“The biggest change is the same as for many companies: so many people working from home,” says Catherine Livesey, the bank’s senior fraud prevention analyst. “While this has been good for business continuity, flexibility and physical safety, it poses a new set of threats.”

Partly, Livesey says, this is due to environment: “You are in your home, and if a message arrives outside the office you might not be as aware as you usually would be.”

This means there’s the need to think about enhanced security for homeworkers. “Are your employees set up safely enough with anti-malware and antivirus software?” Livesey asks. “If the worst happens and someone clicks on a fraudulent link, you need to know that all the information that your charity is working with will be protected.”

What are the main types of scam, and what do charities in particular need to be alert to at the moment? “Phishing (fraudulent emails) and vishing, which is fraudulent phone calls,” says Livesey.

There are two key types of scam that can reach frontline staff and which employees might not be fully aware of, she adds. The first is invoice redirection fraud. “This is where a supplier’s email account will be intercepted and spoofed, and the charity receives an email saying that the supplier has changed its bank account details.”

It might say something along the lines of: ‘When you pay next month’s supply of office equipment, can you send it to this account and sort code?’ followed by the new account details. It’s often only when the genuine supplier chases their money, which could be weeks later, that the fraud will be uncovered.

What should you do if you receive this kind of email? “Call the supplier on a trusted and independently verified number, say you’ve had the email, and ask them if it’s genuine.”

The second type of scam is CEO impersonation. “We see a lot of cases where someone pretends to be the boss,” says Livesey. An email might say something like: ‘I need a payment made urgently but I’m in meetings all day; don’t call me.’ Only when you speak to the boss the next day might they say, ‘I never sent that.’ There has been a sharp rise in the number of such impersonation scams, according to industry body UK Finance; they nearly doubled in the first six months of this year, with almost 15,000 cases reported.

Some £208m was lost in the first half of 2020 to authorised push payment (APP) or bank transfer fraud. However, the banking and finance industry is robustly fighting back, preventing £853m of attempted unauthorised fraud in the same time period. Perhaps the key to vigilance is to understand what criminals want, which is not necessarily as obvious as it might sound. “They want you to divulge information that is valuable – whether personal, company or financial,” says Livesey.

More important now than ever

For Alan Bryce, head of development, counter fraud and cybercrime at the Charity Commission, “those charities that provide vital services and are supporting local communities during the crisis may be especially vulnerable, with scammers increasingly using the ‘hook’ of Covid-19 to lure victims”. However, Bryce adds: “In reality, most of the frauds we’re seeing are adapted versions of the most common scams of recent years, with a Covid-related twist to them. Hence phishing, mandate, grants and procurement fraud are still up there among the priority risks to look out for.”

Something most scams will have in common is that they will create a sense of urgency. This is one of the clues that can make you alert to potential fraud: “It’s designed to rush you, and prevent you from thinking twice,” Livesey says.

So how do charities go about protecting themselves and make sure that such red flags don’t go unnoticed? “It’s through greater fraud awareness, combined with strong financial management and good governance,” says Bryce. “Our research shows that two thirds of charity frauds are identified either by financial controls or by audit, highlighting the importance of getting the basics right.”

Livesey’s advice is for any team manager to set clear expectations for employees. “Create a culture where people can query financial payments. In the office environment, you can usually speak to someone else at the next desk; working from home, you’re more vulnerable when you are solitary.”

The second part of the solution is robust mechanisms. “If you are making large payments, look into two-factor authentication,” says Livesey. In practice, “this is as simple as ensuring that someone else signs off the payment before it is processed”. What constitutes a ‘large’ payment should be defined by the individual business: “It might be anything over £1,000 for example, but will depend on the size of the charity.”

Charities are particularly vulnerable during the pandemic because their usual methods of fundraising are reduced; this means greater reliance on online platforms. “Make sure you are using a trusted online supplier of these payment tools,” says Livesey. And if you think you have been a victim, talk to your bank immediately as they will be in the best place to assist.

“I encourage all charities to make use of the information hub, which provides charities with the tools and understanding needed to combat fraud and protect their valuable assets from harm,” says Bryce. “All of this is available for free.”

Keeping your charity safe: three takeaway points

• Be fraud aware. Don’t click on links within unexpected emails or text messages. Be aware that criminals can be experts at impersonation. Know that charities have information that’s valuable to fraudsters.

• Take time to check. Be aware of red flags such as trying to create a sense of urgency. Check your bank statements regularly, and be particularly alert about being asked to change payment details. Query unsolicited offers of free help.

• Keep charities safe. Make sure you have clear processes for any financial or other important decisions. Keep full financial records and put all important decisions in writing. Perform regular data backups to different storage devices and never give remote access to your computer.

For more information visit GOV.UK.