Online security


Reduce your charity’s risk of falling victim to hoaxes.

How we help protect you


More often than not, deception is at the root of fraudsters’ attempts to gain access to people's and organisations' systems, data or bank accounts. This guide explores how to spot possible scams and avoid being duped.

Picture the scene. Your charity receives a call from someone claiming to represent your internet service provider. The caller reports a problem with your internet connection and asks for information to help fix it, insisting that unless your organisation provides this information, including bank account details, the problem cannot be resolved. Convinced the call is genuine, the employee who takes it hands over the details demanded in order to restore the internet connection.

This describes an actual case of vishing (voice phishing), in which criminals use a telephone call to persuade victims to hand over confidential details or transfer money. Fortunately, the charity's prompt reporting of the incident and its bank's security measures prevented the fraudster from gaining access to the charity's bank account.

It is an example of a fraud technique known as social engineering, in which a criminal manipulates or deceives an unsuspecting person into disclosing sensitive information by exploiting psychological traits such as deference to authority, curiosity or naivety.


A deception scam is one in which fraudsters approach someone claiming to represent a trusted body, such as a bank, the police, a utility company or a government agency. They try to obtain personal and financial details to use in committing fraud, or to trick people into transferring money to them.

These scams often involve an email (phishing), phone call (vishing) or text message (smishing), reporting a fault or suspicious activity on a customer’s account, or asking for account details to be ‘updated’ or ‘verified’.


Types of deception scams

Specific types of scams include:

  • CEO fraud - A phishing scam in which a criminal spoofs or compromises an organisation's email accounts and impersonates a senior manager. Its aim is to dupe a staff member into making unauthorised payments or passing on confidential financial information.
  • Invoice fraud - An employee is tricked into changing the payee bank account details for a payment. Criminals pose as a supplier to the organisation and request that the supplier's payee details be changed. They may use a combination of methods, such as a phone call followed up with an authentic-looking email or a letter on headed paper.
Spotting a scam: warning signs


Pressure tactics

You receive an unexpected communication asking you to take urgent action to avoid an adverse outcome or to secure a financial benefit.

The source

You do not recognise the caller, the message source or their contact details, or a request from a known contact is unusual or out of character in tone.

The message

You are asked to disclose confidential details; the message is not addressed to you by name; it contains spelling or grammatical errors, suspicious-looking links or unexpected attachments.

Bank account

Your bank alerts you to a new payee, or a change of payee details, that you do not recognise, or unauthorised withdrawals or payments appear on your statement.
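The cues under "The source" and "The message" can be checked mechanically before anyone clicks. The script below is an added example and is not part of this guide or CAF's own tooling: it parses two constructed emails (every name, address and domain is made up and ends in .example) and flags a Reply-To domain that differs from the sender's, a generic greeting instead of your name, urgency language, and links whose visible text shows one website but whose target is another. The phrase lists are illustrative assumptions, not a complete detection rule.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Both messages are constructed for this example; nothing in them is real.
PHISHING_SAMPLE = """\
From: "Charity Bank Security" <alerts@charitybank-secure.example>
Reply-To: support@mailer-relay.example
To: finance@examplecharity.example
Subject: URGENT: suspicious activity on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>We have detected unusual activity. You must verify your account details
within 24 hours or your account will be suspended.</p>
<p><a href="http://login-verify.example/acct">https://www.charitybank.example/login</a></p>
</body></html>
"""

LEGITIMATE_SAMPLE = """\
From: "Alex Smith" <alex.smith@examplecharity.example>
To: finance@examplecharity.example
Subject: Minutes from Tuesday's finance meeting
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jo,</p>
<p>The minutes are on the shared drive:
<a href="https://drive.examplecharity.example/minutes">finance meeting minutes</a>.</p>
</body></html>
"""

# Illustrative phrase lists (assumptions for this example, not an exhaustive rule).
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(address):
    """Mailbox domain, lower-cased; '' if the address has no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host(url):
    """Hostname of a URL or URL-like text, lower-cased, without a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def find_warning_signs(raw_message):
    """Return [(code, detail), ...] for the cues listed above: an inconsistent
    source, no personal greeting, pressure to act, and mismatched links."""
    msg = message_from_string(raw_message, policy=policy.default)
    signs = []

    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        signs.append(("reply_to_mismatch",
                      f"replies go to {reply_domain}, not the sender's domain {from_domain}"))

    html = msg.get_content()
    plain = re.sub(r"<[^>]+>", " ", html).lower()   # crude tag strip for text checks
    haystack = msg.get("Subject", "").lower() + " " + plain

    for greeting in GENERIC_GREETINGS:
        if greeting in plain:
            signs.append(("generic_greeting", f"opens with '{greeting}' rather than your name"))
            break

    found = [p for p in URGENCY_PHRASES if p in haystack]
    if found:
        signs.append(("pressure", "urgency language: " + ", ".join(found)))

    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        # Only compare when the visible text itself claims to be a web address.
        if _looks_like_url(text) and _host(text) != _host(href):
            signs.append(("link_mismatch", f"link text shows {_host(text)} but points to {_host(href)}"))
    return signs


if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        signs = find_warning_signs(sample)
        print(f"{label}: {len(signs)} warning sign(s)")
        for code, detail in signs:
            print(f"  [{code}] {detail}")
```

Run as-is it reports four signs for the constructed phishing message and none for the colleague's note. A clean result is not proof a message is genuine (a well-crafted scam addressed to you by name from a compromised account trips none of these checks), which is why the tips below still require verifying any payment or account request through a channel you already trust.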


Be alert to scams

Top tips

  1. Never share security or login details with anyone. Your bank will never ask for your PIN or full password.
  2. Use strong passwords or passphrases that are difficult to guess, and do not reuse the same password across different websites or services.
  3. Never comply with requests to provide confidential, financial or payment information without verifying the source of the request. Always call back using contact details you already hold for that organisation or those displayed on its official website, never those supplied in the message or by the caller.
  4. Always verify the legitimacy of payment instructions received from senior managers and suppliers, particularly requests to change payee details, and make sure that any colleagues you entrust with payments do the same.
  5. Reconcile transactions with monthly bank statements to check for any discrepancies.
  6. If you are suspicious or feel pressured, reject the request and terminate the call or delete the message.
  7. After hanging up on a suspicious call, use a different phone to make any follow-up call: fraudsters can hold the original line open, so that when you dial your bank you may still be speaking to them.
  8. Never click on links or open attachments in unexpected or suspicious-looking emails, especially from an unknown source.
  9. Encourage a security-aware culture through clear counter-fraud policies and processes, and regular briefings and training for staff and volunteers.
  10. Consider carefully the nature and amount of information about your organisation that is publicly accessible, since fraudsters use it to make their approaches convincing.


CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your organisation’s bank accounts have been exposed to fraud or cyber attack, call our customer service team without delay on 03000 123 456 or email

If you believe your organisation has become a victim of fraud of any kind, please report it to the Action Fraud helpline.


The following links are to external websites offering further coverage of this topic. CAF has not reviewed, does not control and is not responsible for these websites, their content or availability.

Action Fraud - The national fraud and cyber crime reporting centre.

The Charity Commission - How charities can identify fraud risks, recognise fraudulent activity and prevent fraud occurring.

Charity Finance Group - A guide exploring the measures that small charities can take to prevent fraud.

Get Safe Online - Guides to social engineering and common scams.

National Cyber Security Centre - Ten steps to cyber security.