Fraud prevention


How to spot and protect your organisation from the most common banking scams affecting charities.


Banking scams, such as CEO fraud or mandate fraud, are among the most common types of fraud affecting charities, according to new research [1].

The fraud awareness survey of 3,000 charities found a mismatch between charities' potential exposure to fraud and action taken to strengthen their defences. 85% think they are doing all they can to prevent fraud, but nearly half do not have practical, basic protections in place.

A culture of trust and a lack of fraud awareness training were the most widely cited reasons why charities may be vulnerable to fraud. Only one in ten charities surveyed provide awareness training for staff and three in ten have a whistleblowing policy, which could help to detect internal fraud.

4% of charities surveyed had been affected by fraud in the previous two years. Among those affected, mandate/CEO fraud (18%) and fraud relating to abuse of position (12%) were the most common types of fraud suffered.

This guide will help you spot the tell-tale signs of attempted banking fraud, and offers nine simple but effective tips to reduce the risk of becoming a victim.

[1] Preventing charity fraud: insights and action, The Charity Commission and Fraud Advisory Panel (October 2019)


Banking scams usually use deception to gain someone's trust, before the fraudster persuades the victim to disclose, confirm or change sensitive information. This social engineering technique can occur by phone (vishing), email (phishing), text message (smishing), the web, social media or post.

An increasingly common type of scam is the Authorised Push Payment (APP) scam, also known as a bank transfer scam, in which someone is duped into transferring money from their own or their organisation's bank account to the scammer's account.

You could receive an expected payment request that appears to be genuine. If the request is from a fraudster, impersonating a supplier or someone in authority, the payee's details are likely to have been changed to divert the transferred funds to the criminal's bank account.

To protect yourself against bank transfer scams, always verify any change of bank account details with the payee through your existing, official communication channels, or make a small initial payment and confirm that the intended payee received it before sending the balance.

CEO fraud: Anatomy of a phishing scam

The Finance Director (FD) of a charity delivered a presentation to an international aid conference. Her attendance was promoted in advance on the conference's and the charity's websites, as well as on her own social media network.

On the day of the presentation, the charity received an email claiming to be from the FD. This instructed the finance team to transfer £55,000 to a specified bank account, as part of an urgent aid-funding package agreed that day at the event. The hoax email appeared convincing, containing information about the FD and conference.

The funds were immediately transferred, as requested, but the instruction was later found to be fraudulent. The transferred money was never recovered.

Phishing scams


CEO fraud

A phishing scam in which a criminal spoofs or hacks into an organisation's email accounts. The targeted employee receives urgent instructions to transfer money to a third-party account, with the sender's email address disguised to appear to come from a senior manager or board member.

Mandate fraud

An employee is deceived into changing a regular payment mandate, such as a direct debit, standing order or bank transfer. Disguised as an existing supplier, the scammer makes contact by email, letter or phone, asking for the direct debit, standing order or bank transfer instructions to be amended to their 'new' bank account.


Invoice fraud

The victim is tricked into changing bank account details for a payment. Criminals pose as a supplier to the organisation and make a request for the supplier’s payee details to be changed. They may use a combination of methods, such as a phone call, followed up with an authentic-looking email or letter on headed paper.


Pressure tactics

You receive an unexpected communication asking you to take urgent action, to avoid an adverse outcome or secure a financial benefit.

The source

You do not recognise the caller, message source or their contact details. A request from a known contact is unusual or its tone is out-of-character.

The message

You are asked to disclose confidential details; the message is not addressed to you by name, or it contains errors, suspicious-looking links or attachments.

Bank account

Your bank alerts you of a new payee or change of payee details that you do not recognise. Unauthorised withdrawals or payments appear on your statement.
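The source, message and pressure-tactic signs above are the kind a finance team can check mechanically before acting on any emailed payment instruction. The following is an added example and not code from CAF's guide; the charity's domain, the senior-staff directory and both sample messages are constructed.

```python
# Screen a payment-instruction e-mail for the warning signs listed above.
# Added example, not part of CAF's guide: domain, staff directory and both
# sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org"                           # assumed own domain
SENIOR_STAFF = {"jane doe": "jane.doe@example-charity.org"}  # constructed directory
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential", "transfer")

def screen_payment_email(raw: str) -> list:
    """Return the warning signs triggered by one raw e-mail message."""
    msg = message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # The source: a senior manager's name shown, but not that person's address.
    expected = SENIOR_STAFF.get(name.strip().lower())
    if expected and addr != expected:
        flags.append(f"'{name}' shown but sent from {addr}, not {expected}")
    # The source: replies would be routed away from the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    # The source: a lookalike of the charity's own domain.
    if domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain:
        flags.append(f"lookalike domain {domain}")
    # Pressure tactics: urgency or secrecy wording in the subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        flags.append("pressure wording: " + ", ".join(hits))
    return flags

FRAUD_SAMPLE = """\
From: Jane Doe <jane.doe@example-charity-org.com>
Reply-To: j.doe.fd@mail-example.net
Subject: Urgent funding transfer

Please transfer GBP 12,500 today to the account below. Keep this confidential
until I am back from the conference.
"""

GENUINE_SAMPLE = """\
From: Jane Doe <jane.doe@example-charity.org>
Subject: Monthly management accounts

Hi Sam, please find attached the accounts for review at Thursday's meeting.
"""
```

Running `screen_payment_email` over the two constructed messages returns four warning signs for FRAUD_SAMPLE and an empty list for GENUINE_SAMPLE; a non-empty result is a prompt to verify by phone on known contact details, not proof of fraud.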


Top tips to prevent fraud

Your charity's best defence to avoid falling prey to fraud is you - whether you are a trustee, member of staff or volunteer. Here are nine ways you can protect yourself and your organisation:

1. Use anti-virus software and firewalls

Use anti-virus software and keep it updated, to help prevent your organisation's systems being infected by malicious software (malware).

Make sure your firewall is switched on to block unauthorised access to your systems.

2. Set strong passwords

Use strong passwords that are difficult to guess. Do not use the same password for different websites or services, nor share your passwords with others. Make sure they are changed regularly.

Your bank will never ask for your PIN or full password.

3. Encrypt all portable devices

Control the use of portable devices, such as memory sticks, tablets and laptop computers. Make sure that all portable devices that store personal, financial or other sensitive data are encrypted.

4. Be suspicious of unsolicited messages

Never click on links or open attachments in unexpected or suspicious-looking emails, especially from an unknown source. 

If you are suspicious or feel pressured, reject the request and terminate the call or delete the message.

After hanging up on a suspicious call, use a different phone to make any follow-up or verification call, so you can be sure the line is clear.

5. Verify information requests

Never comply with requests to provide confidential, financial or payment information without verifying the source of the request. Confirm all 'change of payee account' requests with the suppliers themselves.

Always call back using known contact details for that organisation.

6. Check payment instructions

Always ensure that you, or colleagues you entrust, verify the legitimacy of payment instructions received from senior managers, suppliers and authorities such as HMRC.

Make sure that invoices match records or purchase orders on file, before authorising payment.

Notify suppliers when your organisation has made a payment to them.

7. Review and follow your financial controls

Review your organisation's internal financial controls regularly.

Notify your bank straight away whenever you need to change who is authorised to access your accounts. Reconcile transactions with bank statements monthly to check for discrepancies in activity.

8. Check your digital footprint

Consider carefully the nature and level of information about your organisation which is freely available online.

Raise staff's awareness of the dangers of sharing personal or organisation information across digital channels, such as social media networks.

9. Be security aware

Create a security aware culture, through clear counter fraud policies and processes, internal briefings and training for staff and volunteers.

Communicate to staff your organisation's policy on how financial transactions are requested, approved and verified.

Encourage staff and volunteers to be sceptical about unexpected, urgent or confidential requests for money or data. Remind staff of how they should report suspected scams or fraud attempts.


CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your organisation’s CAF Bank accounts have been exposed to fraud or cyber attack, call our customer service team without delay on 03000 123 456 or email

If you believe your organisation has become a victim of fraud of any kind, please report it to the Action Fraud helpline. Scottish charities should report fraud to Police Scotland, by dialling 101 straight away.

Trustees should also read their charity regulator's guidance on how to spot and report a serious incident within their organisation.

If your organisation experiences a personal data breach, refer to the Information Commissioner's Office (ICO) guidance on reporting breaches.


The following links are to external websites offering further coverage of this topic. CAF has not reviewed, does not control and is not responsible for these websites, their content or availability.

Action Fraud

A-Z of fraud - Understand the many different types of fraud that you and your organisation could be exposed to.

The Charity Commission

Tackling charity fraud guide and checklist - How trustees and senior managers can spot the signs of fraud and shape an effective response.

Reporting serious incidents - Guidance for trustees on how to spot and report a serious incident in your charity.

National Cyber Security Centre (NCSC)

Board Toolkit - For trustees and senior managers of larger charities, who want to understand cyber security from a governance standpoint.

Cyber Security: Small Charity Guide and Infographic Summary - How to improve cyber security within your charity, quickly, easily and at low cost.

The Scottish Charity Regulator (OSCR)

Fraud guidance for Scottish charities - How to reduce the risks of fraud affecting your charity.

Reporting a significant event - Guidance for Scottish charities on reporting a notifiable event, such as fraud, to the regulator.
