diff --git a/app/controllers/schemes_controller.rb b/app/controllers/schemes_controller.rb
index 616659935..d9dccab5d 100644
--- a/app/controllers/schemes_controller.rb
+++ b/app/controllers/schemes_controller.rb
@@ -16,6 +16,7 @@ class SchemesController < ApplicationController
 def show
 @scheme = Scheme.find_by(id: params[:id])
+ render_not_found and return unless (current_user.organisation == @scheme.organisation) || current_user.support?
 end
 private
diff --git a/spec/requests/schemes_controller_spec.rb b/spec/requests/schemes_controller_spec.rb
index e4f17022c..add918717 100644
--- a/spec/requests/schemes_controller_spec.rb
+++ b/spec/requests/schemes_controller_spec.rb
@@ -214,9 +214,9 @@ RSpec.describe SchemesController, type: :request do
 context "when coordinator attempts to see scheme belogning to a different organisation" do
 let!(:specific_scheme) { FactoryBot.create(:scheme) }
- it "returns 401 unauthorized" do
+ it "returns 404 not found" do
 request
- expect(response).to have_http_status(:unauthorized)
+ expect(response).to have_http_status(:not_found)
 end
 end
 end
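Review bot: The new guard in `show` dereferences `@scheme.organisation` before checking that `find_by` found anything, so a request for an id that does not exist raises NoMethodError on nil and surfaces as a 500 instead of the 404 the same line is meant to produce. Checking `support?` first also skips the record comparison for support users and keeps one code path for "unknown id" and "not your organisation", which is what makes the 404 response non-revealing about whether the scheme exists. Replace the added line with `render_not_found and return unless @scheme && (current_user.support? || current_user.organisation == @scheme.organisation)`. The `render_not_found` helper is referenced but not defined in this hunk, so its response is taken on trust here.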
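Review bot: The updated example pins only the cross-organisation coordinator case, while the guard it exercises also decides two other outcomes that have no example in this hunk: a request for an id with no matching scheme, and a support user viewing a scheme from another organisation. Add a context for each, one expecting `have_http_status(:not_found)` for a non-existent id and one expecting `have_http_status(:ok)` for a support user, so a later change to the condition cannot silently break either path. The `request` helper and `current_user` setup used here are defined outside the hunk, so those contexts should reuse whatever let blocks the surrounding describe already provides. The context description on the unchanged line above still reads "belogning"; worth fixing in a follow-up since it is not touched by this change.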