How to spot and avoid banking scams


Keep your organisation’s funds safe and secure. Here are some of the more common banking scams affecting charities, and how to spot them.

Protect your charity’s funds

When it comes to avoiding being duped by banking scams, preparation is vital. Most charities think they’re doing all they can to prevent fraud, but nearly half don’t have effective protections in place*.

Make sure the funds your supporters have so generously given don’t fall into the wrong hands. Simply stay in the know, and build protection measures into your processes. We’ll show you how.

* Source – Preventing charity fraud: insights and action, The Charity Commission

What is a banking scam?

Banking scams, or bank fraud, use deception to gain your trust. The fraudster will typically attempt to persuade you to give away, confirm or change sensitive information, so that they can access your bank account and steal your money.

There are different types of scam – but one in growing use at the moment is the Authorised Push Payment (APP) scam, also known as the bank transfer scam.

Types of bank transfer scam

CEO fraud

This is a phishing scam in which a criminal hacks into an organisation’s email accounts – or ‘spoofs’ one of their email addresses. The targeted employee receives urgent instructions to transfer money to a third-party account. The key detail: the sender's email address looks like it’s from a senior manager or someone in authority, but it’s actually from the fraudster.

Mandate fraud

Disguised as an existing supplier, the scammer gets in touch by email, letter or phone. They ask for Direct Debit, standing order or bank transfer instructions to be changed to their 'new' bank account.

Invoice fraud

Criminals pose as a supplier to your organisation and make a request for their payee details to be changed. Or fraudsters may attempt to trick you into paying for goods or services from a fake company. They may use a combination of contact methods – such as a phone call – followed up with an authentic-looking email or letter on headed paper.

SIM swap fraud

This involves a fraudster tricking your mobile network into transferring your phone number to a new SIM card that they control, so that calls and security codes sent to your number reach them instead of you. If you receive an unexpected text message saying your plan is about to be switched – or that they’re sorry you lost your phone – call your mobile operator immediately. Then call us.

What to look out for

Pressure tactics

A communication comes out of the blue, or an expected invoice arrives which has been intercepted and changed, putting pressure on you to take urgent action. Be suspicious, even if it seems plausible.

Unfamiliar sources

A communication from your usual contact sounds out of character. Or you don’t recognise the contact details of the person at all.

Unusual messages

You’re asked to give confidential details. The message isn’t addressed to you by name. Or it contains errors, suspicious-looking links or attachments.

Bank account changes

Your bank alerts you of a new payee or change of payee details that you don’t recognise. Unauthorised withdrawals or payments may appear on your statement. 

A real customer story

Before making a regular payment, a customer received the expected invoice from the supplier. It contained a request for the payment to be sent to a new bank account. Only when the genuine supplier chased the outstanding payment did the customer spot that the invoice had been sent from a different email address.

Fraudsters had stolen a copy of the supplier’s customer list. They then issued fake invoices from a new email address which imitated the supplier’s address, but with a well-disguised change of spelling.
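The disguised address in this story is something a finance team can check mechanically before an invoice is paid: compare the sender address against the supplier addresses already on file and flag anything that only resembles one. The script below is an added example written for this page; it is not the bank's tooling or part of the original article. It assumes a supplier list held in `KNOWN_SUPPLIERS` (constructed sample entries under the reserved `.example` domain), a small, illustrative set of character substitutions in `canonical()`, and a similarity threshold of 0.8 chosen for demonstration rather than taken from any standard.

```python
import unicodedata
from difflib import SequenceMatcher
from typing import Dict, Optional, Tuple

# Supplier addresses on file (constructed sample data, not a real supplier).
KNOWN_SUPPLIERS: Dict[str, str] = {
    "accounts@acme-supplies.example": "ACME Supplies Ltd",
}

# Domain similarity above which an unrecognised domain is treated as a lookalike
# (assumed threshold for this example; tune it against your own supplier list).
LOOKALIKE_THRESHOLD = 0.8


def normalise(address: str) -> str:
    """Lowercase and Unicode-normalise an address so that visually identical
    forms (full-width letters, mixed case, stray whitespace) compare equal."""
    return unicodedata.normalize("NFKC", address).strip().lower()


def canonical(domain: str) -> str:
    """Collapse substitutions used to disguise a domain: digits that resemble
    letters, letter pairs that resemble a single letter, and punctuation that
    is easy to overlook. The substitution list is illustrative, not complete."""
    folded = domain.translate(str.maketrans("01357", "olest"))
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        folded = folded.replace(pair, single)
    return folded.replace(".", "").replace("-", "").replace("_", "")


def classify_sender(address: str,
                    known: Dict[str, str] = KNOWN_SUPPLIERS) -> Tuple[str, Optional[str]]:
    """Return one of:
      ("known", supplier)        address exactly matches the one on file
      ("same-domain", supplier)  right domain, but a contact not on file
      ("lookalike", supplier)    domain imitates a supplier's domain
      ("unknown", None)          no resemblance to any supplier on file
    Anything other than "known" should be verified by calling the supplier
    back on the contact details already held, never on those in the message."""
    addr = normalise(address)
    if addr in known:
        return "known", known[addr]
    if "@" not in addr:
        return "unknown", None
    domain = addr.rsplit("@", 1)[1]
    best_name, best_ratio = None, 0.0
    for known_addr, name in known.items():
        known_domain = known_addr.rsplit("@", 1)[1]
        if domain == known_domain:
            return "same-domain", name
        if canonical(domain) == canonical(known_domain):
            return "lookalike", name
        ratio = SequenceMatcher(None, domain, known_domain).ratio()
        if ratio > best_ratio:
            best_name, best_ratio = name, ratio
    if best_ratio >= LOOKALIKE_THRESHOLD:
        return "lookalike", best_name
    return "unknown", None


if __name__ == "__main__":
    for sample in ("accounts@acme-supplies.example",
                   "accounts@acme-supp1ies.example",
                   "finance@acme-supplies.example",
                   "billing@totally-different.example"):
        print(sample, "->", classify_sender(sample))
```

The check deliberately reports "same-domain" separately: a message from the right domain but an unfamiliar contact can mean the supplier's own mailbox has been compromised, which is exactly the case a spelling check cannot catch, so it still goes through the call-back procedure.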

Ten tips for fraud prevention

  • 1. Protect your systems and software

    Make sure you keep software updated, and keep your firewall switched on to block any unauthorised access to your systems. Enable multi-factor or two-step authentication on your email system to prevent internal accounts being compromised.

  • 2. Keep devices updated and back up data

    Keep your computers and other devices updated to ensure known security weaknesses are fixed before fraudsters can exploit them. Regular back-ups of key data will allow you to recover your systems and keep operations working, if you are exposed to a ransomware infection.

  • 3. Be smart with passwords

    Use strong passwords or passphrases that are difficult to guess. Never use the same password for more than one account. Don’t ever share a password with anyone, and use two-factor authentication, where available, to protect your accounts. Remember, we will never ask you for your full password or Business card PIN. Read our password dos and don’ts.

  • 4. Encrypt all portable devices

    Make sure all portable devices that store personal, financial or other sensitive data are encrypted. These could include mobile phones, tablets, laptop computers, external hard drives and memory sticks. That way, if your device is lost or stolen, it’s almost impossible for criminals to gain access.

  • 5. Be wary of unusual messages

    Never click on links or open attachments in unexpected screen pop-ups or suspicious-looking emails – especially if you don’t recognise the sender.

    If something doesn’t feel right, delete the message. If it’s a call, simply hang up. If you then want to call us or anyone else to check, use a different phone so you know you have a clear line: fraudsters can stay on the line after you hang up and try to capture your passwords when you make your next call.

  • 6. Check payee requests

    Establish clear financial controls to check and verify every new-payee and change-of-payee request with the supplier, by calling them back on contact details you already hold and have verified, never on details given in the request itself.

  • 7. Question payment instructions

    You or a trustworthy colleague should always check payment instructions from senior managers, other colleagues, suppliers or authorities such as HMRC. Make sure invoices match records or purchase orders on file before authorising a payment. Maintaining a good relationship with your suppliers will help you verify any payment instruction changes.

  • 8. Review and follow your financial controls

    Review your organisation's internal financial controls regularly.

    Whenever you need to change who can access your accounts, let the bank know straight away. Check that any transactions line up with your bank statements every month, so you can spot any unusual activity.

    Make sure that at least two trusted people verify and authorise each payment. These should not include anyone who raised that payment instruction.

  • 9. Check your digital footprint

    Raise your team’s awareness of the dangers of sharing personal or organisation information on social media. Carefully consider the nature and level of information about your organisation that’s freely available online. For example, be wary of sharing dates of birth or information about the systems and types of computers you use.

  • 10. Build security into your processes and culture

    Use fraud policies and processes, internal briefings and training to create a security awareness culture. Make sure staff and volunteers are aware of the latest threats and know how to spot and report suspected fraud. Check they know the security basics, such as keeping login details safe and locking their computer when they’re not using it.
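Tips 6 to 8 describe three controls that a payment process should enforce before money leaves the account: changed payee details must be confirmed by call-back, the invoice must match a purchase order on file, and two people other than the requester must approve. The following is an added example of how those controls can be encoded in a finance system's release step; it is not part of the original page or any bank product. Supplier names, sort codes, account numbers and purchase-order references are constructed sample data, and amounts are held in whole pence to avoid floating-point errors.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# All names, bank details and purchase orders below are constructed sample data.


@dataclass(frozen=True)
class BankDetails:
    sort_code: str
    account_number: str


@dataclass
class PaymentRequest:
    supplier: str                    # supplier name as it appears on the invoice
    details: BankDetails             # bank details the invoice asks to be paid to
    amount_pence: int                # whole pence, never floating point
    purchase_order: Optional[str]    # PO reference quoted on the invoice
    raised_by: str                   # person who entered the payment
    callback_verified: bool = False  # details confirmed by phoning the supplier on known contact details
    approvals: List[str] = field(default_factory=list)


# Supplier bank details on file and open purchase orders (constructed).
PAYEES_ON_FILE: Dict[str, BankDetails] = {
    "ACME Supplies Ltd": BankDetails("12-34-56", "12345678"),
}
PURCHASE_ORDERS: Dict[str, Tuple[str, int]] = {
    "PO-1001": ("ACME Supplies Ltd", 240000),  # £2,400.00
}


def approve(request: PaymentRequest, approver: str) -> Tuple[bool, str]:
    """Tip 8: record an approval. The person who raised the payment may not
    approve it, and the same person may not count twice."""
    if approver == request.raised_by:
        return False, "requester cannot approve their own payment"
    if approver in request.approvals:
        return False, "approver already recorded"
    request.approvals.append(approver)
    return True, "approval recorded"


def release_payment(request: PaymentRequest,
                    payees: Dict[str, BankDetails] = PAYEES_ON_FILE,
                    orders: Dict[str, Tuple[str, int]] = PURCHASE_ORDERS) -> Tuple[bool, str]:
    """Apply the controls in order and return (allowed, reason)."""
    # Tip 6: a payee not on file, or one whose details differ from those on
    # file, may only be paid once the change has been verified by call-back.
    on_file = payees.get(request.supplier)
    if on_file != request.details and not request.callback_verified:
        return False, "new or changed bank details not verified by call-back"
    # Tip 7: the invoice must match a purchase order on file, supplier and amount.
    expected = orders.get(request.purchase_order or "")
    if expected != (request.supplier, request.amount_pence):
        return False, "invoice does not match a purchase order on file"
    # Tip 8: two distinct approvers, neither of whom is the requester
    # (approve() already refuses the requester and duplicates).
    if len(request.approvals) < 2:
        return False, "two approvals required, none from the requester"
    return True, "payment released"


if __name__ == "__main__":
    req = PaymentRequest("ACME Supplies Ltd", BankDetails("12-34-56", "12345678"),
                         240000, "PO-1001", raised_by="alice")
    print(approve(req, "alice"))      # refused: requester
    print(approve(req, "bob"))
    print(approve(req, "carol"))
    print(release_payment(req))       # released
    changed = PaymentRequest("ACME Supplies Ltd", BankDetails("65-43-21", "87654321"),
                             240000, "PO-1001", raised_by="alice", approvals=["bob", "carol"])
    print(release_payment(changed))   # refused until callback_verified is set
```

The `callback_verified` flag is the point where the process meets the people: it should only ever be set by whoever made the call on the number already held for the supplier, and the system should record who set it and when, so that a later review of the controls (tip 8) can see that the call-back actually happened.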

Seen something suspicious?

Find out the best way to report it to us.
