Do I have to tell my employer I was scammed?

Generally no — unless the scam involved work data, work email, employer-issued device, or the resulting absence triggers HR / Occupational Health processes. If the scam was purely personal and you can continue working normally, your employer doesn't need to know. If you need sick leave for the mental-health impact, the standard self-certification (first 7 days) and GP fit-note (8+ days) routes apply; you do not have to disclose the underlying cause beyond what the fit-note states.

When SHOULD I tell my employer?

Three cases: (1) the scam involved a work account, work device, work email, or work data — your employer has a legitimate need to know for cyber-incident response; tell IT security or HR same-day. (2) The scam involved you being tricked into making a work payment to a fraudulent account (BEC / CEO fraud) — you must report it to your manager immediately; this is a workplace incident not a personal one. (3) You need significant time off (more than 1-2 weeks) — Occupational Health may want context to support a return-to-work plan. In each of these cases your employer has both legitimate need and existing duty-of-care.

What sick-leave rights do I have?

UK statutory minimum: 7 days self-certified absence with Statutory Sick Pay (£116.75/week as of April 2024, paid by employer for up to 28 weeks). Beyond 7 days you need a GP fit-note. Many employers have contractual sick pay schemes (Occupational Sick Pay) more generous than the statutory minimum — check your contract. You can take sick leave for mental-health reasons including post-scam anxiety, depression, or acute stress; these are recognised medical conditions for sick-note purposes. Your GP will not record the cause as 'scam' on the note; the language is 'stress', 'anxiety', 'low mood', etc.

What if the scam happened at work — a BEC or CEO fraud?

Tell your manager and IT immediately — this is a workplace cyber-incident requiring your employer's response. Your employer's insurance, IT response, and bank-recovery process all depend on speed. The standard reporting cycle: notify manager and IT same hour; IT/security raises an incident ticket and contacts the bank; HR is looped in if there are downstream HR issues. You should not be personally blamed for falling for a sophisticated BEC attack — these attacks are designed to defeat trained finance professionals. If your employer's response treats you as the problem rather than the victim, contact ACAS at 0300 123 1100 for free employment advice.

Can I get fired for being scammed at work?

Falling for a sophisticated phishing or BEC attack is generally not gross misconduct (which is what's needed for summary dismissal). If your employer attempts to fire you over a BEC incident: (1) was the attack a sophisticated one designed to defeat trained staff? (Usually yes); (2) was there proper training and tooling in place? (Often not); (3) is your reaction proportionate to the policy and to other incidents the employer has handled? Free employment-law advice from ACAS 0300 123 1100. If unfair dismissal applies, you have 3 months from dismissal date to file an Employment Tribunal claim.

Scam Victim Employment Help — Work, Sick Leave, Disclosure UK 2026

Two different situations

This page covers two distinct scenarios that often get conflated:

Personal scam, work-side impact — you were scammed in your private life; the emotional or financial impact is affecting your ability to work normally. Most common.
Work scam — BEC, CEO fraud, vendor invoice fraud — you were scammed at work; an employer payment or work data is involved. Different rules apply.

Sections below cover each.

Personal scam — your work-side options

You don't have to tell your employer

A personal scam is personal. There's no statutory disclosure requirement. Most UK scam survivors who continue working normally never tell their employer. This is fine.

Sick leave if you need time off

First 7 days: self-certified absence with statutory sick pay (SSP). You don't need to specify the cause beyond "unwell".
Day 8 onwards: GP fit-note. The GP records the medical reason (anxiety, low mood, acute stress) — not "scam".
Mental-health sick leave is medically legitimate. Post-scam anxiety, intrusive thoughts, sleep disruption, depression are recognised conditions for sick-note purposes.
Statutory Sick Pay = £116.75/week as of April 2024, paid by employer. Up to 28 weeks. Many employers offer enhanced Occupational Sick Pay — check your contract.
Universal Credit may top up SSP if your household qualifies.

Telling your manager (if you choose to)

Reasons to consider telling, in increasing order:

You need significant time off and your manager is asking why. A general "I've had a stressful personal incident and my GP signed me off" suffices.
You need a workload accommodation (reduced hours temporarily, flexibility, no client-facing work for a week). Cite the medical impact rather than the cause.
You trust your manager and want emotional support at work. Personal decision.
The scam involved work-time activity (e.g. you took the scam call while working from home; you were targeted via work email used for personal banking). Slight grey area.

Choose the disclosure level you're comfortable with. Telling one trusted manager is materially different from telling HR or your whole team.

Mental-health support at work

Many UK employers offer:

Employee Assistance Programme (EAP) — confidential phone/in-person counselling, free, separate from HR. Often 6 sessions / year. Worth using.
Occupational Health referral — for return-to-work planning after extended leave.
Workplace mental-health first-aiders — informal peer support.
Reasonable adjustments under the Equality Act 2010 if the scam-related anxiety meets the threshold of a disability (long-term, substantial effect on daily activity). Most won't, but some will, especially if the impact lasts more than 12 months.

Work scam — BEC, CEO fraud, vendor invoice fraud

Different category entirely. If the scam involved an employer payment to a fraudulent account, work data exfiltration, or work-account compromise:

Same-hour actions

Tell your manager. Don't delay. The chance of recovery via bank fraud-prevention drops rapidly after the first 60 minutes.
Tell IT security if the company has an internal security team. They can revoke access tokens, scan for further compromise, and contact the bank.
Save all evidence. Email headers, payment confirmation, the scam message, any contact details used. Don't reply to the scammer.
Don't blame yourself. BEC attacks are designed to defeat trained finance professionals. Falling for a sophisticated BEC is the design intent of the criminal, not a personal failing.

Recovery routes for work funds

Your employer will lead the recovery; you support them with evidence and timeline.

Bank fraud team — first 24 hours, possibly recoverable if not yet withdrawn.
Action Fraud / Report Fraud reporting at reportfraud.police.uk — reference number required for insurance.
Employer's cyber-insurance — most large employers have BEC cover; smaller employers often don't but should check.
Solicitor / specialist recovery firm — for larger losses where the employer wants civil action against the criminal infrastructure.

Your employment rights

Falling for a sophisticated BEC attack is generally NOT gross misconduct (which is the threshold for summary dismissal). Reasons an employer's disciplinary response would be problematic:

Was the attack sophisticated? BEC is professional crime; most aren't trivially obvious to spot.
Was there proper training and tooling? Many employers lack BEC-specific training; this weakens any "you should have known better" argument.
Was the response proportionate to other incidents the employer has handled?
Are there mitigating factors (workload, ambiguous instructions, plausible authority signals)?

If you're facing disciplinary action over a BEC incident: ACAS at 0300 123 1100 for free employment advice. If dismissed, you have 3 months from dismissal date to file an Employment Tribunal claim for unfair dismissal.

If you reported the scam and your employer fails to act

Senior management failure to follow incident-response procedure is a separate issue. If your reporting is being suppressed:

Whistleblowing protections — UK Public Interest Disclosure Act 1998 protects employees who report wrongdoing including fraud. Document everything in writing.
Protect Disclosure helpline at protect-advice.org.uk — free whistleblowing advice.
Report to the FCA if the employer is FCA-regulated and the suppressed incident is a regulatory matter.

If you've been signed off long-term

Sometimes scam-related mental-health impact lasts months. Practical steps:

Maintain GP fit-note continuity. Each fit-note covers up to 12 weeks; renewal at GP appointment.
Engage with Occupational Health when invited by employer — they're typically supportive, not adversarial, and their report can secure reasonable adjustments.
Return-to-work plan — phased return (e.g. 50% hours for 4 weeks ramping to full) is common and reasonable.
If long-term absence puts your job at risk — get legal advice. Employees with mental-health impact lasting 12+ months may have Equality Act 2010 disability protection.
SSP runs out after 28 weeks. After that, Universal Credit Limited Capability for Work pathway, Personal Independence Payment (PIP) for ongoing impact, or Employment Support Allowance depending on circumstances.

Employment help after a scam