges or support broader investigations. By contrast, financial institutions may help with chargebacks, fund recovery or fraud alerts but within appropriate time frames.

To aid the investigation, designate a single point of contact to coordinate with external parties. This ensures consistency and responsiveness to the investigative and forensic teams, as well as avoids confusion among the parties involved. The contact person should be briefed on the incident, informed of what’s been done so far and the timeline of the processes involved.

TIP: If you’re unsure about a request, ask for clarification. For future-proofing, ask for feedback from investigators or fraud teams.

Q.        How can businesses preserve evidence, such as emails, transaction records and communications, without compromising an investigation?

A great rule of thumb in preserving evidence in a fraud investigation is to adopt the mantra of “preserve first, analyze later.” This means that you do not alter, delete or “clean up” any data until forensic experts review it.  Additionally, create read-only backups of emails, logs, transaction records and communications. Store originals securely and work only from duplicates during analysis.

TIP: Avoid opening suspicious files or forwarding fraudulent messages since this can change metadata or trigger malware.

Q.        When is it appropriate to bring in outside legal counsel or forensic experts?

Typically, outside legal counsel is involved when there’s:

• Compromised data
• Potential regulatory exposure
• Uncertainty about disclosure obligations to involved parties
• Attorney-client privilege preservation during internal investigations
• Legal action against fraudsters or negligent parties
• Law enforcement involvement requires specialized guidance

Forensic experts usually get involved when:

• An internal, unbiased investigation is necessary (i.e. Internal fraud suspected)
• Digital systems or platforms require forensic analysis and preservation, tracing, recovering or analyzing affected data or systems
• Lack of in-house expertise to assess the full scope or method of fraud

Q.        How should SMBs handle situations where fraud involves an internal employee?

Handling internal fraud demands discretion and structure so the response protects business integrity and employee trust. Here are some first steps SMBs should take to address internal fraud incidents:

• Revoke the employee’s access to systems, accounts and facilities promptly. Secure emails, transaction logs, communications and device data.

TIP: Avoid confrontation until containment steps are complete.

• Engage human resources (HR), legal and IT security teams to lead a formal investigation. Consider bringing in outside forensic experts for unbiased analysis. Maintain a clear chain of custody for all evidence.
• Consult legal counsel early to verify compliance with employment law, privacy regulations and contractual obligations. Legal advisors can guide disciplinary action, termination and potential prosecution.
• Communicate internally with care by limiting details to need-to-know stakeholders during the investigation.

TIP: Avoid speculation or naming the employee until facts are confirmed.

• Based on findings, determine appropriate consequences, such as suspension, termination, restitution or legal referral. Be sure to document all steps and decisions thoroughly.
• Report to respective authorities and regulators.  Notify regulators if customer data, financial systems or compliance are affected.

Fraud response is as much about leadership as it is about logistics. The moments following an incident test a company’s ability to stay calm, communicate clearly and act decisively. For SMBs, having a plan in place can make recovery faster and more effective. Resilience isn’t built in the moment of crisis; it’s built in the preparation that happened long before. With a thoughtful response strategy and a culture of vigilance, businesses can emerge stronger, smarter and better equipped to face whatever comes next.

To stay in the know about the latest fraud, cyber and security trends, register for the upcoming webinar on December 9—”Inside the Next Wave of Cybercrime: 2026’s Biggest Scams and How to Outsmart Them.”

_{Disclaimer. The information provided herein is for general informational purposes only and is not intended to be legal, investment or tax advice. It is not a substitute for professional legal, investment or tax advice, and you should not rely on it as such. No attorney-client or accountant-client relationship or any other kind of relationship is formed by any use of this information. The effective date of various provisions, amendments, and regulatory guidance may impact eligibility. The accuracy, completeness, correctness or adequacy of the information is not guaranteed, and isolved assumes no responsibility or liability for any errors or omissions in the content. You should consult with an attorney, investment professional or tax professional for advice regarding your specific situation.} 

Print