Online safety guide for professional installers and small businesses

43% of UK businesses experienced a cyber attack or breach in the past year, according to the UK Government’s Cyber Security Breaches Survey 2025 – with phishing emails and impersonation scams leading the way, and small firms being hit the hardest.

While your day-to-day is all about tools, vans and technical skills, another thing that runs in the background is your online presence.

Quotes, emails, social media accounts, online banking – the way you and your team use the internet can directly affect your reputation, cash flow and customer trust. That’s why it’s so important to stay aware of cyber criminals and the tactics they use.

As daunting as this may seem, there’s an easy way to avoid stolen invoices, fake bank accounts scams, lost access to key accounts, damaged online reputations and ransomware locking your files – and that’s online safety.

This guide is here to help you keep your business running safely.

10-minute baseline (do this first)

• Turn on MFA 2-step verification – for email, banking, social media, accounting and any job platforms.
  
  
• Use a password manager – and change any reused passwords.
  
  
• Back up your information data – quotes, invoices, photos and put them on a cloud drive and an external drive.
  
  
• Update everything – your phone, laptop, apps and router firmware.
  
  
• Create a no bank details changes by email rule.

Email safety

Set up your email properly – use a business email rather than a free webmail for customer/supplier trust. Make sure you have your MFA and recovery options and separate accounts into admin, owner account and your day-to-day accounts.

Know how to spot dodgy emails – always check the following before you click/pay:

• Sender address – is it spelled correctly?
• Tone and urgency of the message
• Links: hover over them when you’re on your desktop – does the link go to where it claims?
• Attachments – anything unexpected like ‘invoice.zip’, ‘html’, ‘iso’, ‘.exe’ – are all high risk

The ‘bank detail change’ rule
Never accept bank details changes from email or WhatsApp alone.

Safe process:

1. Use the phone number you already have on file (not the one in the email/message)
2. Ask them to confirm two details you both already know (last invoice amount and delivery address)
3. Log it – note date/time/name of person who confirmed.

Reduce damage if someone does log in

• Turn on login alerts for your email provider.
• Disable auto-forwarding rules
• Don’t let staff share one inbox password (give them individual logins)

Social media safety

Lock down your accounts with MFA on everything, add 2-3 trusted admins (so you’re not locked out if your phone dies). Review ‘connected apps’ and remove anything you don’t recognise.

What not to post

• Customer address, alarm panels, key safes, access codes
• Vehicle registration and where it’s stored overnight
• ‘Away for a week on a big job in ___’

Watch out for fake surveys and competitions
Scams often appear as surveys, prize draws or special offers that ask for personal details. Before entering or sharing, check the official website directly (don’t click the link), be cautious of pages with low followers or recently created profiles, never provide passwords or full payment details.

Impersonation response plan

If someone does copy your page here’s what to do:

• Post a pinned warning: ‘we never ask for deposits via DMS’
• Report the fake account and get customers to report it too
• Update your website/Google My Business with your official links

Online platforms

For your marketplaces, quoting tools and supplier portals, make sure that you:

• Use unique passwords per platform
• Use MFA and login alerts if available
• Keep company card limits low for online purchases – use virtual cards if your bank supports them
• For supplier accounts: restrict who can add news payees or change delivery addresses

Phones and laptops safety

For the everyday stuff like your phones and laptops, make sure you:

• Turn on screen lock (PIN or biometrics) and autolock for your phone
• Turn on Find My Phone/Device
• Keep work data in work apps (Microsoft/Google) rather than random note apps
• Full-disk encryption on your laptop (often already on by default – make sure it’s enabled)
• Don’t use admin accounts for everyday work
• Avoid plugging unknown USB sticks into your laptop

Wi-Fi and router safety

Home routers are a favourite target because they’re often neglected. To be one step ahead of cyber criminals:

• Change default admin password
• Turn off WPS
• Update router firmware
• Use a guest network for customers/subbies instead of the main network

Customer data safety
Collect only what you need and store it in one place on a company drive and remember to delete old job data on a schedule such as after warranty/contract period.

This may be information such as:

• Addresses
• Alarm codes
• Gate codes
• Key-holder numbers
• Floorplans

Staff, apprentices and subcontractors
Mistakes happen but to help reduce them, you can:

• Give everyone their own login
• Use least privilege – most people don’t require admin access
• Offboard checklist – remove access the same day someone leaves

Staying safe when communicating with VELUX and VCIP

Your security is important to your business and ours.

As part of our commitment to keeping installers safe, it’s important to remember that VELUX and VCIP will never ask for sensitive information, passwords or payment details through unexpected links, emails, texts or social media messages.

If you ever receive a message claiming to be from VELUX or VCIP and something doesn’t feel right – pause for a moment.

Don’t click any links, download attachments or reply directly to the message. Instead, contact your usual VELUX representative or official support channel using the contact details you already have on file.

Taking a moment to verify could prevent financial loss, account compromise or disruption to your work.

If installers are unsure about a message claiming to be from VELUX or VCIP, they should contact their usual VELUX representative or support channel directly. We’re here to support you every step of the way.