The Fundraising Regulator has said there is no evidence that its databases have been hacked after charities were contacted by scammers posing as the regulator and requesting payment for the Fundraising Preference Service.
The regulator sent out a warning about the scam on Tuesday after several charities received a poorly written email suggesting that the charity was due to pay an invoice for the costs of the FPS.
The costs of the FPS, which enables people to block communication by post, telephone, email or text from specific charities, are being covered by the voluntary levy that has been paid by the majority of charities that spend more than £100,000 a year on fundraising.
A database manager at one of the charities that was targeted by the scam told Third Sector the email address that received the request for money was a personal one that was not publicly linked to their work at the charity.
The manager, who asked not to be named, said they thought it was likely that the email had also been sent to their work email address, but the charity’s spam filters had blocked it.
"I’m the primary contact for the Fundraising Regulator, and it seems strange to me that the scammers targeted exactly the right person and knew to send it to that account," the person said.
Although the manager acknowledged that their personal email address was available in the public domain, they said it was never linked specifically with their role at the charity and did not appear on the charity’s website.
It might be possible for someone to piece together their job with the email address, the manager said, but this would require more time and research by the fraudsters than was typically seen in such scams, especially given the number of charities believed to have been contacted.
"There is a very narrow list of people who have that address in connection with my job," the manager said. "But when you register with the Fundraising Regulator you have to give a second address, so they are on that list."
But the regulator rejected the suggestion that the scammers had used its database to work out who to target.
A spokeswoman for the regulator said: "There is no evidence to suggest that the Fundraising Regulator has been hacked. All the email addresses used by the scammers are ones that are in the public domain."
She said the regulator had not notified the Information Commissioner’s Office because there had been no breach.
The database manager said it was also possible that the Institute of Fundraising had the email address that was targeted.
A spokeswoman for the IoF said she did not believe there had been a data breach at the IoF, but was unable to confirm this in time for Third Sector’s deadline.