Be fraud aware


Criminals are exploiting the coronavirus outbreak to scam the unwary. Discover the warning signs of attempted fraud and seven tips to protect yourself.

Since the start of the coronavirus outbreak, UK fraud investigators [1] have received reports of hundreds of coronavirus-related scams and thousands of phishing attempts by criminals looking to exploit people's fears over the pandemic.

Many of these scams trick people into purchasing products and services relating to COVID-19, such as protective face masks, hand sanitiser or testing kits, that are never delivered. Some seek to capitalise on the temporary closure of bank branches by deceiving people into switching to online banking. Another recently reported scam is a fake email soliciting donations to buy medical supplies for the NHS.

Criminals have also seized on the sudden shift to home working to target malicious attacks on remote access and collaboration tools, such as audio and video conferencing services. It is therefore very important to keep the operating software and apps running on home computers and other devices updated.

Fraudsters use a range of communication tactics and methods, including emails (phishing), telephone (vishing) and text messages (smishing), the web and social media. However, there are clear warning signs to look out for and simple steps that you can take to protect yourself and your organisation.

This guide will help you spot scams during the pandemic and shares tips on ways to stay safe and secure. You will also see links to other useful resources. Linking does not imply our endorsement of third party sources.

[1] Fraudsters exploiting Covid-19 fears have scammed £1.6 million, The Guardian (4 April, 2020)


Phishing emails and other hoax electronic communications aim to steal confidential information and assets, such as usernames, passwords, bank details (and money), from you or your organisation.

These communications are disguised to look as if they are from a trusted person or body. Criminals can dupe you into exposing personal or financial information by getting you to click on a harmful link or open a malicious attachment. Doing so could infect your device or systems with a computer virus. This could expose your security and banking details, leading to loss of data or money, or prevent access to your device and network unless you pay a ransom.

Examples of coronavirus-themed phishing scams are:

  • Emails from criminals posing as the World Health Organisation (WHO) and Centers for Disease Control and Prevention (CDC), which provide fake information or claim to be raising donations for medical research
  • Emails impersonating HMRC and other government agencies that say you are entitled to a tax refund
  • Bogus requests from senior people or organisations for an urgent payment to be made. These deceive people into transferring money from their personal or organisation's bank account to the scammer's account
Phishing scams


Purchase scam

This is where a victim pays in advance, on a website, social media network or other online platform, for goods or services that are not received. The criminal seller persuades the purchaser to pay by bank transfer, rather than by a secure payment method. After the payment is transferred, the seller disappears and the order never arrives.

Trust your instincts; if an offer looks too good to be true, it probably is. Always use secure payment options offered by reputable online retailers.

Charity donation fraud

This is when fake charity collectors or fundraisers prey on your goodwill by asking you to make a donation to a charitable cause. They may falsely claim to represent a genuine charity or that their cause was recently set up in response to the COVID-19 pandemic or another topical event.

Never make a donation before checking that a cause is genuine and the fundraiser is authorised to collect money for that charity. You can check registered charities' details on the Charity Commission and OSCR websites, or by using our charity search.

Bank transfer fraud

Also known as an Authorised Push Payment (APP) scam. The victim receives a payment request that appears to be genuine. The criminal who made the request, impersonating a supplier or someone in authority, changes the payee's details to divert the transferred funds to their own bank account.

Always contact the payee through your existing, official communication channels to verify changes of bank account details, or make a small initial payment before transferring the balance.


A scam message from an unknown source, disguised to be from a trusted person or organisation. Spoofing manipulates the phone number, displayed sender's details or a website address to impersonate someone or an organisation you might recognise.

Be suspicious of messages encouraging you to click on links or open attachments, even from people or organisations you know. Look out for the tell-tale signs of a scam message:


Pressure tactics

You receive an unexpected communication asking you to take urgent action, to avoid an adverse outcome or secure a financial benefit.

The source

You do not recognise the caller, message source or their contact details. A request from a known contact is unusual or its tone is out-of-character.

The message

You are asked to disclose confidential details; the message is not addressed to you by name; or it contains errors, suspicious-looking links or attachments.

Bank account

Your bank alerts you to a new payee or change of payee details that you do not recognise. Unauthorised withdrawals or payments appear on your statement.


Here are seven ways you can protect yourself and your organisation:

1. Keep software and apps updated

Protect your computer and devices by keeping operating software, anti-virus software and apps updated. When installing new apps, such as work collaboration tools, it’s much safer to use the official app stores. Check your firewall is switched on to block unauthorised access.

2. Set strong passwords

Use strong passwords that are difficult to guess. Do not use the same password for different websites or services. Change your passwords regularly.

3. Safeguard your personal and financial details

Do not disclose your personal or financial details, or share passwords or other security credentials.

4. Ignore unsolicited communications

Do not respond to unsolicited telephone calls or messages. If we call you, please feel free to call us back on our published numbers.

5. Be suspicious of links and attachments

Do not click on links or attachments until you have validated the source of an email or text message.

6. Verify payment requests

Never comply with requests to transfer money unless you know and trust the person, have checked the payment details are correct and have validated the source of the request using known contact details.

7. If you feel pressured, end the call or delete the message

Remember, neither your bank nor the police will ever ask you to move your money to a safe account, or to divulge your PIN or full password.


CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your organisation’s CAF Bank accounts have been exposed to fraud or cyber attack, call our customer service team without delay on 03000 123 456 or email scamreporting@cafonline.org

If you believe you or your organisation have become a victim of fraud of any kind, please report it to the Action Fraud helpline. In Scotland, you should report fraud to Police Scotland, by dialling 101 straight away.

Trustees should also read their charity regulator's guidance on how to spot and report a serious incident within their organisation.

If your organisation experiences a personal data breach, refer to the Information Commissioner's Office (ICO) guidance on reporting breaches.


Online security

Learn how to protect yourself and your organisation's accounts from falling prey to fraud or cyber crime.

Phishing scams

Phishing scams can defraud charities of funds earmarked to further their mission. Pick up simple tips to help you avoid becoming a victim.

Malware and ransomware

Computer viruses can have a devastating impact on a charity's operations. Reduce the risk of your organisation being infected by harmful software.