Guidance

Protect your charity from fraud and cyber crime

Information about fraud and cyber crime, how to spot it and what you can do to protect against it.

How to report fraud

If your charity has been the victim of fraud, it’s important to report it to the relevant authorities. Reporting can help you access essential advice to get your charity back on track, and it also helps build a clearer picture of the scale of fraud affecting the wider sector.

You should report attempted or actual fraud to Action Fraud.

Action Fraud is a national reporting centre specifically for reporting frauds and has an online fraud reporting service, available 24 hours a day. The website includes an A to Z of fraud types.

For essential advice on why, what and how to report fraud incidents to the Charity Commission, read our guidance on how to report a serious incident in your charity.

Infographic: top tips for responding to fraud when things go wrong

Text version of the infographic: top tips for responding to fraud when things go wrong

If in doubt, take action and report it.

Act quickly. This will minimise harm done and maximise your legal options.

Do not panic, stay calm and follow procedure (wherever you can).

Find out in advance who needs to be informed (both inside and outside the charity).

Have a ‘fraud response plan’ ready so that everyone knows what to do and when.

Take steps to preserve evidence. You may need this for investigative or legal proceedings.

Seek professional legal advice, especially if you think you might take action in the civil courts.

Report serious incidents to the Charity Commission.

Read the full guide ‘Tackling fraud in the charity sector’.

Tackling charity fraud: 8 guiding principles

This document is a one-page summary of the 8 guiding principles for tackling charity fraud (PDF, 956KB, 1 page).

Text version of the 8 guiding principles

  1. Fraud will always happen – simply being a charity is no defence. Even the best-prepared organisations cannot prevent all fraud. Charities are no less likely to be targeted than organisations in the private or public sector. Fraudsters do not give a free pass to charitable activities.

  2. Fraud threats change constantly. Fraud evolves continually, and faster, thanks to digital technology. Charities need to be alert, agile and able to adapt their defences quickly and appropriately.

  3. Prevention is (far) better than cure. Financial loss and reputational damage can be reduced by effective prevention. It is far more cost-effective to prevent fraud than to investigate it and remedy the damage done.

  4. Trust is exploited by fraudsters. Charities rely on trust and goodwill, which fraudsters try to exploit. A strong counter-fraud culture should be developed to encourage the robust use of fraud prevention controls and a willingness to challenge unusual activities and behaviour.

  5. Discovering fraud is a good thing. The first step in fighting fraud is to find it. This requires charities to talk openly and honestly about fraud. When charities do not do this the only people who benefit are the fraudsters themselves.

  6. Report every individual fraud. The timely reporting of fraud to police, regulators and other agencies is fundamental to strengthening the resilience of individual charities and the sector as a whole.

  7. Anti-fraud responses should be proportionate to the charity’s size, activities and fraud risks. The vital first step in fighting fraud is to implement robust financial controls and get everyone in the charity to sign up to them.

  8. Fighting fraud is a job for everyone. Everybody involved – trustees, managers, employees, volunteers, beneficiaries – has a part to play in fighting fraud. Trustees in particular should manage fraud risks actively to satisfy themselves that the necessary counter-fraud arrangements are in place and working properly.

How to protect against different types of fraud

Fraud is a serious problem that you can’t afford to ignore. Charities can, and should, do more to be fraud-aware. Fraud poses a serious risk to valuable funds and sensitive data, and can damage the good reputation of charities, affecting public trust and confidence in the sector as a whole.

Charity trustees have a duty to manage their charity’s resources responsibly and ensure that funds are protected, applied and accounted for.

With a total annual income of over £69 billion, the charity sector is vulnerable to fraud and financial crime. It’s essential that trustees put in place suitable counter-fraud measures – even small changes can help protect charities from harm.

It’s vital that all money given to charities is used for legitimate and lawful purposes.

Insider fraud

Fraud can come from internal sources (insider fraud), for example by employees and volunteers, or from external sources such as fake emails set up by hoaxers.

You can find out more about preventing insider fraud in this e-learning video on the Fraud Advisory Panel website.

We have also published a research report about insider fraud and how it is affecting charities. The report includes wider lessons, case studies and tips to help you prevent insider fraud.

Financial fraud

Fraud and financial crime are among the most common types of abuse affecting charities. These are highlighted in our tackling abuse and mismanagement reports.

Charity trustees can avoid basic mistakes and make sure their charity is well protected by:

Some charities, such as shops or trading outlets, have a higher risk of financial loss or falling victim to fraud, due to the nature of their activities.

If your charity relies upon cash-based fundraising, it may be more vulnerable to opportunist and organised fraudsters. For advice on protecting your charity from fraud and financial crime, see Chapter 3 of the Compliance Toolkit.

Charities should take a proactive approach to reducing fraud risk by following best practice advice and practical tips, such as those outlined in Charity Finance Group’s Countering Fraud Manual (PDF, 858KB, 35 pages).

The Fraud Advisory Panel website has useful e-learning videos to help you prevent:

Counter fraud best practice: templates for charity trustees

We have developed a range of best-practice templates for you to use when protecting your charity against fraud. All of the following can be adapted to suit the needs of your charity:

Anti Fraud and Corruption Policy (ODT, 32.3KB)

Anti fraud policy 1 (ODT, 16.3KB)

Anti fraud policy 2 (ODT, 13KB)

Fraud investigation plan (ODT, 14.8KB)

Quick guide to investigative interviews (ODT, 19KB)

Terms of Reference for investigations (ODT, 16.8KB)

Whistleblowing policy template (ODT, 13.2KB)

Counter fraud questions trustees should ask

Do we:

  • understand what fraud is and what our responsibilities are?
  • understand our financial systems and data, and what ‘normal’ looks like?
  • encourage staff and volunteers to voice concerns?
  • run process test checks and observe jobs in action?
  • promote fraud awareness and understanding?
  • conduct an annual fraud risk review?
  • conduct pre-employment screening and in-service checks on staff?
  • have regular and frank conversations with delivery partners?
  • have a response plan ready so that everyone knows what to do?
  • have an anti-fraud policy and code of ethics?

Infographic: counter fraud questions trustees should ask

About cyber crime and reporting a live attack

The risks to your charity from cyber crime are increasing all the time. It’s a huge problem, which all organisations need to be aware of and guard against. The vast majority of fraud is now committed online.

Cyber crimes can be quite complex and difficult to detect, often involving data breaches or identity fraud. It’s important that you consider how best to protect your charity’s valuable assets from harm online.

The National Cyber Security Centre (NCSC) has produced an e-learning training package: ‘Stay Safe Online: top tips for staff’. It’s free, easy to use and takes less than 30 minutes to complete.

The training explains why cyber security is important and how attacks happen. It then covers 4 key areas:

  1. defending yourself against phishing
  2. using strong passwords
  3. securing your devices
  4. reporting incidents

The Cyber Aware website has an online assessment tool so you can check how cyber secure your charity is. Advice and guidance are provided after the assessment to help you meet the standard. You can also download Cyber Essentials documents to help you put essential security controls in place.

For an insight into the mindset of cyber hackers, you can read about the human side of cybercrime in the journal ‘Nature’.

You can learn more about protecting your charity against cyber fraud in this e-learning video on the Fraud Advisory Panel website.

For more advice on guarding against cyber crime visit the following websites:

Taking a few simple actions today is a good start - you don’t need to be a technology expert to protect your charity.

Get help if experiencing a live cyber attack

Action Fraud has launched a 24/7 live cyber-attack helpline. In the event of a live cyber-attack, this helpline gives access to specialist advisors who can offer advice and support to charities or other organisations in reporting the attack. These reports are immediately sent to the National Fraud Intelligence Bureau (NFIB).

To prevent cyber criminals from operating, the NFIB will then assess whether there are any websites, bank accounts or phone numbers that can be closed down. The reports are also sent to the relevant law enforcement agency for investigation if necessary.

Cyber security toolkit for charity boards

Charity boards have an important role in improving the cyber security of their organisations. The National Cyber Security Centre (NCSC) board toolkit has been designed for larger charities, to encourage essential discussions about cyber security between the board and wider staff or volunteer body.

Board members don’t need to be technical experts, but they should be able to have a fluent conversation with their experts and understand the right questions to ask.

The board toolkit covers a range of cyber security topics, starting with an introduction to cyber security specifically written for board members. Other topics include understanding the threat, collaborating with suppliers and partners, and planning a response to a cyber incident.

Each topic has straightforward guidance and helpful questions that board members can ask their technical teams. It can be adapted to fit a charity’s own unique cultures and priorities, and was created using genuine insights from boards about what they would like to know.

Regulatory alerts about charity fraud

We publish alerts and warnings about particular risks or vulnerabilities which could affect charities and their operations. Read recent fraud alerts:

Charity Fraud Awareness campaign 2020

The campaign (19 to 23 October) aims to encourage and empower charities to talk about fraud and share best practice. It focuses on 3 simple messages:

  1. Be fraud aware
  2. Take time to check
  3. Keep your charity safe

Find out how to get involved in Charity Fraud Awareness Week 2020.

Organisations that combat fraud in charities

The following organisations carry out vital work to help combat fraud in charities.

Many of these belong to the ‘Charities against Fraud’ coalition, which is a cross-sector group of nearly 50 organisations who work together to fight fraud in charities.

Regulators

Charity Commission for England and Wales

Registers and regulates charities in England and Wales, to ensure that the public can support charities with confidence.

Office of the Scottish Charity Regulator

The independent regulator and registrar for Scottish charities, supporting public confidence in charities and their work.

Charity Commission Northern Ireland

The independent regulator of charities in Northern Ireland, ensuring charities meet their legal requirements and obligations.

The Fundraising Regulator

The independent regulator of charitable fundraising, established in 2015 to strengthen the system of charity regulation and restore public trust in fundraising.

Information Commissioner’s Office

Upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

National Trading Standards

NTS Scams team provides advice and guidance to charities to ensure that charities and their donors are protected from fraud.

Police and crime prevention

Action Fraud

The National Fraud Intelligence Bureau (NFIB) sits alongside Action Fraud within the City of London Police, which is the national policing lead for fraud.

Operation Signature

Operation Signature (West Sussex Police) is the force campaign to identify and support vulnerable victims of fraud within Sussex.

Operation Falcon

FALCON stands for ‘Fraud and Linked Crime Online’ and is part of London’s Metropolitan Police Service.

Sector organisations and initiatives

Fraud Advisory Panel

The Fraud Advisory Panel is an independent voice of the counter-fraud community. It champions best practice and works to improve fraud awareness and build sector resilience.

Get Safe Online

Get Safe Online is a public/private sector partnership supported by HM Government and comprising leading organisations across banking, retail, internet security and other sectors. It provides factual and easy-to-understand information about online safety.

Credit Industry Fraud Avoidance Service (CIFAS)

CIFAS is a not-for-profit organisation working to protect businesses, charities, public bodies and individuals from financial crime.

Small Charities Coalition

A national umbrella and capacity-building organisation with over 7,000 members UK-wide. It helps trustees, staff and volunteers of small charities access the skills, tools, and information they need.

Foundation for Social Improvement

Builds and shares knowledge across the sector, representing small charities with policy makers and the public. FSI provides vital leadership and supports small charities to raise funds to serve their beneficiaries.

Charity Finance Group

CFG champions best practice in financial management within the charity and voluntary sector. It provides guidance to its charity members and the wider sector at large on the best practice for countering fraud.

Government departments and agencies

National Cyber Security Centre (NCSC)

The NCSC is the official government lead on cyber security. Its stated mission is to make the UK the safest place to live and do business online. It has a division which is directly responsible for charities and the wider public.

HMRC

HM Revenue & Customs (HMRC) is responsible for administering the UK’s tax system, including the management and reduction of risks to tax revenue. HMRC’s compliance and enforcement work includes tax fraud (where the law has been broken) and tax avoidance (where rules of the tax system have been misused to gain a tax advantage, but not illegally).

Published 10 October 2016
Last updated 25 October 2019
  1. Added 8 guiding principles for tackling charity fraud.

  2. Added a link to a new e-learning training package produced by the National Cyber Security Centre (NCSC). It is available in the 'About cyber crime and reporting a live attack' section.

  3. Added a new section about the cyber security toolkit for boards.

  4. Added a link to charity fraud awareness week helpsheets and e-learning videos.

  5. Updated the cyber-security section with a link to the new NCSC guidance for charities.

  6. A responding to fraud infographic has been added to the 'Reporting fraud' section of the guide.

  7. Cyber-fraud section has been updated to include details about Action Fraud's 24/7 live cyber-attack helpline.

  8. Added a series of links to e-learning videos to help you prevent different types of fraud.

  9. Guidance has been updated to help you protect your charity against fraud.

  10. First published.