The BDO and Prevent Charity Fraud Conference in London this week delivered a clear message to the sector: with economic pressures mounting and AI-enabled threats evolving rapidly, charities must shift from reactive protection to proactive prevention.

Read on to find out what else we learned...
Fraud as a strategic risk
Charities need to elevate fraud from an operational nuisance to a top-level concern by explicitly building fraud into risk management, planning cycles and board agendas. And trustees and leadership teams must champion a zero-tolerance culture.
Too often, fraud discussions are delegated to finance teams or compliance officers, but trustees need to ask informed questions about controls, incidents and emerging risks. Visibly demonstrating fraud prevention is a governance priority.
A sneak peek at the findings from the BDO Charity Fraud Survey 2025 (due to be published in early 2026) showed that whilst many charities have anti-fraud policies, far fewer have comprehensive fraud response plans or cyber response strategies ready to deploy. This gap between policy and preparedness is where organisations become vulnerable.
The challenge of size
Fraud challenges often manifest differently depending on size. For larger charities, the complexity lies in scale and structure. Diverse income streams, numerous payment channels, and large teams create more opportunities for fraud to occur, and more places where controls can break down.
Larger organisations that have dedicated finance and compliance teams are able to implement sophisticated internal controls, segregation of duties, and regular internal and external audits. They may also be able to invest in specialist fraud investigation services and could have in-house expertise.
For smaller charities, limited resources mean that individuals often hold multiple roles, making true segregation of duties difficult or impossible. A small charity might have one individual handling everything from invoice processing to HR processes, or trustees who are closely involved in day-to-day financial decisions. Smaller organisations are unlikely to invest in fraud prevention.
Both large and small charities share common vulnerabilities: an over-reliance on trust, a lack of preparedness for AI-enabled fraud, and gaps between having policies and actually implementing them effectively.
Controls and culture
The sheer volume of transactions can make anomalies harder to spot, and even well-resourced charities can lack proper incident response plans and data analytics for fraud detection. But strong internal controls remain the most effective line of defence. Most charity fraud is detected through internal controls rather than sophisticated technology or external whistleblowing. Dual authorisation, clear delegation limits, regular reconciliations, and periodic spot-checks reduce opportunities for fraud.
It’s often said that the charity sector is a trusting sector. Reducing over-reliance on trust doesn't mean abandoning the collaborative, mission-driven culture that defines charities. However, adopting the mindset that "anyone could be a fraudster" when designing controls can be helpful.

Preparing for the worst
Whether your organisation has already experienced fraud or not, every charity should have a clear incident response plan in place before fraud occurs. This means having an anti-fraud policy, a whistleblowing policy, and a documented fraud response plan so that people know who to tell, how to report incidents, and how decisions will be made under pressure.
And when fraud does occur, swift action is essential. The difference between unauthorised fraud (such as hacked cards or stolen cheques) and authorised push payment (APP) scams, where staff are tricked into authorising payments, is important, as each requires different immediate responses. These include contacting both sending and receiving banks, reporting to Report Fraud (formerly Action Fraud), notifying insurers and regulators, and preserving all evidence.
New threats, new responses
The session on AI as ‘friend or foe’ highlighted both the opportunities and dangers of the new technology. Whilst AI can help charities improve efficiency and detect anomalies, fraudsters are already using it for sophisticated phishing, deepfakes, voice cloning, and impersonation scams. The example of a $25 million loss via a deepfake CFO scam is enough to strike fear into the heart of every finance professional.
The defences against AI fraud include verification, double-checking instructions, in-person or multi-channel confirmation for high-value transactions, and training teams to recognise AI-enabled scams. Both fraud policies and AI governance documents need to reference these risks explicitly, with budgets allocated specifically for fraud prevention if possible.
One speaker also suggested that charities need to "fight fire with fire", highlighting that they should explore the use of AI tools for anomaly detection and fraud prevention whilst protecting against AI-enabled attacks.

Transparency builds trust
The most powerful message from the conference was around communication. A speaker from Macmillan demonstrated that openness about fraud incidents, when handled transparently, can actually strengthen donor trust and support. They detailed how their record of over 60 successful private prosecutions has sent a clear deterrent message to potential fraudsters whilst showing supporters that the charity takes its stewardship responsibilities seriously.
By investing in fraud prevention, investigating thoroughly, and where appropriate pursuing prosecutions or recovery action, charities serve not only their own organisations but the entire sector. Conversely, sweeping incidents under the carpet or failing to act sends the opposite signal: that charities are soft targets where fraud carries little consequence.
Additionally, post-incident reviews should not be tick-box exercises but genuine opportunities to learn, update controls, and communicate carefully with stakeholders. This transparency demonstrates accountability and reinforces that donors' money is being safeguarded properly.
Private prosecutions: another string to the bow?
The conference explored private prosecutions as a tool that is increasingly available to charities, particularly given that only a small percentage of fraud reported to police results in action.
Private prosecutions can offer greater control, potential for asset recovery and cost recovery. And importantly, with sentences of up to 14 years available for serious fraud offences, and the publicity surrounding successful prosecutions, this could help deter future fraudsters and benefit all charitable organisations in the process.
Looking ahead: ECCTA and the ‘failure to prevent fraud’
The introduction of the Economic Crime and Corporate Transparency Act (ECCTA) and its "failure to prevent fraud" offence means charities must assess fraud risks across all activities, including fundraising, service delivery, research, and communications, and document ‘reasonable’ and ‘proportionate’ prevention procedures. Leadership teams need to communicate expectations regularly, providing examples of "what good looks like" rather than simply listing prohibitions.
The challenge for charities is that ECCTA remains relatively untested, with uncertainty around defining "associated persons" and what constitutes these ‘reasonable and proportionate’ measures. However, speakers cautioned that charities are likely to feature among early test cases, making it essential to act now rather than waiting for guidance to emerge through enforcement.

Eight key takeaways for charities
1. Treat fraud as a strategic risk: Build fraud explicitly into your risk register, planning cycles, and board agendas, with trustees and leadership teams visibly championing a zero-tolerance culture.
2. Invest in strong internal controls and simple processes: Implement dual authorisation and periodic spot-checks, recognising that most charity fraud is still detected by internal controls rather than technology or external reports.
3. Reduce over-reliance on trust: Assume that anyone could be a fraudster and use proportionate vetting, look out for conflicts of interest, and segregate duties.
4. Prepare for incidents before they happen: Put in place an anti-fraud policy, whistleblowing policy, and a clear fraud response/incident plan.
5. Strengthen reporting and recovery procedures: Make it standard practice to report significant fraud to your bank, Report Fraud, insurers and regulators, and consider when private prosecutions might be appropriate to assist asset recovery.
6. Take AI-enabled fraud seriously: Train staff to spot phishing, deepfakes, and voice/video impersonation. Build in ‘pause and verify’ steps, and reference AI-related fraud risks and safeguards in both your fraud and AI policies.
7. Respond transparently and learn: After any incident, conduct a structured review, update controls and training, and communicate carefully but openly with stakeholders, so they see that you take fraud seriously.
8. Get ready for ECCTA and "failure to prevent fraud": Carry out a fraud risk assessment across all activities, document ‘reasonable and proportionate’ prevention procedures, and ensure leadership regularly communicates expectations and examples of "what good looks like." Look out for more on what ECCTA means for charities in 2026.
To find out more about the BDO Charity Fraud Survey 2025 – due to be published in early 2026 – visit their website.
Useful resources and further reading
Charity Commission guidance: How to report a serious incident in your charity
Report Fraud (formerly Action Fraud) website
CFG article: Inside job: Understanding and preventing insider fraud
CFG article: The importance of internal controls – a real life example