Email security for charities: protecting donors and your name
A charity's name opens inboxes and wallets - which is exactly why criminals borrow it. With the Charity Commission opening 603 fraud cases in a single year, here is a practical, low-cost approach to protecting your charity's email identity.
A charity's most valuable asset is not on its balance sheet. It is the response its name produces: emails get opened, appeals get read, payment requests get trusted. Decades of goodwill, compressed into a sender address.
That is precisely why charities are disproportionately targeted by email fraud. Between November 2023 and October 2024, the Charity Commission opened 603 fraud cases and 99 cybercrime-related cases, with phishing the most common type of cyber-enabled fraud (Charity Commission). Behind those numbers sits an uncomfortable asymmetry: charities carry the trust profile of a bank with the security budget of a village hall - and criminals know it.
This guide is for trustees, directors and operations managers. It explains how charity email fraud actually works, what the Charity Commission expects, and a practical, genuinely affordable way to close the biggest gap. No technical background needed.
How the frauds work
Donor impersonation. The criminal sends appeal emails that appear to come from your charity's domain - same name, plausible wording, often timed to a real campaign, disaster appeal or Gift Aid deadline. Donations flow to the fraudster's account. The donors believe they gave to you; when the truth surfaces, the damage lands on your reputation, not the criminal's. For a small charity, donor trust is not a recoverable asset on any quick timescale.
Supplier and payment fraud. Emails "from the charity" to its suppliers or partners - or "from a supplier" to the charity - diverting invoice payments or grant disbursements to new bank details.
Trustee and executive impersonation. A message apparently from the chair or CEO instructs the finance officer to make an urgent, confidential transfer. Charities are especially exposed here: trustees are part-time, often communicate from personal addresses, and the deference culture around a chair's "urgent request" is strong. A compromised or spoofed trustee identity also matters for governance - serious incidents, including significant frauds and cyber attacks, must be reported to the Charity Commission.
The common thread: in most of these, nothing of yours is hacked. The criminal simply sends email as you - which, unless your domain says otherwise, email's original design freely allows.
What the Charity Commission expects
The Commission does not mandate specific technical controls, and we will not pretend it does. Its guidance on fraud and cybercrime - developed with the National Cyber Security Centre (NCSC) - expects trustees to take reasonable steps to protect the charity's assets and reputation, and points to NCSC-recommended practice. Within that practice, the control for email impersonation is DMARC (Domain-based Message Authentication, Reporting and Conformance): a single public record that tells every receiving mail server in the world to reject email claiming to be from your domain that cannot prove it is genuine.
Framed for a trustee meeting: your charity's name is an asset; it is currently either protected or available; finding out which is a governance question, not an IT one.
The affordable, practical defence
The good news for stretched budgets is that the high-impact steps are cheap or free:
- Find out where your domain stands - free. Your email security settings are publicly visible; the only question is whether you have looked before a criminal does. SealedMail's Free Domain Health Check audits your SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI and blacklist status and emails a scored certificate in plain English. No sign-up, no obligation, no sales call - and the certificate doubles as a clean paper for the next trustee meeting.
- Get DMARC to enforcement, guided by its reports. Most charity domains we check have no DMARC record or sit at p=none - monitoring mode, which blocks nothing. The journey to a blocking policy is done safely by watching the reports for a few weeks first, so legitimate mail (your newsletter platform, your donation system, your CRM) is not caught in the net. What is DMARC? explains the whole system in plain English.
- Verify payment changes by phone, always. Any change of bank details - supplier, grantee, payroll - is confirmed by calling a number you already hold. Free, and it defeats even the frauds DMARC cannot touch.
- Multi-factor authentication on every mailbox, including any charity business done from trustees' accounts.
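To show what "watching the reports" actually involves, here is an added example (not SealedMail's code or service) that reads a constructed DMARC aggregate report for a made-up domain, totals passing and failing mail per sending server, and lists the senders that would lose mail once the policy moves off p=none. The domain, IP addresses and counts are invented for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate (RUA) report cut down to the fields that matter.
# The domain, IP addresses and counts are made up for illustration.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>charity.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.44</source_ip><count>9</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""


def summarise_report(xml_text):
    """Return (published policy, {source_ip: {"pass": n, "fail": n}}).

    In <policy_evaluated>, <dkim> and <spf> are the *aligned* results. A
    message passes DMARC when either one is "pass"; a message failing both
    is what a quarantine/reject policy would stop.
    """
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    totals = defaultdict(lambda: {"pass": 0, "fail": 0})
    for row in root.iterfind("record/row"):
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        key = "pass" if passed else "fail"
        totals[row.findtext("source_ip")][key] += int(row.findtext("count"))
    return policy, dict(totals)


def sources_to_check(totals):
    """Source IPs that sent failing mail, with the message count each would lose
    under enforcement. Each is either a forgotten legitimate sender whose
    SPF/DKIM needs fixing, or a forger that enforcement should block."""
    return {ip: c["fail"] for ip, c in totals.items() if c["fail"]}


if __name__ == "__main__":
    policy, totals = summarise_report(SAMPLE_REPORT)
    print(f"published policy: p={policy}")
    for ip, counts in totals.items():
        print(f"{ip:>15}  pass={counts['pass']:<5} fail={counts['fail']}")
    print("investigate before enforcing:", sources_to_check(totals))
```

Run it over the reports your DMARC record's rua= address receives; when every failing source is one you have either fixed or confirmed is not yours, the move to p=quarantine and then p=reject is safe.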
On honesty, because charities deserve it more than most: DMARC stops criminals using your exact domain without authentication. It does not stop look-alike domains or a genuinely compromised mailbox - steps 3 and 4 exist for those. The wider anatomy is in Business email compromise: what UK firms need to know. And one boundary note on a related standard: BIMI, which displays a verified logo beside your emails, is optional, requires DMARC enforcement first, and involves certificate costs running to four figures a year - for most charities it is a later luxury, not a priority. Focus on enforcement first.
Where SealedMail fits - if you want it to
The free health check stands alone; many charities will take the certificate, hand the findings to their IT volunteer or supplier, and need nothing more. For charities that want the ongoing monitoring handled - reports received, interpreted, and explained in one weekly plain-English email a trustee or operations manager can actually read - that is SealedMail's service: £49 per domain per month, monthly rolling with no contract, UK-based, with one named specialist accountable for it. The weekly reports also serve as standing evidence of the "reasonable steps" trustees are expected to take.
Either way, the first step costs nothing and takes two minutes.