Tips to protect your Charity against external fraud

Within the Not for Profit (NFP) sector the annual cost of fraud is estimated at over £2.5 billion for 2019. This is expected to have risen significantly in 2020.

Examples of fraud

The following gives examples of some common internal and external frauds to which a charity may be vulnerable:

  • Procurement fraud
  • Abuse of credit card
  • Fake invoice creation
  • Hijacking the bank account
  • Supplier bank details fraudulently changed
  • Diversion of income
  • Creation of “shadow” accounts
  • False fundraising in name of the charity
  • Cheques / cash / donated goods stolen
  • Payroll fraud
  • Creating fictitious employees

This blog focuses on instances and prevention of external fraud, following on from our blog last week on internal fraud.

External fraud

We have focussed heavily on fraud perpetrated from within the organisation so far, as many charity frauds are internal, both in terms of number of incidents and value. However, charities are also as susceptible as any organisation – perhaps more so than many – to external attacks. A couple of common methods are covered below.


Cybercrime can involve hackers gaining access to your system and either holding your data to ransom (the less common case) or, having obtained passwords and login details, carrying out less sophisticated attacks to steal funds. A few simple steps can improve your security and so reduce the threat of falling victim to a cyberattack:

  • Use, and keep up to date, anti-virus software
  • Use a firewall to stop unauthorised access
  • Use strong passwords and use different ones for different accounts
  • Be wary of links and attachments in unsolicited emails
  • Always install software updates
  • Be careful what personal information you publicly share on social media

CEO fraud

CEO fraud occurs when an often junior member of the finance team receives an urgent email, apparently from the CEO of the trust, giving orders to make an immediate transfer to a third-party account.

This may be to a known existing supplier who is reported to have changed their bank details. However, the new account given belongs, of course, to the fraudster. A fake but convincing email account has been used to persuade the staff member that the sender’s identity is genuine.

The apparent sender’s absence from the recipient’s location is crucial, and the apparent sensitivity and urgency of the matter can be enough to ensure that the action is taken. To guard against this:

  • Ensure staff are aware of agreed and approved processes and controls, and of the potential consequences of circumventing them – to the organisation and to them
  • Encourage staff to be sceptical of and alert to anything out of the ordinary, especially where they are being put under pressure to act quickly and need to override processes to do so
  • Provide training to make staff aware of potential forms of attack
  • Ensure there is a clear whistleblowing policy in place and that staff are clear on how they should act, and try to avoid a culture of fear in using it

Where can I go for more information?

Charity Fraud Awareness Week took place this month between 18th-22nd October. The annual event is headed up by The Charity Commission. This year, charities and NFPs are being asked to make a difference by signing the pledge to actively prevent fraud wherever it may occur in their organisation.

For more information about fraud and cyber crime, how to spot and prevent them, and tips on what you can do to protect yourself and your charity, visit the Gov.UK website.

For further advice or tips, get in touch with a member of our Charity and Not for Profit team on 01903 234094.