Charity fraud and cybercrime: Managing the risks

To mark Charity Fraud Awareness Week on 21 October Shoosmiths hosted a webinar with Jonathan Taylor, head of charities and care at Innovation Broking, entitled ‘Charity fraud and cybercrime: prevention and cure’.

New figures show charities reported £8.6 million of lost funds in the last financial year and more than 1,000 incidents of fraud to Action Fraud, but the true scale of fraud against charities is believed to be much higher. Around 65% of charities consider that the pandemic has increased their risk of fraud.

Charities know there is a threat, and know they need to take more action to address it.


Financial loss and reputational damage can be reduced by effective prevention. It is also far more cost-effective to prevent fraud than to investigate it and to remedy the damage done.

All charity trustees are under a duty to protect their charities’ assets and should manage risk appropriately.  Charities should have effective processes to help avoid fraud and cybercrime.

Organisations can reduce opportunity by taking the following action:

Identify and manage risks
For most charities the biggest risk will be their people. It is important for every charity to assess the risks specific to its operations and to take steps to manage them.

Internal financial controls
This includes implementing policies (such as an anti-fraud policy with a clear policy statement), procedures and training. Fraud should be a standing item on the agenda of any charity, particularly if it is operating in high-risk jurisdictions. The controls put in place need to be monitored and reviewed.

Culture – perhaps the most important
An anti-fraud culture is a complex mix of factors. It might be described as the attitude of senior and junior employees within an organisation towards anti-fraud behaviour and towards the policies and procedures designed to prevent, detect and respond to instances of fraud.

Trustees in particular should manage fraud risks actively. The trustees and senior management should lead by example, and executive management and the charity’s staff and volunteers should be responsible for ensuring that the controls put in place by the trustees are actually implemented. There should be a willingness at all levels to challenge unusual activities and behaviour, and a culture of using near misses as an opportunity to develop organisational learning.

Fraud Response Plan
A Fraud Response Plan should enable a charity to respond in an appropriate, measured and consistent way to any allegation of fraud, minimising the financial, reputational and legal risk. A good plan should be bespoke, flexible and link to other policies, such as those relating to whistleblowing and disciplinary procedures.


Emotional response/pragmatic response
Once fraud is discovered, the initial reaction is likely to be anger and a desire to bring those responsible to justice, but if you are looking to recover what you have lost then the head should rule over the heart.

Implement your Fraud Response Plan
A good fraud response plan will minimise financial loss, identify perpetrators, optimise recovery of lost assets, prevent loss or damage to evidence and reduce reputational damage. It should set out objectives, identify key personnel, detail measures for securing evidence, include a damage assessment, set out reporting procedures and consider other issues such as media, insurers, suspects and police.

Gather evidence
While incidents should be reported to Action Fraud and local police economic crime units, it is possible that stretched police resources may not be allocated to dealing with charity fraud. Instead consider whether your charity should retain control and take the initiative.

The initial response is critical – the ‘golden hour’ where opportunities for securing evidence in a secure and sanitised way are greatest (they then deteriorate with time).

Instructing lawyers at an early stage means an organisation can then undertake the internal investigation with the benefit of legal professional privilege.

Recovery through a civil claim
Various tools are available to charities affected by fraud, where the risk of dissipation of assets and evidence is high and the time to react effectively is limited: in particular, freezing injunctions, search and seizure orders, and third party disclosure applications.

All these options are time-intensive, likely to involve IT and accountancy experts as well as lawyers and so will be expensive – which means it is important to consider from the outset the cost and benefit of taking action. Charities will not want to take steps to recover a £500 debt when ‘holding the ring’ and securing evidence will cost tens of thousands of pounds.

Taking a claim to trial can take time (it is not uncommon to expect up to two years before a trial date) but even if a charity eventually secures a court judgment and an order requiring a defendant to contribute towards the charity’s costs, will the fraudster be good for the money?

If not, then what has been the point of taking any action? The charity will be further out of pocket and have invested a great deal of the time of staff and trustees as well as even more money – all to achieve a pyrrhic victory (although there can be a deterrent benefit in being seen to take such action).

This underlines the importance of charity trustees making balanced and proportionate judgments from the outset, acting reasonably in the best interests of their charity to protect its assets and continually re-assessing the situation in light of changing circumstances and the receipt of further information.


Jonathan Taylor of Innovation Broking explained that even if charities don’t think they have been affected by cybercrime it’s probable that they have at some point – they just don’t know it.

There are two key mitigation strategies all charities should adopt:

  • Instil a culture of cyber risk awareness, honesty and good governance. Large organisations should have a cyber risk committee chaired by somebody outside the line management of the Chief Technology Officer. Smaller organisations should consider an external cyber readiness audit.

Good education is key to minimising human error, for example making charity staff pause before clicking to open a weblink and downloading malware.

  • Good insurance is a must (while it remains available) to address risks such as phishing, network damage, data breaches, ransomware attacks and consequent business interruption.

Cover is only likely to be available for well-run charities which in particular use multi-factor authentication.

How we can help

Not every incident of fraud will necessitate a report to law enforcement authorities and by conducting a proper investigation, management will have the option of disposing of the matter in a number of ways including disciplinary action, civil recovery or indeed a referral to the police or other agency.

Legal advice is also likely to be useful for identifying and prioritising any regulatory reporting obligations, addressing potential liability issues and identifying any additional financial crime implications.

If you would like to discuss how we could help your charity address the risk or incidence of fraud please get in touch.


This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2024.

