What Save the Children’s $1m fraud can teach small UK charities
by Ben Grave - Wed 10 Jun 2026

When a global charity like Save the Children can be tricked into sending $1 million to a fraudster's bank account, it is a wake‑up call for every UK charity, no matter how small. If it can happen to them, with their budgets and expertise, it can certainly happen to you.
This blog looks at what happened, why it worked, and the practical lessons small UK charities can apply without big‑organisation money or complexity.
What actually happened in the $1m Save the Children fraud
In 2017, cyber criminals compromised the email account of an employee at Save the Children Federation, the US arm of the international charity. Once inside the mailbox, they patiently studied how the organisation communicated and how payments were approved.
They then:
- Created convincing fake invoices and documents
- Claimed funds were needed to buy solar panels for health centres in Pakistan, where the charity has a long‑standing presence
- Directed nearly $1 million to a fraudulent bank account in Japan
By the time the fraud was spotted, the transfer had cleared and most of the money had gone, although insurance later covered all but about $112,000. The incident is a textbook example of a Business Email Compromise (BEC) scam: attackers hijack a real email account (or convincingly impersonate one) and then use it to request or redirect large payments.
Save the Children responded by tightening security, including stronger verification checks for new suppliers and bank details. But for smaller charities, the more important question is: what can you learn from this, and how do you stop something similar happening to you?
Lesson 1: If they can get into email, they can get into your money
The whole fraud started with one compromised email inbox. For a small charity, email is often the "front door" to everything else: banking approvals, payroll instructions, Gift Aid claims, supplier invoices, and even donor data.
Key takeaways:
- Treat email as a critical financial system, not a casual messaging tool
- Assume cyber criminals will try to hijack it and then “be you” to your colleagues, suppliers or bank
- Recognise that carefully crafted phishing emails still work and remain a major cause of these attacks
Practical steps for small charities:
- Turn on multi‑factor authentication (MFA) for all staff and trustees on Microsoft 365, Google Workspace and any other core systems; prefer an authenticator app or security key over SMS codes, which are easier for an attacker to intercept or phish
- Use unique, strong passwords, ideally via a password manager
- Regularly review sign‑ins and security alerts for unusual activity in your tenant or email system, including sign‑ins from unexpected countries and newly created mailbox forwarding rules, which attackers commonly add to quietly monitor a compromised inbox
These are low‑cost controls that drastically reduce the chance of an attacker walking straight into your most sensitive accounts.
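The sign‑in review above can be partly automated even without a security product. The script below is an added example written for this post, not something Save the Children or any vendor published. It assumes a simple exported sign‑in log with six comma‑separated fields (UTC timestamp, user, source IP, country code, result, whether MFA was satisfied), loosely modelled on the columns a Microsoft 365 / Entra export contains; the sample lines, the domain example.org and the expected‑country set are constructed for the example and should be replaced with your own export and the countries you actually operate from.

```python
"""Flag suspicious sign-ins in a small exported sign-in log.

Assumed record layout (one per line, comma separated):
    timestamp (ISO 8601, UTC), user, source IP, country code, result, mfa
This layout and the sample data are constructed for the example; adapt
parse_log() to whatever your tenant actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Countries the charity normally signs in from (assumption for the example).
EXPECTED_COUNTRIES = {"GB"}

# Constructed sample log, not real data. It contains three things worth
# a human look: a password-guessing burst that eventually succeeds without
# MFA, a sign-in from an unexpected country, and two sign-ins for one user
# from different countries 40 minutes apart.
SAMPLE_LOG = """\
2026-06-01T08:02:11Z,finance@example.org,203.0.113.10,GB,success,yes
2026-06-01T08:05:40Z,ceo@example.org,203.0.113.11,GB,success,yes
2026-06-01T21:14:03Z,finance@example.org,198.51.100.7,NG,failure,no
2026-06-01T21:14:09Z,finance@example.org,198.51.100.7,NG,failure,no
2026-06-01T21:14:15Z,finance@example.org,198.51.100.7,NG,failure,no
2026-06-01T21:15:02Z,finance@example.org,198.51.100.7,NG,success,no
2026-06-02T09:00:00Z,ceo@example.org,203.0.113.11,GB,success,yes
2026-06-02T09:40:00Z,ceo@example.org,192.0.2.44,JP,success,yes
"""


def parse_log(text):
    """Parse the assumed CSV layout into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result, mfa = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "country": country,
            "success": result == "success",
            "mfa": mfa == "yes",
        })
    return sorted(records, key=lambda r: r["time"])


def find_suspicious(records, travel_window=timedelta(hours=2), failure_burst=3):
    """Return (rule, user, detail) findings for a human to review.

    Rules, evaluated per user in time order:
      unexpected_country     success from outside EXPECTED_COUNTRIES
      no_mfa                 success where MFA was not satisfied
      success_after_failures success preceded by >= failure_burst failures
      impossible_travel      two successes from different countries within
                             travel_window of each other
    """
    findings = []
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    for user, recs in by_user.items():
        last_success = None
        recent_failures = 0
        for r in recs:
            if not r["success"]:
                recent_failures += 1
                continue
            where = f"{r['country']} {r['ip']} at {r['time']:%Y-%m-%d %H:%M}"
            if r["country"] not in EXPECTED_COUNTRIES:
                findings.append(("unexpected_country", user, where))
            if not r["mfa"]:
                findings.append(("no_mfa", user, where))
            if recent_failures >= failure_burst:
                findings.append(("success_after_failures", user,
                                 f"{recent_failures} failures then {where}"))
            if (last_success is not None
                    and r["country"] != last_success["country"]
                    and r["time"] - last_success["time"] <= travel_window):
                findings.append(("impossible_travel", user,
                                 f"{last_success['country']} then {where}"))
            last_success = r
            recent_failures = 0
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {user:24} {detail}")
```

Run it against a real export and every finding is a prompt to ask the user whether that was them, reset the password and re‑enrol MFA if not, and check the mailbox for forwarding rules. The thresholds (two hours, three failures) are deliberately conservative for a small tenant; tune them rather than silencing a rule.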
Lesson 2: Clever frauds piggy‑back on your real work
The criminals didn’t ask for something obviously absurd; they asked for money for a project that sounded entirely plausible: solar panels for health centres in a country where the charity had worked for decades. That realism made the fraud much harder to spot.
For small charities, the same pattern applies:
- Fraudsters use the names of real projects, partners or countries you already work with
- They mirror your tone of voice and internal language, often by studying your website, social media and earlier emails
- They time requests to coincide with busy periods like year‑end, big campaigns or staff holidays
The lesson is that familiarity is not proof of legitimacy. A request that “sounds like us” might be the most dangerous kind.
Practical steps:
- Train staff and volunteers to be politely sceptical of urgent or unusual payment requests, even if they appear to come from a trustee, CEO or long‑standing supplier
- Make it culturally acceptable to slow things down and ask, “Can we quickly double‑check this before we send the money?”
You are not being difficult; you are protecting the charity.
Lesson 3: Simple internal controls beat clever frauds
One of the starkest lessons from the Save the Children case is that this was not a sophisticated technical exploit. It relied on human trust and routine payment processes. The good news for smaller charities is that many of the most effective defences are simple, cheap internal controls.
The Charity Commission’s refreshed fraud guidance for trustees stresses straightforward measures such as dual authorisation on payments, routine reconciliations, and clear separation of duties.
Practical internal controls for small charities:
- Dual approval on payments: Require at least two people to authorise any payment above a modest threshold, and always for payments to new or changed bank details, regardless of amount.
- Segregation of duties: Avoid the same person setting up suppliers, approving invoices and making payments, even if that means involving trustees or volunteers.
- Documented finance procedures: Even a short, clear one‑page process for “how we pay people” reduces ad‑hoc decisions under pressure.
These controls are exactly what regulators and professional advisers recommend, and they do not require enterprise‑grade systems or big budgets.
Lesson 4: Always verify changes to bank details out‑of‑band
After the incident, Save the Children introduced policies that required employees to verify new vendors and bank account changes via phone, rather than relying solely on email or invoices. That one change would have made the fraud dramatically harder to pull off.
For small charities, this can be turned into a non‑negotiable rule:
- No change to supplier, partner or staff bank details is actioned without an independent check via a known, trusted phone number or a face‑to‑face conversation (see our blog on Phishing Emails for how these requests are typically dressed up)
- Never use the phone number or email address printed on the invoice or in the change request; instead use details you already have on record or public, verifiable sources
- Build in a short “cooling‑off” period for large or unusual payments so you are not bounced into immediate action
This “call back and confirm” habit is a powerful, low‑tech defence against both BEC scams and traditional invoice fraud.
Lesson 5: Cyber security is a governance issue, not just an IT issue
Save the Children’s case was written up in regulatory and media reports, which means trustees and senior leaders will have had to explain what happened and what changed. In the UK, the Charity Commission’s updated guidance makes clear that trustees are expected to understand and manage fraud and cyber‑crime risks, not leave them entirely to staff or external IT providers.
For small charities, this means:
- Trustees should ask basic but probing questions about digital risk, fraud controls and incident response, rather than assuming “the IT person” has it covered
- Fraud and cyber risk should appear on your risk register and be discussed at least annually, alongside safeguarding, finance and fundraising
- You should have a simple, written fraud and cyber incident plan so that everyone knows what to do if something goes wrong
Useful trustee‑level questions include: “How would we spot a fraudulent payment?”, “Who would lead our response to a cyber incident?”, and “Do staff feel confident challenging suspicious requests?”
Lesson 6: You need a plan for when things go wrong
Save the Children was able to recover most of the stolen funds through insurance; many smaller charities will not be so fortunate. However, the way you respond to an incident can limit damage, protect your reputation and support any investigation.
Current guidance from the Charity Commission and other sector bodies stresses the importance of:
- Acting quickly to contain the harm and secure systems
- Reporting serious incidents and fraud appropriately, including to Action Fraud (which covers England, Wales and Northern Ireland; in Scotland, report to Police Scotland) and, where relevant, to the Commission as a serious incident
- Engaging specialist support (legal, IT, forensic) when needed
- Learning lessons and updating controls afterwards
For a small charity, a simple incident playbook is enough:
- Who you will contact first (trustee, IT support, bank, police)
- How you will temporarily freeze payments or accounts
- Who will handle communication with staff, beneficiaries and supporters
- Where you will log decisions and evidence for later reporting
This is as much about organisational resilience as it is about technology.
Practical checklist for small UK charities
You do not need a million‑dollar budget to apply the lessons from a million‑dollar fraud. Here is a practical, “start this month” checklist, based on current UK regulatory guidance and real‑world incidents.
- Turn on multi‑factor authentication (MFA) for all email and cloud accounts, and encourage staff and trustees to use a password manager.
- Introduce dual authorisation for payments above a modest threshold, and for all new or changed bank details.
- Make “phone‑back verification” mandatory for any new or changed bank details, using contact details you already hold (not those in the request).
- Write a one‑page procedure that explains how invoices are approved, paid and reconciled, and make sure people follow it.
- Run a short annual briefing for staff and volunteers on phishing, email scams and how to challenge suspicious payment requests.
- Check you have working backups of key systems (such as Microsoft 365, finance and donor databases) and that you know how to restore them.
- Put fraud and cyber risk on the board agenda at least once a year, and ask clear questions about controls and any incidents.
- Draft a simple fraud and cyber incident plan, including who you will contact first and when to report to Action Fraud and the Charity Commission.
Even picking three of these actions and completing them properly will significantly reduce your risk.
Bringing it all together
The Save the Children fraud was not just an unfortunate one‑off; it is part of a wider pattern of business email compromise and charity fraud affecting organisations of all sizes. You cannot eliminate the risk, but you can make yourself a much harder target.
Strong email security, simple financial controls, confident trustees and a clear incident plan will do more for your fraud resilience than any expensive technology alone. In a sector built on public trust, those are investments you cannot afford not to make.