Welcome to CAF Bank

The bank dedicated to supporting charities and social purpose enterprises. So we understand what you need.


Understanding cyber crime

Online fraud threats evolve all the time. Knowing which warning signs to look for can help keep you and your organisation secure. 

Common types of fraud

In the age of online banking and remote working, the threat of fraud has grown. You no longer need to protect just one computer in your office, but multiple accounts accessing cloud services from many different locations. Scammers are using advanced techniques to get past your security.

Don’t worry, you can help protect your organisation by staying in the know. Here are the common types of fraud and how to spot them. 


Social engineering

Fraudsters will use a range of techniques to trick you into sharing banking information or transferring money – usually over the phone, by text message or email. Often criminals use more than one approach to build a level of trust. These tactics are known as social engineering. 

They can be especially effective because people are generally easier to manipulate than technology. The best way to protect yourself against social engineering is to be aware of the kinds of techniques used. Some of them are very subtle, making them hard to spot.

How to defend yourself

1. Resist pressure

A criminal will try to prompt you into action by creating a sense of urgency or making you feel guilty. Would a senior manager really email you to arrange an emergency payment?

2. Beware of emotion

Social engineers may act emotionally to try and dissuade you from challenging them.

3. Check who you’re talking to

They can often imitate your colleagues, partners, suppliers or friends. If something seems unusual, contact that person yourself using known contact details.

4. Be suspicious of saviours

A fraudster may create a problem for you, then offer to resolve it in exchange for your information or money.

5. Don’t divulge information

If you don’t know who you’re talking to, don’t answer lots of questions. What might seem innocuous can help them collect sensitive data, so be guarded.

Invoice fraud

With more information being shared online all the time, it’s now possible for fraudsters to find out who your suppliers and clients are, then start sending fake invoices.

These attempts can be convincing and can catch the unwary off guard. It often begins with a simple email request to amend payment details for a transaction, from what appears to be a genuine contact.

Read our banking scams guide for tips on spotting and preventing invoice fraud.

Real customer stories

A customer received an email from an existing supplier asking them to send a payment to the supplier’s new bank account. This came from a known email address, so the customer changed the details and made the payment.

In a similar case, after accepting a quotation, another customer was asked to send a part-payment to a different bank account to pay for materials which their supplier had ordered.

In both examples, the reality was that fraudsters had hacked the suppliers’ email accounts and provided fraudulent bank details. The scams were only uncovered when the genuine suppliers requested payment. Unfortunately, the money was long gone by the time the frauds were noticed.

Purchase scams

Using the internet to pay for goods and services is quick and convenient. But making purchases online does come with risks. Learn how to spot a fake website, the questions to ask yourself and steps you can take to avoid being duped.

What is a purchase scam?

A purchase scam is where fraudsters sell goods and services, typically online and at discounted prices, to dupe interested buyers. You are deceived into making a payment for the ordered item which does not exist and will never be delivered.

Look out for these red flags

• The offer looks too good to be true, or has limited availability, urging you to act quickly
• You see the offer advertised on a website, social media or other online marketplace
• You are persuaded to send money before receiving the good or service
• You are asked to pay by bank transfer, rather than by a secure payment method.

Ask yourself these questions

1. Is the offer too good to be true?

Do a little research to check if the advertised deal is fair, when compared to similar goods or services

2. Is the website secure?

Look for a closed padlock and ‘https’ in the website address bar, to check the website connection is secure

3. Is the website genuine?

Is the company name in the URL slightly different to what you would expect? Is the site badly designed, or can you see spelling or grammatical errors?

4. Is the supplier legitimate and credible?

Check Gov.uk to see if it’s a registered company and search online for any warnings or poor reviews about the firm

5. What am I committing to?

Read the supplier’s terms and conditions and privacy notice.

Reduce the risks

1. Use Get Safe Online’s scam website checker tool

to see if a website is likely to be legitimate or fake

2. Never pay by bank transfer

if you don’t know the seller. Use a debit or credit card, secure payment site or other payment method that offers some protection against fraud

3. Never share your bank account or card details

unless you’re sure who you are dealing with

4. Check your bank and card statements

to ensure the correct amount has been debited

5. Provide training

to build a security aware culture among staff and volunteers and ensure everyone understands your fraud prevention policies and processes. 

Malware and spyware

Malware is the common name for malicious software – often installed onto your computer without your knowledge as a way for hackers to access your data. Common symptoms are a slow computer, pop-up messages or being re-directed to malicious web pages. The impact of malware can include disruption to the running of an organisation’s services, theft of information or loss of critical data.

Spyware is a specific type of malware that monitors and logs your activity to steal personal information without you realising.

Read our guide to discover simple tips for safeguarding your organisation’s systems and operations.

Phishing and scam emails

Phishing is when fraudsters send emails embedded with links to websites where you’re asked to provide confidential personal or financial information. These emails can be designed to look legitimate and the website may even look like one you’re familiar with.

A real customer story

An email from a colleague may not always be what it seems. A charity’s Finance Manager received an urgent request from the Finance Director, asking for a large payment to be made on behalf of the Chief Executive. The Finance Director promised to send the paperwork authorising the payment the next day, as he was taking his daughter to hospital and would be unavailable for the rest of the day.

The Finance Director had responded to a phishing email, which gave fraudsters access to his email account. They then used this to send the fraudulent request to the unsuspecting Finance Manager.

How to protect yourself

If you’re in any doubt, don’t reply. Never click on links in an email that you are not expecting or that looks suspicious in any way. The safest action is to get in touch with the company using contact details that you’re sure are genuine.

If you get an email claiming to be from us asking for personal information or your online banking log-in details, forward it straight away to us at scamreporting@cafonline.org

Social media fraud

Social media fraud is any scam or malicious activity in which a fraudster uses social media to steal personal information or money. There are numerous ways social media can be used to commit fraud, and these are constantly evolving and changing. Fraudsters usually impersonate known contacts or legitimate entities such as businesses or official bodies.


How to protect yourself

1. Social media companies offer free privacy checks

use these to ensure you aren’t exposed. These checks can be found in a social media site's 'safety centre'

2. Never buy via social media unless paying through a protected method

always check the PayPal URL and if unsure, consult the app

3. Adjust your privacy settings

make sure that your personal information is private, and previous posts can only be seen by accounts you know

4. Be cautious with your personal social media accounts

consider what information you have shared on social media. Could it be used to cause you harm if a fraudster had access to it?

5. Multi-factor authentication

use an authenticator app or check the security tab of a social media website to set up multi-factor authentication when logging in

6. Consider authenticity

if something is too good to be true, such as a deal or offer, then it probably is. This can be the case with 'celebrity' impersonations, fake sweepstakes, giveaways etc.

Examples of social media fraud

1. Hacking into a social media account

gaining access to a social media account to steal personal information and bank account details. Avoid using obvious or default passwords

2. Phishing

a message is sent containing a harmful link from an account to that account’s ‘friends’. Be wary about clicking on any link in a message, even from someone you know, unless you are expecting it

3. Fake shop or product is created in a social media marketplace

fraudsters use this method to collect payments, bank account details and personal information. 'Too good to be true' or 'limited time offers' are techniques often employed by scammers

4. Information scraping

social media posts and comments on a bank's or other provider's social media pages may hint that you are a customer; fraudsters can use this information as a starting point to attempt to commit fraud

5. Illegitimate apps

fake apps request access to social media as a form of log-in, in order to steal your login details and passwords.


If you think you have been a victim of social media fraud

Our IT security experts advise that you first change your password and second contact the social media provider's support.

Vishing and phone scams

If you receive a phone call from someone asking for your personal information, you’re likely the target of a vishing scam. Normally, the caller will claim to be bank staff, police or someone else in a position of trust.

During the call they will quickly try to convince you to transfer your money to protect it from some other imagined threat. They will typically ask you to withdraw cash and hand it over to the fraudster, or share personal financial information they can use to access your finances.

Another example is the computer takeover scam. A cold caller impersonating a banking, telecoms or internet service provider requests access to your PC or online banking service to help resolve a problem.

You're then asked to visit a website or enter a command on your computer. This gives over control of your computer remotely. From there, the scammer can attempt to capture your bank account details.

How to protect yourself

1. Be wary of unsolicited calls

especially if you’re asked to provide personal information, or to grant access to your computer or software applications.

2. Don’t be afraid to hang up

if you’re suspicious or feel vulnerable, simply end the call. They may stay on the line, so make a call to a colleague to make sure the fraudster isn’t still connected.

3. Watch out for call spoofing

fraudsters can fake the telephone number shown on your caller ID to make it look like a genuine bank telephone number. If you’re suspicious at all, contact us yourself.

4. Never share your details

we will never ask you for your PIN number or full security details over the phone

5. Don’t give out your card

we’ll never send someone to collect your CAF Bank Business card from you.

A real customer story

Our customer received a call from someone claiming to work for their internet provider. The caller claimed there were issues with the customer’s broadband, and asked for some details to fix the issue. This included security details for the customer's online banking accounts. Worried about being disconnected, the customer provided the details over the phone.

After the call, the customer received a text message from CAF Bank to let them know that a new payee had been set up on their account. The customer phoned us to explain the situation and make sure no payment was sent.

Thanks to the customer having text alerts active on their account and contacting us swiftly, this case had a positive outcome.

Always remember that the criminals may already know your name, address, or account sort code – this only means they’ve done their research. If a call sounds suspicious, it probably is.

Seen something suspicious?

Find out the best way to report it to us.


CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.