TL;DR: Most fraud in Dutch small businesses happens through invoices, payment requests, and vendor changes. Three minimum controls stop it: dual approval on payments above €500, invoice validation before payment, and vendor change verification through known phone numbers. These controls prevent fraud before it happens, not after.
What Controls Prevent Small Business Fraud?
- Dual approval on payments: Two people review and approve payments above €500.
- Invoice validation: Verify the order, receipt, and amount match before paying.
- Vendor change controls: Call the vendor directly through known numbers to confirm any bank account changes.
- Why these work: Fraud enters where verification stops. These controls create structural barriers that catch fraud before money leaves.
Where Does Small Business Fraud Come From?
Most fraud against Dutch small businesses doesn’t come from sophisticated hackers.
It comes through invoices, payment requests, and vendor changes.
The numbers are clear: 67% of Dutch SMEs experienced online fraud in the past 18 months. The damage wasn’t technical. It was structural.
Businesses trusted their processes without building controls into them.
How Does Fraud Enter Small Businesses?
Fraud enters where verification stops.
In most micro and small businesses, one person handles the full payment cycle. They receive the invoice, approve it, process the payment, and record it in the books.
That’s not efficiency. That’s exposure.
The system doesn’t care about your trust in that person. It measures whether fraud happens undetected. If fraud goes undetected, the risk is structural.
Research on fraud against Dutch businesses found that 73% of CEO fraud occurs during summer months. This happens when founders are on holiday and normal verification breaks down.
The fraud wasn’t creative. The controls were simply absent.
Bottom line: Single-person payment cycles create structural fraud risk because no verification step exists to catch errors or theft.
Why Do Expat Founders Miss This?
You’re managing compliance in a second language, navigating Dutch regulations, and running operations simultaneously.
Internal controls feel like bureaucracy you don’t have resources for yet.
Small businesses are slow to implement proper controls, and fraudsters target this weakness. Fraudsters don’t need sophisticated attacks. They need weak structure.
The Dutch Central Bank (DNB) and the Authority for Financial Markets (AFM) enforce strict anti-fraud regulations under the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme). These rules require businesses to maintain internal control measures.
The law doesn’t exempt you because you’re small. It measures whether you have proof of control.
Reality check: Dutch regulations require internal controls regardless of company size. No proof of control means regulatory exposure.
What Do Missing Controls Cost?
The cost isn’t just the stolen amount.
Financial damage: Direct loss from fraudulent payments, plus recovery costs and potential fines for non-compliance with Wwft requirements.
Time cost: Reconstructing what happened, dealing with banks, filing reports with the police. Only 14% of Dutch SMEs report cybercrime incidents because the process is time-intensive.
Control erosion: Once fraud occurs, you lose visibility into what else might be wrong. Trust inside the company fractures.
Regulatory exposure: Authorities don’t examine the fraud alone. They examine whether you had adequate controls in place to prevent it.
One in four European SMEs fear a cyberattack could force them to close their business. That’s not paranoia. That’s the consequence of operating without minimum controls.
Core insight: Fraud costs compound because they include direct loss, recovery expenses, regulatory scrutiny, and internal trust damage.
What Are the Three Minimum Controls?
You don’t need enterprise software or a compliance department.
You need three structural controls that prevent most fraud from entering undetected.
1. Dual Approval on Payments
The control: No payment above €500 gets processed without two people reviewing and approving it.
Why it works: Fraud relies on single points of failure. When two people must verify, collusion becomes necessary. Collusion is exponentially harder than solo fraud.
How to implement: Set your banking system to require two approvals for payments above your threshold. Document who approved what.
This isn’t about distrust. It’s about building a system where mistakes and fraud both get caught early.
Key point: Dual approval eliminates single points of failure and forces collusion, which exponentially reduces fraud risk.
2. Invoice Validation
The control: Before paying any invoice, verify three things:
- Did we order this?
- Did we receive what was ordered?
- Does the amount match the agreement?
Why it works: Most invoice fraud relies on you paying without checking. Fake invoices, inflated amounts, and phantom services all collapse under basic verification.
How to implement: Create a simple log that tracks: order placed, goods/services received, invoice matched, payment approved. One person orders. A different person verifies receipt.
The goal is proof. If you don’t have proof the invoice is legitimate, don’t pay it yet.
Key point: Invoice validation stops fake invoices, inflated amounts, and phantom services by requiring proof before payment.
3. Vendor Change Controls
The control: Any change to vendor payment details requires direct verification through a known phone number, not through email or the number provided in the change request.
Why it works: Email compromise is common. Fraudsters send emails that look like they’re from your supplier, requesting payment to a new account. If you verify through the original contact method, the fraud fails.
How to implement: Maintain a vendor contact list with verified phone numbers. When any payment detail changes, call the vendor’s main switchboard and confirm directly with your usual contact.
Never verify a bank account change using contact information from the change request itself.
Key point: Vendor change controls stop email compromise fraud by requiring verification through pre-established, trusted contact methods.
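The three controls can be combined into one pre-payment check. The sketch below is an added example, not part of the original article or any banking product: the `Vendor` and `Payment` records, the `release_blockers` function, and the sample IBANs, names and phone number are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

DUAL_APPROVAL_THRESHOLD = Decimal("500")  # EUR; the article's threshold

@dataclass
class Vendor:
    name: str
    verified_iban: str  # account last confirmed by phone callback
    known_phone: str    # number on file from before any change request

@dataclass
class Payment:
    vendor: Vendor
    amount: Decimal
    invoice_iban: str                  # account printed on the invoice or request
    ordered_amount: Optional[Decimal]  # agreed amount from the order log; None = no order
    received: bool                     # goods/services confirmed received
    ordered_by: str
    receipt_checked_by: str
    approvers: set = field(default_factory=set)  # set, so one person counts once

def _iban(value: str) -> str:
    return value.replace(" ", "").upper()

def release_blockers(p: Payment) -> list:
    """Return the reasons this payment must not be released (empty list = pay)."""
    blockers = []
    # Control 2: invoice validation (ordered, received, amount matches)
    if p.ordered_amount is None:
        blockers.append("no matching order")
    elif p.amount != p.ordered_amount:
        blockers.append("amount differs from agreement")
    if not p.received:
        blockers.append("receipt not confirmed")
    elif p.receipt_checked_by == p.ordered_by:
        blockers.append("receipt verified by the person who ordered")
    # Control 3: changed bank details are verified via the number on file
    if _iban(p.invoice_iban) != _iban(p.vendor.verified_iban):
        blockers.append(f"bank account changed: call {p.vendor.known_phone}")
    # Control 1: two distinct approvers above the threshold
    if p.amount > DUAL_APPROVAL_THRESHOLD and len(p.approvers) < 2:
        blockers.append("needs two approvers")
    return blockers

# Constructed sample data (not real accounts or numbers)
ACME = Vendor("Acme BV", "NL00 EXMP 0123 4567 89", "+31 20 555 0100")
ok = Payment(ACME, Decimal("1200"), "NL00EXMP0123456789", Decimal("1200"),
             True, "anna", "bram", {"anna", "bram"})
spoofed = Payment(ACME, Decimal("1200"), "NL00FAKE0987654321", Decimal("1200"),
                  True, "anna", "bram", {"anna"})

if __name__ == "__main__":
    for payment in (ok, spoofed):
        print(release_blockers(payment) or "release")
```

The phone number in the blocker message always comes from the vendor record on file, never from the invoice or change request being checked.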
What Do Good Controls Look Like in Practice?
Good internal controls don’t slow you down after the first week.
They create clarity. You know who approved what, you have proof of verification, and you can reconstruct any transaction if questioned.
When the Belastingdienst or your accountant asks for documentation, you produce it immediately. When a supplier disputes a payment, you show the approval trail. When fraud is attempted, your controls catch it before money leaves.
Research shows that vigilant employees are the most effective fraud prevention. But vigilance without structure is hope. Structure gives vigilance something to act on.
Implementation reality: Good controls create documentation trails that enable fast responses to audits, disputes, and fraud attempts.
When Should You Install These Controls?
Fraud isn’t a big-company problem that small businesses ignore.
It’s a structural problem that small businesses are uniquely vulnerable to because they delay building controls.
You don’t need complexity. You need three controls: dual approval, invoice validation, and vendor change verification.
Install them before the first fraudulent payment. Because after that, you’re not building controls. You’re rebuilding trust.
Structure is cheaper than recovery.
Frequently Asked Questions
What is dual approval on payments?
Dual approval means two people review and approve any payment above a set threshold (typically €500). This eliminates single points of failure and forces collusion, which exponentially reduces fraud risk.
How do I verify invoices before payment?
Verify three things before paying: Did we order this? Did we receive what was ordered? Does the amount match the agreement? Create a simple log that tracks order placement, receipt, invoice matching, and payment approval.
What are vendor change controls?
Vendor change controls require direct verification through a known phone number when any vendor payment details change. Never verify bank account changes using contact information from the change request itself.
Do Dutch regulations require internal controls for small businesses?
Yes. The Dutch Central Bank (DNB) and the Authority for Financial Markets (AFM) enforce anti-fraud regulations under the Wwft. The law doesn’t exempt small businesses. It measures whether you have proof of control.
Why do fraudsters target small businesses?
Small businesses are slow to implement proper controls. Fraudsters don’t need sophisticated attacks. They need weak structure. Single-person payment cycles and absent verification processes create easy targets.
What happens if I don’t have internal controls and fraud occurs?
You face direct financial loss, recovery costs, potential Wwft fines, time spent reconstructing events, control erosion, trust fractures, and regulatory examination of whether you had adequate controls in place.
How long does it take to implement these three controls?
Initial setup takes one week. After that, good controls don’t slow you down. They create clarity and documentation trails that enable fast responses to audits, disputes, and fraud attempts.
What percentage of Dutch SMEs experience online fraud?
67% of Dutch SMEs experienced online fraud in the past 18 months. The damage wasn’t technical. It was structural, caused by businesses trusting processes without building controls into them.
Key Takeaways
- Most fraud in Dutch small businesses happens through invoices, payment requests, and vendor changes, not sophisticated hacking.
- Fraud enters where verification stops. Single-person payment cycles create structural fraud risk.
- Three minimum controls prevent most fraud: dual approval on payments above €500, invoice validation before payment, and vendor change verification through known phone numbers.
- Dutch regulations (Wwft) require internal controls regardless of company size. No proof of control means regulatory exposure.
- 67% of Dutch SMEs experienced online fraud in the past 18 months. 73% of CEO fraud occurs during summer months when verification breaks down.
- Fraud costs compound: direct loss, recovery expenses, Wwft fines, regulatory scrutiny, and internal trust damage.
- Structure is cheaper than recovery. Install controls before fraud happens, not after.










