
How to spot and avoid banking scams

Keep your organisation’s funds safe and secure. Here are some of the more common banking scams affecting charities, and how to spot them.

Protect your charity’s funds

When it comes to avoiding being duped by banking scams, preparation is vital. Most charities think they’re doing all they can to prevent fraud, but nearly half don’t have effective protections in place*.

Make sure the funds your supporters have so generously given don’t fall into the wrong hands. Simply stay in the know, and build protection measures into your processes. We’ll show you how.

* Source – Preventing charity fraud: insights and action, The Charity Commission

What is a banking scam?

Banking scams, or bank fraud, use deception to gain your trust. The fraudster will typically attempt to persuade you to give away, confirm or change sensitive information, so that they can access your bank account and steal your money.

There are different types of scam – but one that is currently on the rise is the Authorised Push Payment (APP) scam, also known as the bank transfer scam.

Types of bank transfer scam


CEO fraud

This is a phishing scam in which a criminal hacks into an organisation’s email accounts – or ‘spoofs’ one of their email addresses. The targeted employee receives urgent instructions to transfer money to a third-party account. The key detail: the sender's email address looks like it’s from a senior manager or someone in authority, but it’s actually from the fraudster.

Mandate fraud

Disguised as an existing supplier, the scammer gets in touch by email, letter or phone. They ask for Direct Debit, standing order or bank transfer instructions to be changed to their 'new' bank account.

Invoice fraud

Criminals pose as a supplier to your organisation and make a request for their payee details to be changed. Or fraudsters may attempt to trick you into paying for goods or services from a fake company. They may use a combination of contact methods – such as a phone call – followed up with an authentic-looking email or letter on headed paper.

SIM swap fraud

This involves a fraudster tricking your mobile network into transferring your phone number to a new SIM card, owned by them. If you receive an unexpected text message saying your plan is about to be switched – or that they’re sorry you lost your phone – call your mobile operator immediately. Then call us.

What to look out for

Pressure tactics

A communication comes out of the blue, or an expected invoice arrives which has been intercepted and changed, putting pressure on you to take urgent action. Be suspicious, even if it seems plausible.

Unfamiliar sources

A communication from your usual contact sounds out of character. Or you don’t recognise the contact details of the person at all.

Unusual messages

You’re asked to give confidential details. The message isn’t addressed to you by name. Or it contains errors, suspicious-looking links or attachments.

Bank account changes

Your bank alerts you of a new payee or change of payee details that you don’t recognise. Unauthorised withdrawals or payments may appear on your statement. 

A real customer story

Before making a regular payment, a customer received the expected invoice from the supplier. It contained a request for the payment to be sent to a new bank account. Only when the genuine supplier chased the outstanding payment did the customer spot that the invoice had been sent from a different email address.

Fraudsters had stolen a copy of the supplier’s customer list. They then issued fake invoices from a new email address which imitated the supplier’s address, but with a well-disguised change of spelling.
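The customer story above turns on a sender address that imitates a supplier's with a well-disguised change of spelling. As an added example (not code from CAF Bank's page), the Python check below compares the domain of an incoming invoice email against an allowlist of supplier domains you have already verified, folds common look-alike characters (rn/m, 0/o, 1/l) and uses edit distance to flag near-misses, then applies the call-back rule from the tips below: any payee change, or any sender that is not a verified supplier domain, goes on the list for a phone call on known contact details. The supplier domains and invoice records are constructed sample values.

```python
import re

# Constructed allowlist of supplier sender domains previously verified by phone (example values).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northfield-print.example"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_lookalikes(domain: str) -> str:
    """Collapse character swaps that read the same at a glance: rn->m, vv->w, 0->o, 1->l."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d

def classify_sender(sender: str, known=KNOWN_SUPPLIER_DOMAINS, max_dist: int = 2) -> str:
    """Return 'known', 'lookalike' (imitates a known domain but differs) or 'unknown'."""
    m = re.search(r"@([^@\s<>]+)", sender)   # accepts "addr@dom" or "Name <addr@dom>"
    if not m:
        return "unknown"
    domain = m.group(1).lower()
    if domain in known:
        return "known"
    folded = fold_lookalikes(domain)
    for k in known:
        # Equal after folding = homoglyph swap; small edit distance = typo-squat.
        if folded == fold_lookalikes(k) or levenshtein(folded, fold_lookalikes(k)) <= max_dist:
            return "lookalike"
    return "unknown"

def invoices_needing_callback(invoices):
    """Call-back rule: any payee change, or any sender not on the verified supplier list."""
    flagged = []
    for inv in invoices:
        verdict = classify_sender(inv["sender"])
        if inv.get("new_bank_details") or verdict != "known":
            flagged.append((inv["id"], verdict))
    return flagged

# Constructed sample invoice emails (not real data).
SAMPLE_INVOICES = [
    {"id": "INV-1001", "sender": "accounts@acme-supplies.example", "new_bank_details": False},
    {"id": "INV-1002", "sender": "accounts@acme-supp1ies.example", "new_bank_details": True},
    {"id": "INV-1003", "sender": "billing@northfield-prints.example", "new_bank_details": False},
    {"id": "INV-1004", "sender": "billing@northfield-print.example", "new_bank_details": True},
]

if __name__ == "__main__":
    print(invoices_needing_callback(SAMPLE_INVOICES))
```

A "lookalike" verdict is a reason to pick up the phone, not proof of fraud; legitimate suppliers do occasionally change domains, which is exactly why the call-back on known details settles it.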

Ten tips for fraud prevention

Make sure you keep software updated, and keep your firewall switched on to block any unauthorised access to your systems. Enable multi-factor or two-step authentication on your email system to prevent internal accounts being compromised.

Keep your computers and other devices updated to ensure known security weaknesses are fixed before fraudsters can exploit them. Regular back-ups of key data will allow you to recover your systems and keep operations working, if you are exposed to a ransomware infection.

Use strong passwords or passphrases that are difficult to guess. Never reuse a password across accounts. Never share a password with anyone, and use two-factor authentication to protect your accounts wherever it is available. Remember, we will never ask you for your full password or Business card PIN. Read our password dos and don’ts.

Make sure all portable devices that store personal, financial or other sensitive data are encrypted. These could include mobile phones, tablets, laptop computers, external hard drives and memory sticks. That way, if your device is lost or stolen, it’s almost impossible for criminals to gain access.

Never click on links or open attachments in unexpected screen pop-ups or suspicious-looking emails – especially if you don’t recognise the sender.

If something doesn’t feel right, delete the message. If it’s a call, simply hang up. Before you make another call after a suspicious one, use a different phone to make sure you have a clear line – fraudsters will often stay on the line and try to steal your passwords when you call back.

Establish clear financial controls so that every new-payee request and every change of payee details is checked and verified with the supplier, by calling them back on known and verified contact details.

You or a trustworthy colleague should always check payment instructions from senior managers, other colleagues, suppliers or authorities such as HMRC. Make sure invoices match records or purchase orders on file before authorising a payment. Maintaining a good relationship with your suppliers will help you verify any payment instruction changes.

Review your organisation's internal financial controls regularly.

Whenever you need to change who can access your accounts, let the bank know straight away. Check that any transactions line up with your bank statements every month, so you can spot any unusual activity.

Make sure that at least two trusted people verify and authorise each payment. These should not include anyone who raised that payment instruction.

Raise your team’s awareness of the dangers of sharing personal or organisation information on social media. Carefully consider the nature and level of information about your organisation that’s freely available online. For example, be wary of sharing dates of birth or information about the systems and types of computers you use.

Use fraud policies and processes, internal briefings and training to create a security awareness culture. Make sure staff and volunteers are aware of the latest threats and know how to spot and report suspected fraud. Check they know the security basics, such as keeping login details safe and locking their computer when they’re not using it.

Seen something suspicious?

Find out the best way to report it to us.

Useful external resources

These links are a collection of further fraud prevention resources. CAF and CAF Bank are not responsible for the content on the following websites, or their availability. 

Take Five is a national campaign offering simple advice to protect you from fraud.

Explore Take Five’s resources

For charitable organisations in England and Wales. How to spot fraud and protect against it.

Read the Charity Commission’s guidance

For charitable organisations in Scotland. How to reduce the risks for your charity.

Read the Scottish Charity Regulator’s guidance

CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.