Accountants — Is your practice ready for AI-speed attacks on client data?

This week's one story that matters for every UK business owner: three of the country's most powerful financial institutions confirmed that AI has made criminal attacks on small businesses faster, more convincing, and harder to stop — and a second signal tells you that your customers can already check whether your website copy was written by a machine.

Accountants — Is your practice ready for AI-speed attacks on client data?

The FCA, Bank of England, and Treasury published a joint statement this week confirming that AI tools have given criminals the ability to run cyberattacks faster and at greater scale than any skilled human practitioner could manage — and they are putting financial firms on formal notice to respond. For a small practice holding client tax records and personal financial data, your cyber setup from a few years ago may no longer meet the standard regulators expect. Two things worth doing this week: turn on two-step login for every email account your team uses, and call your IT provider to ask directly whether your current setup was designed for AI-speed threats. Your clients won't always ask — but when they do, you want the answer ready.

Trades — Could a fake "update our bank details" email drain your business account this week?

AI is now producing convincing payment-fraud emails at industrial scale — the FCA, Bank of England, and Treasury confirmed this is the specific class of attack hitting small businesses right now. The scam looks like this: a perfectly-worded email from what appears to be your regular materials supplier asks you to update their bank details before your next payment; you do; the money transfers and doesn't come back. The defence is free and takes ten seconds: call your supplier on a number you already hold before you change any payment details, no exceptions, no matter how urgent the email sounds. If you're already using ChatGPT to draft customer quotes or job reports, keep doing it — just build that payment verification step as a non-negotiable rule alongside it.

Retail & Hospitality — Your customers can already check whether your copy was written by AI.

Google is rolling its AI-detection tool directly into Chrome and Search — 50 million checks have already been run, according to Google DeepMind — so a customer reading your menu descriptions, booking page, or "About" section may soon see a label if the text was generated by AI. It is not a legal problem, but customers who discover a "personal note from the owner" was machine-written sometimes mention it in their next review. If you use ChatGPT to write your menu or social captions, add a sentence of your own voice before you publish — it takes a minute and keeps it personal enough that any label becomes irrelevant.

Agencies — Your clients are about to ask questions about AI labels on their deliverables.

Google's SynthID detection is being built into Chrome and Search, meaning your clients' customers can check "was this made with AI?" without leaving their browser. If your agency has been delivering AI-assisted copy, ad scripts, or briefs without telling clients, this week is a good time to add a short "AI-assisted, human-reviewed" line to your standard delivery notes — it protects your reputation and turns a potential awkward conversation into a mark of transparency. The tools (ChatGPT, Claude, Gemini) stay just as useful; what is changing is the expectation around disclosure, not the quality of the work itself.

Professional Services — The regulator just turned cyber resilience into a client-trust question.

The FCA, Bank of England, and Treasury signed a joint statement warning that AI has given attackers capabilities that exceed skilled human hackers — faster, at larger scale, around the clock. For legal practices, consultancies, surveyors, and healthcare practices holding sensitive client data, this is moving from "good to have" to something cautious clients actively check before they sign an engagement letter. Your next step this week: ask your IT provider specifically about AI-speed threat protection, and verify that two-step authentication is switched on across every email account your staff use. A practice that answers the question before a client asks it builds more trust than one that scrambles after the fact.

Manufacturing & Wholesale — Fake supplier invoices are now indistinguishable from real ones. One rule prevents it.

AI-generated payment fraud is now sophisticated enough to fool experienced accounts staff — the FCA, Bank of England, and Treasury confirmed this week that fake payment-update requests are being produced at industrial scale. For a business regularly paying material suppliers or sub-manufacturers, this is the highest-cost single attack your finance team faces today. Add one rule to your payment process: a mandatory call to a known number before any supplier bank details change, no exceptions. Separately, if you haven't tried ChatGPT for drafting supplier negotiation emails or turning a production brief into a purchase order summary, that's worth 20 minutes this week.

Money on the table this week

No significant new grant windows opened this week for most business owners. The one competition to launch is a GOV.UK fund for organisations providing digital support services to court users — relevant only to legal technology providers, not general SMBs. No new Innovate UK manufacturing or retail rounds have been announced, and no new Help to Grow cohort has opened. What remains available and worth asking your accountant about this month: R&D tax credits are still claimable for any small business that spent money developing or improving a product, service, or internal process in the last two financial years. If your business has used AI automation — from automated invoicing to AI-assisted quality checking — that development spend may qualify. This is one of the most consistently unclaimed reliefs for small businesses that have made any technology investment recently; a conversation with your accountant before your year-end costs nothing and often surfaces money already owed to you.

Bottom line

Turn on two-step authentication for your business email today — the FCA has now formally signalled it expects this as a baseline, criminals are already working around businesses that haven't done it, and it takes under five minutes in any email provider's settings.

That's today's briefing. Subscribe free to get this in your inbox every morning.