In an era where cybercrime is on the rise, small businesses are being left vulnerable, unsupported, and forced to bear the consequences of sophisticated financial fraud. My name is Hannah Sutch, and I am the founder of EquiPacs Ltd., a small but passionate equine supplement company based in East Sussex, UK. After launching in January 2021, following my furlough during the COVID-19 pandemic, I dedicated my life to building this business from the ground up. However, on February 26th, 2025, my company suffered a major financial blow due to an advanced phishing scam, exposing the deep flaws in our financial and corporate systems that fail to protect small enterprises like mine.
The scam was executed with a level of sophistication that would fool even the most cautious individual. The perpetrator posed as a representative from my business bank, claiming to alert me to fraudulent activity on my account. The caller was calm, professional, and articulate—traits that instilled a false sense of security.
During the call, I was asked to verify suspicious transactions, and, as instructed, I followed steps to ‘secure’ my account, including resetting passwords and reinstalling banking apps. After gaining my trust, the scammer informed me that an unauthorized charge to Trip.com for flights from London to Korea had been attempted. I was advised to decline the charge via my banking app, which I did. Moments later, I received a text message—seemingly from my bank—containing a security code. Without hesitation, I provided the code, believing it was for blocking further unauthorized transactions. In reality, it was the authorization code that enabled the fraudulent payment of £5,607.82 to go through.
Even after the transaction was completed, the scammer continued to manipulate me. They remained on the phone, assuring me that my funds were being recovered and even called me back multiple times, claiming they were arranging a replacement card. The deception escalated when a second scammer, posing as a representative from the Financial Conduct Authority (FCA), contacted me. She insisted that I consolidate all my funds into one checking account due to a supposed identity theft risk. It was only when I paused to research FCA contact protocols that I realized the gravity of the situation—at which point the caller abruptly hung up.
By then, the damage was done.
Within two hours of the fraudulent transaction, my bank was notified. Unfortunately, the funds had already left the account. Trip.com, the recipient of the stolen money, refused to provide details of the fraudulent booking, citing data protection laws. My battle with Trip.com has been relentless, spanning several weeks. Initially, they refused to provide any details about the fraudulent booking, but later, they disclosed that it was a one-ticket return flight from London to Seoul, Korea, which had not yet taken place. At this point, they acknowledged the fraud and indicated there was still time to cancel the booking if I could figure out how to do so.
Discussions progressed to the point where Trip.com provided written confirmation that they would refund the full fraudulent amount, less a £250 cancellation fee—an agreement I accepted. However, within 24 hours, they retracted their offer, stating that the passenger had since taken the flight, and the refund was no longer an option. Shockingly, they shared the full name of the ticket holder with me, a massive breach of security on their part. This written confirmation of fraud acknowledgment, the promise of a refund, and its sudden withdrawal highlights the gross negligence of Trip.com.
To further add insult to injury, they later offered £300 in compensation—an offer I declined as it implicitly admits their fault in all of this but fails to make me whole.
This sum of money represented roughly 50% of my business’s working capital. EquiPacs Ltd. had recently received grant funding of approximately £5,000 to invest in our 2025 growth plan. With this theft, we have lost not just money, but critical opportunities to expand and sustain our business.
Beyond the failure of Trip.com, I have also been deeply disappointed by my own bank’s lack of support. Despite almost five fraudulent transaction attempts within two hours—each around the £5,000 mark and directed toward unrelated businesses such as designer jewellery, travel, and high-end whiskey—my bank never flagged the activity as suspicious.
Even more concerning is an interaction I had with a bank representative the day before the scam. During a routine call about a technical issue, I found the individual I spoke with to be unusually odd. Following the scam, I reported my suspicions that this individual could have been involved, filing a formal complaint. To this day, the complaint has been dismissed without any meaningful investigation. My bank has refused to acknowledge the fraudulent activity, did nothing to recover my funds, and has since closed the matter entirely, leaving me without recourse.
Starting a business is a leap of faith. It’s an all-consuming endeavour, where your job, passion, and livelihood intertwine. The early years are difficult enough without the devastating impact of financial fraud. Small businesses do not have the same security safety nets as large corporations, and when fraud occurs, we are often left without recourse.
Trip.com, a global corporation, has directly profited from a criminal transaction, refusing to take responsibility despite clear evidence of fraud. This sets a dangerous precedent—if companies continue to facilitate fraudulent transactions without accountability, scammers will only grow bolder, and more businesses like mine will suffer.
I am sharing my story because no small business owner should have to endure what I have. The financial sector, government regulators, and large corporations must do better in protecting individuals and small businesses from cybercrime. There needs to be stronger policies in place to prevent companies from profiting from fraud, and a more efficient, transparent process for victims to reclaim their stolen funds.
I urge news agencies, financial institutions, and business advocates to shed light on these predatory scams. Let this be a warning to other entrepreneurs—stay vigilant, question everything, and demand better protection for small businesses. If this could happen to me, it could happen to anyone.
Together, we can push for change. Small businesses are the backbone of our economy—let’s ensure they have the support and protection they need to survive and thrive.