For small firms, the strongest defence is often a saved check before money moves.
On a Thursday morning, a small online retailer in Breda finds a tempting supplier offer in the inbox. The website looks normal. The prices are sharp, but not absurd. The contact person replies quickly. The first order would help cover a weekend rush. Then one detail starts to itch: the bank account does not match the company name.
The signal has to become readable
That is where the Dutch fraud story now lives. Not only in a server room. Not only in a hacked password. Online fraud pushes trust back to the transaction desk, between the offer, the invoice, the website, the KVK number, the review page and the person who approves the payment.
CBS reported that 16.8 percent of people aged 15 or older were victims of online crime in 2025. Online fraud and scams affected 10.3 percent, up from 9.3 percent in 2023 and 9.7 percent in 2021. Purchase fraud reached 7.9 percent, after 6.9 percent in both 2023 and 2021. CBS defines purchase fraud as paying for online orders that are not delivered.
Hacking moved lower. CBS reported 5.5 percent in 2025, against 6.9 percent in 2021. It also reported that external-attack cyberincidents at companies fell to 4 percent in 2024, from 11 percent in 2016. The pattern points to a shift in pressure. For many small firms, the weak point is not only technology. It is commercial trust without enough proof.
Trust has moved closer to the invoice
Dutch business runs on online contact. CBS reported that 80.4 percent of people aged 12 or older bought something online in the three months before the 2025 survey, and 76.3 percent took part in social networks. In 2024, the Netherlands had the highest EU share of online shoppers among people aged 16 to 75, at 87 percent.
That is not a side market. Small firms buy online, sell online, advertise online, check reviews online and onboard customers online. Fraud can enter through an unfamiliar supplier, a fake webshop, a changed bank account, a borrowed company name, a review score that looks too clean or an urgent payment link.
What the signal changes
KVK put a practical number on the weakness in May 2026. It reported that 55 percent of entrepreneurs do not check a new business relation for a KVK number. One in five say they do not check, or barely check, new business relations. That is not a lack of intelligence. It is the normal speed of small business life, where the owner is also buyer, seller, administrator and complaint desk.
A KVK number check can show within minutes whether a business exists and who sits behind it. KVK also warns that fake websites can look almost the same as real webshops. It advises checking the Handelsregister, registered activities and official contact details, not only the website or invoice. The simple question is useful: if the deal goes wrong later, can the business show what it checked before money moved?
Your own site matters too
Compliance is not only about spotting the other side. A legitimate business also has to make itself checkable. KVK says online sellers must provide details about payment, shipping and returns. Mandatory website information includes the registered company name, KVK number, VAT number, business address, e-mail address, phone number and contact availability.
From 19 June 2026, KVK says online sellers must also have a clear button or link on the website that lets customers cancel an order or service. For a consumer-facing webshop, that is not a decorative extra. It changes the route by which a customer can prove cancellation, and by which the company can show it handled the process properly.
Reviews deserve the same sober treatment. ACM states that both positive and negative online reviews can be fake, and that businesses must explain what they do to ensure reviews are genuine and how they handle reviews and scores. A review page is not only marketing. It is part of the public trust record.
This is where the Breda retailer comes back into view. If her own website shows a clear identity, real contact routes, honest review handling and a visible cancellation path, she looks less like the structures she wants to avoid. Compliance and reputation meet in the same place.
Finance asks for proof
For regulated finance, the pressure is already formal. Rijksoverheid states that institutions covered by the Wwft must carry out customer due diligence and report unusual transactions to FIU-Nederland. That due diligence includes identity, representation authority, ultimate beneficial ownership where relevant, the purpose of the relationship and transaction monitoring.
What founders should check
DNB says Wwft institutions may use electronic identification tools if the tool is sufficiently reliable. The institution remains responsible for compliance. DORA has applied since 17 January 2025 to financial entities in scope. It covers ICT risk management, ICT incidents, digital operational resilience testing, outsourcing risk and cyber threat information sharing. AFM supervision can include investigations, incident handling, registers, licence assessments and document requests.
Most small firms do not sit inside that full financial rulebook. Still, the habits travel through contracts. A payment provider, lender, insurer, platform or regulated client may ask for clearer records: who approved the supplier, how bank details changed, where incident logs are kept, which ICT provider has access and what happens when an online identity does not match the official record.
Small controls protect cash
Purchase fraud hits cash before it becomes a legal discussion. Money leaves, delivery fails, the customer waits, the VAT booking sits in the accounts, and the owner loses time reconstructing what happened. One weak supplier payment can disturb payroll comfort, tax timing or a delivery promise.
The answer does not need to be a thick manual. It needs a few decisions made before the busy moment arrives. For unfamiliar suppliers, a Handelsregister check belongs before the first payment. A bank-account change deserves separate approval. Website identity should be current. Reviews should be explainable. Staff who process orders or payments should know when doubt stops the transaction.
I see this less as paperwork than as memory. A business with good records can tell its own story when a customer complains, an insurer asks questions, a lender reviews risk or a supervisor wants documents. A business without records can only say it trusted what it saw.
The Dutch online market will not become smaller because fraud is harder to read. Customers will keep buying. Firms will keep advertising. Suppliers will keep arriving through e-mail, search and social channels. The practical discipline is to slow down the first payment just enough to leave a trace.
For the retailer in Breda, the least dramatic decision may be the best one: check the KVK data, call through the official contact route, save the evidence and pause the order if the bank account still does not fit. That is not fear. It is the quiet work of making trust defensible.
Sources
Referenced in the article
Column | Human Resources
Dutch Employers Need Clear Rules for AI at Work
UWV figures show fast adoption, but the harder HR question is guidance, trust, and who remains.
Column | Human Resources
The Dutch Leave Management Trap: How Small Employers Inherit Liability They Never Saw Coming
Dutch employers don't get to assume employee vacation days expire.
The Polder is written for readers who need the Dutch business environment translated into practical meaning. Corrections, source policy and editorial accountability are part of the publication record.
