Welcome to CAF Bank

The bank dedicated to supporting charities and social purpose enterprises. So we understand what you need.


How to spot and avoid banking scams

Keep your organisation’s funds safe and secure.

Protect your charity’s funds

Fraudsters target charities as payment processes often rely on trust, routine and urgency. Protect your organisation by putting clear checks in place, questioning unusual requests and verifying payment changes before you act. 

You can reduce your risk by staying informed and building fraud checks into your everyday processes. We will guide you through what to look out for and what you can do next. 

What is a banking scam?

Banking scams (also known as bank fraud) rely on deception. Fraudsters work to gain your trust, then try to persuade you to share, confirm or change sensitive information. This can give them access to your bank account and allow them to steal money. 

Scams take many forms, but one that continues to grow is the Authorised Push Payment (APP) scam - also called a bank transfer scam. 

Types of bank transfer scam

CEO fraud

CEO fraud (also known as CEO phishing) is a type of phishing scam. A fraudster pretends to be someone senior or influential, such as your CEO or a trustee, to pressure you into:

  • Transferring money
  • Changing payment details
  • Sharing sensitive information

This scam works because it exploits trust, authority and urgency. Fraudsters often use a realistic-looking email address, or make contact via WhatsApp or other messaging platforms, with convincingly written messages to influence your decision-making. 

Mandate fraud

In mandate fraud, a scammer impersonates a trusted supplier. They contact you by email, letter or phone and ask you to change Direct Debit, standing order or bank transfer details to a ‘new’ bank account, which belongs to them. 

Invoice fraud

Invoice fraud often starts with a fake invoice or a request to pay a new supplier. Fraudsters may use a phone call first, then follow up with an authentic-looking email or letter (sometimes using branded templates or headed paper) to make the request seem genuine. 

SIM swap fraud

In SIM swap fraud, a fraudster deceives your mobile network into moving your phone number to a SIM card they control. This can let them intercept security codes and access accounts. 

If you receive an unexpected text about a plan change or a lost phone, contact your mobile provider immediately, then contact us.

What to look out for

Pressure tactics

Scammers often create urgency. You might receive an unexpected message, or an invoice may arrive that looks familiar, but has been intercepted and changed. If someone pressures you to act quickly, pause and check before you do anything. 

Unfamiliar sources

A genuine contact may sound out of character, or you may not recognise the contact details at all. Treat any unusual change in tone, spelling, email address or phone number as a warning sign. 

 

Unusual messages

Scam messages often:

  • Ask for confidential details
  • Avoid using your name
  • Include spelling errors or unusual wording
  • Contain suspicious links or attachments

If you receive a message claiming to be from us or you are asked to move the conversation elsewhere, it is likely to be a scam. We will never contact you through WhatsApp or ask you to join a video call.

Bank account changes

Your bank may alert you to a new payee or a change in payee details that you do not recognise. You may also notice unexpected withdrawals or payments on your statement. 

A real customer story

Before making a regular payment, a customer received an expected invoice from the supplier. It contained a request for the payment to be sent to a new bank account. Only when the genuine supplier chased the outstanding payment did the customer spot that the invoice had been sent from a different email address. 

Fraudsters had stolen a copy of the supplier’s customer list. They then issued fake invoices from a new email address which imitated the supplier’s address, but with a well-disguised change of spelling. 
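The check this story calls for can be partly automated. The following is an added example, not CAF Bank's own code: it compares the sender address on an incoming invoice with the supplier domains you already hold on file and flags near-miss spellings. The supplier domains, the character substitutions and the 0.85 similarity threshold are constructed assumptions for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: domains already held on file for genuine suppliers.
KNOWN_SUPPLIER_DOMAINS = {"greenfield-supplies.example", "acme-print.example"}

# Characters commonly swapped to disguise a change of spelling (assumed list).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def sender_domain(address):
    """Return the lower-cased domain of a From value, or '' if malformed."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else ""


def classify_sender(address, known=KNOWN_SUPPLIER_DOMAINS, threshold=0.85):
    """Return ('known' | 'lookalike' | 'unknown', matched_domain_or_None)."""
    domain = sender_domain(address)
    if not domain:
        return ("unknown", None)
    if domain in known:
        return ("known", domain)
    for good in sorted(known):
        # Same visual skeleton: digit-for-letter or 'rn'-for-'m' swaps.
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)
        # Close edit distance: transposed, dropped or added characters.
        if SequenceMatcher(None, domain, good).ratio() >= threshold:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ("Accounts <accounts@greenfield-supplies.example>",
                   "Accounts <accounts@greenfie1d-supplies.example>",
                   "billing@acrne-print.example"):
        print(sender, "->", classify_sender(sender))
```

A `lookalike` or `unknown` result is a prompt to call the supplier back on contact details you already hold before any payment details are changed; a `known` result only means the domain matches and does not rule out a compromised mailbox.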

Ten tips for fraud prevention

Make sure you keep software updated, and keep your firewall switched on to block any unauthorised access to your systems. Enable multi-factor or two-step authentication on your email system to prevent internal accounts being compromised.

Keep your computers and other devices updated to ensure known security weaknesses are fixed before fraudsters can exploit them. Regular back-ups of key data will allow you to recover your systems and keep operations working if you are exposed to a ransomware infection.

Use strong passwords or passphrases that are difficult to guess. Never use the same password more than once. Don’t ever share a password with anyone, and use two-factor authentication, if available, to protect your accounts. Remember, we will never ask you for your full password or Business card PIN. Read our password dos and don’ts.

Make sure all portable devices that store personal, financial or other sensitive data are encrypted. These could include mobile phones, tablets, laptop computers, external hard drives and memory sticks. That way, if your device is lost or stolen, it’s almost impossible for criminals to gain access.

Never click on links or open attachments in unexpected screen pop-ups or suspicious-looking emails – especially if you don’t recognise the sender.

If something doesn’t feel right, delete the message. If it’s a call, simply hang up. When hanging up the phone after receiving a suspicious call, use a different phone when making another call to ensure you have a clear line – fraudsters will often stay on the line and try to steal your passwords if you make another call.

Establish clear financial controls to check and verify all new and change of payee requests with suppliers, by calling back using known and verified contact details.

You or a trustworthy colleague should always check payment instructions from senior managers, other colleagues, suppliers or authorities such as HMRC. Make sure invoices match records or purchase orders on file before authorising a payment. Maintaining a good relationship with your suppliers will help you verify any payment instruction changes.

Review your organisation's internal financial controls regularly.

Whenever you need to change who can access your accounts, let the bank know straight away. Check that any transactions line up with your bank statements every month, so you can spot any unusual activity.

Make sure that at least two trusted people verify and authorise each payment. These should not include anyone who raised that payment instruction.

Raise your team’s awareness of the dangers of sharing personal or organisation information on social media. Carefully consider the nature and level of information about your organisation that’s freely available online. For example, be wary of sharing dates of birth or information about the systems and types of computers you use.

Use fraud policies and processes, internal briefings and training to create a security awareness culture. Make sure staff and volunteers are aware of the latest threats and know how to spot and report suspected fraud. Check they know the security basics, such as keeping login details safe and locking their computer when they’re not using it.

Seen something suspicious?

Find out the best way to report it to us.


Useful external resources

These links are a collection of further fraud prevention resources. CAF and CAF Bank are not responsible for the content on the following websites, or their availability. 

Take Five is a national campaign offering simple advice to protect you from fraud.

Explore Take Five’s resources

For charitable organisations in England and Wales. How to spot fraud and protect against it.

Read the Charity Commission’s guidance

For charitable organisations in Scotland. How to reduce the risks for your charity.

Read the Scottish Charity Regulator’s guidance

CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.