Government statistics* show that one in every five UK charities reported a cyber attack or breach in the previous 12 months. And the most common forms of attack or breach were through fraudulent emails. We’ve produced this guide to help you avoid falling prey.

* Source: Cyber Security Breaches Survey 2019



Scam emails attempt to obtain sensitive information such as usernames, passwords, bank details (and money) by fraudulent means - disguising an electronic communication to look as if it's been sent from a trusted person or organisation.

Also known as 'phishing', these scams can come in many forms. For instance, criminals may impersonate a senior manager by spoofing an organisation’s email accounts, to dupe a staff member into executing unauthorised financial transactions. Some trick employees into making a payment into a fraudster’s account by claiming to be an existing supplier whose payee details have changed.

Charities are just as vulnerable to the threat of scam emails as other organisations, as one of our customers can testify. This charity received an email that appeared to be from an existing supplier, notifying them of a change to the supplier’s payee details and requesting a payment for services provided. As this was a known supplier and the email was from a recognised address, the payee details were changed and payment sent. However, this was a scam by a criminal who had hacked into the supplier’s email account and provided fraudulent bank details.

The scam was discovered when the genuine supplier chased payment. The customer alerted us about the fraudulent payment and we are in the process of attempting to recover the funds from the beneficiary bank.



Anatomy of a scam email

Fraudsters are using increasingly sophisticated techniques to disguise the malicious intent of their scam emails.

Download our infographic to help you spot the tell-tale signs of a fraudulent email.

Online test

Think you are too smart to be scammed?

See how well you can spot simulated fraud attempts. Try out this online test (links to an external website) from Take Five, a government-backed national fraud awareness scheme led by Financial Fraud Action UK, part of UK Finance.


Be alert to scams

Seven top tips

  1. Information requests - Never share your security or login details with anyone. Your bank will never ask for your PIN number or full password for telephone and online banking.
  2. Source checks - Only disclose personal or financial details to service providers you trust and are expecting to be contacted by, and only after checking their legitimacy. Call the organisation using known contact details that you already hold or that are displayed on its corporate website.
  3. Pressure tactics - A genuine bank, trusted supplier or the police will never coerce you into disclosing confidential information or making an urgent payment. If you feel pressured or suspicious, trust your instincts. Reject the request and delete the message.
  4. Links and attachments - Never click on links or open attachments in an unexpected or suspicious-looking email or text message.
  5. Password protection - Use strong passwords that are difficult to guess. Set up a different password for each website, app and service you use.
  6. Authorising payments - Make sure you and/or a trusted colleague check the authenticity of payment instructions received from senior managers and suppliers.
  7. Raising awareness - Encourage a security-conscious culture through counter-fraud measures, robust financial controls, and briefings and training for staff and volunteers.


CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your organisation’s bank accounts have been exposed to fraud or cyber attack, call the CAF Bank customer service team without delay on 03000 123 456 or email scamreporting@cafonline.org

If you believe your organisation has become a victim of fraud of any kind, please report it to the Action Fraud helpline on 0300 123 2040.


The following links are to external websites offering further coverage of this topic. CAF has not reviewed, does not control and is not responsible for these websites, their content or availability.

Action Fraud - The national fraud and cyber crime reporting centre.

The Charity Commission - Guidance on how to spot fraud and the measures you can take to protect your charity against it.

National Cyber Security Centre (NCSC) - How small charities can improve cyber security, quickly, easily and cost-effectively.

Take Five to Stop Fraud - Impartial advice and guidance on how to protect yourself against financial fraud.