Sadly, churches and charities are increasingly being targeted by fraudsters and are vulnerable to scams and fraud. Far from being put off by the charitable nature of these organisations, scammers actively seek them out – knowing that they’re often run by volunteers, may lack dedicated finance staff, and tend to operate in an environment of trust.
The good news is that most scams follow recognisable patterns. Once you know what to look for, you’re in a much stronger position to protect your organisation from scams and fraud. This article highlights the most common financial scams targeting churches and charities, and what you can do to guard against them.
Most common financial scams for charities
1. Invoice fraud (also known as mandate fraud)
This is one of the most common and costly scams affecting charities right now.
Here’s how it typically works: a fraudster contacts your organisation — usually by email — pretending to be a supplier or contractor you already work with. They inform you that their bank details have changed and ask you to update your records. The next time you make a payment, the money goes straight to the scammer’s account rather than the legitimate supplier.
Variations of this include:
- fake invoices from companies you’ve never heard of, hoping the busy treasurer pays without questioning it;
- intercepted email chains (sometimes called “email hijacking”) where a fraudster monitors genuine correspondence and steps in at the right moment to redirect a payment.
How to protect yourself: Always verify a change of bank details by calling the supplier directly — using a phone number you already have on file, not one provided in the suspicious email. Never rely on email alone to authorise changes to payment details. Consider a formal sign-off process for any new or changed payee details.
2. CEO or leadership impersonation fraud
In this scam, a fraudster poses as someone senior in your organisation — such as your vicar, chief executive, or chair of trustees — and sends an urgent email to your treasurer or finance volunteer asking them to make an immediate payment.
The message is usually designed to create a sense of urgency and bypass your normal approval process. Common scenarios include:
- “I’m in a meeting and need you to urgently transfer £X to this account — I’ll explain later”
- “We need to pay a contractor today or we’ll lose the booking — please process this now”
- “I can’t talk right now but please buy £500 of Amazon gift vouchers and send me the codes”
That last one — the gift voucher request — is surprisingly prevalent and has caught out a number of charities and church treasurers.
How to protect yourself: Establish a clear policy that no payment above a certain threshold can be authorised by email alone, regardless of who is asking. Always verify unusual requests by speaking to the person directly. A quick phone call or face-to-face check can stop this scam in its tracks.
3. Phishing emails and fake login pages
Phishing is when a fraudster sends an email designed to look like it’s from a trusted organisation — such as your bank, HMRC, the Charity Commission, or a software provider — with the aim of tricking you into clicking a link and entering your login details on a fake website.
Once they have your credentials, they can access your accounts, divert payments, or steal sensitive data about your donors and staff.
Phishing emails have become increasingly convincing. They often:
- use official-looking logos and formatting;
- include your name or organisation name, to appear personalised;
- create urgency such as ‘Your account will be suspended unless you act within 24 hours’;
- contain links that look legitimate but lead to fake websites.
How to protect yourself: Never click links in unexpected emails — instead, go directly to the website by typing the address into your browser. Check the sender’s actual email address carefully, not just the display name. Enable two-factor authentication (2FA) on all your accounts wherever possible, so that even if a password is stolen, the fraudster can’t get in without a second verification step.
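The sender check described above, together with the leadership impersonation pattern from section 2, can be written as a small mail-header check. This is an added example, not part of the original article or of ExpensePlus; the organisation domain, the leader names and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the organisation's own mail domain and the names of
# people whose requests carry payment authority.
ORG_DOMAIN = "stmarys.example"
LEADERS = {"revd jane smith", "john brown"}

# Constructed sample messages (headers only matter here).
SPOOFED = ('From: "Revd Jane Smith" <jane.smith.office@freemail.example>\n'
           'Subject: Urgent transfer\n\nI am in a meeting, please pay today.')
GENUINE = ('From: "Revd Jane Smith" <jane@stmarys.example>\n'
           'Subject: Rota\n\nSee you on Sunday.')
FAKE_BANK = ('From: "security@bank.example" <notice@login-check.example>\n'
             'Reply-To: help@other.example\n'
             'Subject: Account suspended\n\nAct within 24 hours.')


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_warnings(raw_message):
    """Return the reasons this message's sender deserves a second look."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(address)
    warnings = []
    # A leader's name on the display line, but the mail comes from outside.
    if display.strip().lower() in LEADERS and from_domain != ORG_DOMAIN:
        warnings.append("leader name with external address")
    # An address typed into the display name that is not the real sender.
    if "@" in display and address.lower() not in display.lower():
        warnings.append("display name shows a different address")
    # Replies would go to a different domain than the apparent sender.
    if reply_to and domain_of(reply_to) != from_domain:
        warnings.append("reply-to domain differs from sender")
    return warnings


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("genuine", GENUINE),
                      ("fake bank", FAKE_BANK)]:
        print(name, sender_warnings(raw))
```

A clean result only means these three signs are absent; a payment request still needs the phone or face-to-face check described above.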
4. Donation scams and bogus donors
Not all scams involve money going out — some involve money apparently coming in.
A bogus donor contacts your charity offering a large donation. Before the funds are transferred, they ask for something in return — perhaps a smaller payment to cover ‘admin fees’, ‘legal costs’, or ‘release charges’. Or they send a cheque for more than the agreed amount and ask you to refund the difference before the original payment has cleared.
In both cases, the initial donation never arrives (or bounces), and your charity is left out of pocket.
How to protect yourself: Be cautious of unexpected large donations, especially from overseas, that come with strings attached. Never refund a difference on a payment until you’ve confirmed the original funds have fully cleared in your account — this can take longer than you think, especially with cheques. If something feels too good to be true, seek advice before proceeding.
5. Grant scams
Fraudsters sometimes pose as grant-making organisations, contacting charities to tell them they’ve been selected to receive a grant. To claim the money, they ask the charity to pay an upfront fee to cover processing, legal, or administrative costs.
Of course, once the fee is paid, the grant never materialises and the ‘funder’ disappears.
How to protect yourself: Legitimate grant funders do not ask for upfront payments to release funds. If you receive an unsolicited notification about a grant you didn’t apply for, treat it with scepticism. Always research the funder independently before engaging, and check whether they appear on recognised databases such as the Charity Commission’s register or the UK Community Foundations network.
6. Rogue traders and contractor fraud
Churches and charities often manage buildings and premises, which means they sometimes need urgent repairs or maintenance. Rogue traders exploit this by offering cheap, quick-fix solutions — taking a large upfront payment and then either doing poor quality work or disappearing entirely.
This can also happen with IT or software contractors who offer to ‘fix’ a problem remotely, gaining access to your systems in the process.
How to protect yourself: Where possible, use contractors who come recommended by people you trust. Get at least two or three quotes for significant work. Be very cautious about paying large amounts upfront before any work is completed. Never give a contractor remote access to your computer or systems unless you initiated the contact and are confident in who you’re dealing with.
7. Payroll and expense-related fraud
If your charity has employees, runs a payroll, or pays expenses, this is another area of vulnerability. Fraudsters may attempt to:
- add fictitious employees to the payroll;
- change an employee’s bank details to their own account;
- inflate expenses claims (including using AI to create fake receipts).
How to protect yourself: Separate the duties involved in payroll wherever possible. Ideally the person who sets up or changes bank details shouldn’t be the same person who approves and processes payments. Ensure you have a good process flow for checking and managing expense and invoice payments, like the one built into ExpensePlus.
Building a culture of vigilance
Beyond specific scam types, there are some broader habits that will help protect your church or charity from scams and fraud:
- Have clear financial controls – Written policies for authorising payments, changing supplier details, and approving expenses make it much harder for scammers to exploit gaps. Even a simple two-person sign-off rule for payments above a certain value can make a significant difference.
- Train your team and volunteers – Fraud awareness doesn’t need to be complicated. A short briefing at a trustee meeting or with your staff team can go a long way. Make sure people know they can flag something suspicious without fear of being seen as awkward or overly cautious.
- Report it if it happens – If your charity is targeted – even if no money is lost – it’s worth reporting to Action Fraud (the UK’s national fraud reporting centre). You should also notify your bank immediately if money has been taken, as quick action sometimes enables funds to be recovered. The Charity Commission also expects trustees to report significant fraud as a serious incident.
- Don’t let embarrassment get in the way – Unfortunately, fraud can happen to even the most careful and well-run organisations. If it happens to you, acting quickly and openly is always better than hoping it will go away quietly.
Summary: quick reference guide of fraud schemes
| Fraud Type | What to Watch For | Key Protection |
| --- | --- | --- |
| Invoice / mandate fraud | Requests to change supplier bank details | Always verify by phone using a known number |
| CEO impersonation | Urgent payment requests from ‘leadership’ | Call the person directly before acting |
| Phishing | Fake emails requesting login details | Don’t click links; use 2FA on all accounts |
| Bogus donor | Large donation with upfront fees required | Never pay fees to receive a donation |
| Grant scam | Unsolicited grant with admin fee required | Legitimate funders never charge upfront fees |
| Rogue traders | Cheap quotes, large upfront payment requested | Use recommended contractors; pay on completion |
| Payroll fraud | Fictitious employees or changed bank details | Separate duties; regular payroll checks |
Protecting your charity’s finances is one of the most important responsibilities trustees hold. The steps involved to protect your charity from scams and fraud don’t need to be costly or complicated – often it’s a matter of slowing down, asking questions, and following simple processes consistently.
How ExpensePlus can help you prevent fraud
ExpensePlus can help you protect your organisation against scams and fraud by providing and encouraging the following controls:
- ExpensePlus provides the option of two-factor authentication (2FA) for account logins, and you can set your organisation to require 2FA for all users.
- Each user has their own login to your organisation’s ExpensePlus account, enabling you to customise permissions and access to functions per user, as well as providing a clear audit trail for expenditure, giving visibility and the ability to investigate any suspicious activity.
- The ExpensePlus process flow for expenses and invoice payments provides a range of checks and controls by involving multiple people – someone to check receipts, an expense approver (the budget holder for that category), as well as the person or people setting up and authorising payments using online banking.
- When you submit a purchase, ExpensePlus checks for duplicate purchases, preventing people from claiming duplicate purchases either accidentally or fraudulently.
- In ExpensePlus you can set up dual-authorisation (two people required for expense approval) for purchases above a certain value. This enables you to require sign off by trustees or other senior staff for larger purchases.
- ExpensePlus can also be set up to mirror dual-authorisation for bank payments, if this is required for making payments from your bank accounts.
- The automated bank feed, available for most banks, provides an easy way to check bank transactions each day and spot any suspicious activity quickly, without needing to sign into your bank account.
If you’d like more guidance on financial controls and best practice for churches and charities, explore our other articles on the ExpensePlus blog:
- Financial Risk Management for Charities and Churches
- What is a conflict of Interest? Examples and Guidance for Churches and Charities
- Purchasing policy for your church or charity
ExpensePlus is a cloud-based fund accounting software package designed for churches and charities. ExpensePlus makes managing fund accounts simple and straightforward. It’s used by hundreds of charities and churches across the UK and is rated 4.8 stars (out of 5) on Google with over 1000 user reviews.