Charity Payment Fraud Case Studies: BEC Attacks That Cost Charities Millions

Business Email Compromise (BEC) fraud, in which attackers impersonate charity leadership or trusted contacts to redirect payments, has cost UK charities millions of pounds in recent years. The Charity Commission has published guidance on payment fraud following several cases in which significant charitable funds were diverted. These case studies illustrate the attack patterns and the controls that would have prevented them.

UK charities report losing over £8 million annually to payment fraud — the majority through Business Email Compromise attacks targeting finance and operations teams.

How BEC Attacks Target Charity Finance Teams

Documented charity BEC cases typically follow one of three patterns. In CEO impersonation, an email purportedly from the CEO or Chair of Trustees requests an urgent payment, often for a supposedly confidential purpose, exploiting the authority relationship so that the recipient feels unable to ask questions. In supplier invoice fraud, attackers compromise a genuine supplier's email account and send a request to pay the next invoice to a new bank account; because the message comes from the supplier's real mailbox, often inside an existing thread, it passes every check that relies on the sender's address looking right. In grant payment fraud, an email purportedly from a grant funder asks the charity to confirm its bank details before a payment is released; the account information and correspondence the attacker harvests is then used to divert the grant, typically by posing as the charity to the real funder. All three patterns exploit the trust relationships and authority structures that are central to charity operations, and mission-driven cultures, where urgency in service of the charitable purpose is valued, are particularly susceptible to time-pressure tactics.

Controls That Prevent Charity Payment Fraud

The controls that prevent BEC fraud in charities are straightforward and largely low-cost. First, an out-of-band payment verification process: any payment to a new payee, and any change to an existing payee's bank details, requires a phone call to a number already on file, never to a number or address taken from the email that made the request. Second, dual authorisation for payments above a defined threshold, so that two authorised signatories must approve significant payments and a single deceived or compromised individual cannot release funds. Third, MFA on every email account, so that a phished password alone does not hand an attacker a mailbox from which to send convincing requests within the charity's own domain (it does nothing about a supplier's compromised mailbox, which is one reason verification remains the primary control). Fourth, email security with impersonation detection (Coro, deployed by Kyanite Blue, identifies CEO impersonation and domain spoofing that standard email filtering misses), noting that filters are least effective against a genuine supplier account that has been taken over. Fifth, a culture where it is safe to question an unusual payment request, even from the CEO or a trustee. The out-of-band verification process alone would have prevented the majority of documented charity BEC cases.
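The header-level impersonation checks referred to above, as an added example that is not part of the original page and is not Coro's or Kyanite Blue's code: a small Python script that parses raw email messages and flags the indicators an email-security layer looks for in the three patterns described earlier (an executive's display name on an outside sender domain, a Reply-To pointing at a different domain, a lookalike of the charity's own domain, and urgency wording paired with a payment or bank-detail request). The charity domain, the executive names and the three sample messages are constructed assumptions for illustration.

```python
"""BEC impersonation indicators in raw email messages (added example).

Not from the original page. CHARITY_DOMAIN, EXECUTIVES and the three
sample messages below are constructed assumptions for illustration.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

CHARITY_DOMAIN = "example-charity.org"        # assumption: the charity's own domain
EXECUTIVES = {"jane smith", "ahmed khan"}     # assumption: CEO and Chair display names

# Wording that marks time pressure, and wording that marks a payment/bank-detail request
URGENCY = re.compile(r"\b(urgent(ly)?|today|immediately|confidential|asap)\b", re.I)
PAYMENT = re.compile(r"\b(bank details|payment|invoice|transfer|account number|sort code)\b", re.I)


def normalize_domain(domain: str) -> str:
    """Fold common lookalike tricks (accents, digits for letters, rn/vv)
    so that a spoofed domain collapses onto the genuine one."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                            ("3", "e"), ("5", "s")):
        folded = folded.replace(lookalike, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> dict[str, str]:
    """Return {indicator: detail} for the BEC patterns found in one message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    found: dict[str, str] = {}

    # CEO/Chair impersonation: an executive's name on a message from an outside domain
    if display_name.strip().lower() in EXECUTIVES and from_domain != CHARITY_DOMAIN:
        found["executive-display-name"] = (
            f"'{display_name}' sent from {from_domain}, not {CHARITY_DOMAIN}")

    # Reply-To on a different domain than From is the classic redirect of the conversation
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        found["reply-to-mismatch"] = f"replies go to {domain_of(reply_to)}"

    # Lookalike of the charity's own domain (homoglyph or typo-squat)
    if from_domain != CHARITY_DOMAIN and (
            normalize_domain(from_domain) == normalize_domain(CHARITY_DOMAIN)
            or edit_distance(from_domain, CHARITY_DOMAIN) <= 2):
        found["lookalike-domain"] = f"{from_domain} resembles {CHARITY_DOMAIN}"

    # Time pressure combined with a payment or bank-detail request
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY.search(text) and PAYMENT.search(text):
        found["urgent-payment-request"] = "urgency wording combined with a payment request"
    return found


# Constructed sample messages (not real traffic)
CEO_IMPERSONATION = "\n".join([
    "From: Jane Smith <jane.smith.ceo@freemail-example.com>",
    "Reply-To: jane.smith.ceo@mail-example.net",
    "To: finance@example-charity.org",
    "Subject: Urgent confidential payment",
    "",
    "I need a transfer of 24,000 made today for a confidential matter.",
    "Please keep this between us.",
])
LOOKALIKE_DOMAIN = "\n".join([
    "From: Ahmed Khan <a.khan@examp1e-charity.org>",
    "To: finance@example-charity.org",
    "Subject: Trustee expenses",
    "",
    "Please settle the attached invoice to the new account number below.",
])
LEGITIMATE = "\n".join([
    "From: Jane Smith <jane.smith@example-charity.org>",
    "To: finance@example-charity.org",
    "Subject: Board minutes",
    "",
    "Attached are the minutes from Tuesday's meeting.",
])

if __name__ == "__main__":
    for label, raw in (("CEO impersonation", CEO_IMPERSONATION),
                       ("Lookalike domain", LOOKALIKE_DOMAIN),
                       ("Legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

Note what this does not catch: a supplier invoice fraud sent from the supplier's genuine, compromised mailbox carries the right From domain and usually no Reply-To trick, so only the wording check has any chance of firing. That gap is exactly why the phone call to a number already on file, not any filter, is the control the page identifies as decisive.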

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
