Fraud – How to mitigate risk and what to do if fraud is identified

Hazra Patel, 13 March 2026

Charities exist to benefit the public, and it can be difficult to understand why someone would target them with malicious intent. However, fraud does occur in charities and it can cause significant financial and reputational harm. 

As such, it is vital that you are able to take the relevant precautions to protect against fraud.  

How can charities mitigate the risk of fraud? 

Fraud can occur both externally and internally, so it is important for charities to implement clear policies and systems that protect them from a variety of risks. 

A strong approach typically includes a clear culture for raising concerns, such as a whistleblowing policy, and ensuring trustees, staff and volunteers understand their responsibilities and know how to identify and report concerns. 

Cybercrime is also a significant risk and charities are not immune. Practical steps such as staff training to recognise phishing attempts, secure access controls and good password and device practices can help protect funds and data. 

Maintaining appropriate internal financial controls can further reduce the risk of fraud and loss. This may include segregation of duties (for example, different people authorising and processing payments), clear approval limits, regular reconciliations and restricting system access to those who need it. Controls should be proportionate and balanced with operational needs. 

What happens if fraud is detected? 

If you suspect fraud, try to act promptly and calmly. Seek professional advice as appropriate and take steps to protect the charity’s assets, secure relevant records and preserve evidence. Keep clear documentation of what has been identified and the actions taken. 

Depending on the circumstances, trustees may need to submit a serious incident report to the Charity Commission and may also need to report the matter to the relevant authorities.  

The Commission’s guidance explains when and how to report serious incidents, and notes that allegations or incidents of fraud and cybercrime should be reported via Report Fraud, while theft should be reported to the police, obtaining a crime reference number where applicable.  

If the incident involves loss or compromise of personal data, you may also need to consider reporting obligations to the ICO. 

Trustees should take reports of suspected fraud seriously and ensure concerns are assessed and investigated appropriately, maintaining confidentiality where required. Poor management of fraud risk and response can damage public trust and confidence. 

Seeking professional support can help you evaluate whether your policies and controls are proportionate and effective. This overview is intended as general guidance only and does not constitute legal advice. 

How can we help?

Our experienced charity and not for profit team are happy to help organisations and trustees with a wide range of issues, including reviews of the systems and control environments for weakness and improvement. For a confidential discussion, please get in touch with Partner, Hazra Patel (hazrapatel@lubbockfine.co.uk).
