Helping charities, NGOs and not-for-profits stay safe
20 October 2020: Heightened levels of uncertainty combined with the hugely increased number of people working from home has created a perfect storm for fraudsters in the charity world, reports Mark Blayney Stuart.
“The sudden switch to home-working in March meant that financial processes had to be adapted quickly, and fraudsters have used this opportunity to exploit weaknesses in internal controls,” says Kristina Kopic, Head of Charity and Voluntary Sector, ICAEW.
By raising awareness of how scammers are trying to trick organisations into parting with data or money, International Charity Fraud Awareness Week is designed to ensure organisations and workers don’t get caught out.
“At the onset of the pandemic there was a surge in frauds using COVID-19 as a hook, as fraudsters tried to exploit vulnerabilities, anxieties and fears to take advantage of the new socially distanced ways of living and working,” says David Clarke, Chairman of the Fraud Advisory Panel.
However, generally speaking, it is not the case that the crisis has led to the development of new types of scam – many of the common risks to charities remain relatively unchanged. “Phishing emails, ransomware, computer viruses and malware, payment diversion and mandate fraud, procurement fraud, CEO fraud and insider fraud are still common threats,” Clarke says. “Data breaches resulting from the rapid shift to home working, the use of new online communication and collaboration tools, and inadequate cyber defences, have also been reported.”
Common risks include:
- Phishing (emails) and vishing (phone scams). Knowing how fraudsters are likely to reach you is the first step to combat their activities.
- Payment diversion. Someone claiming to be a supplier says they have changed their bank details and wants you to pay a different bank account.
- Impersonation. Someone pretends to be the CEO and says they need an urgent payment.
- Ransomware. Clicking on a link that allows a virus into your machine, crippling it unless you pay a fee.
What companies should do
“Make sure everyone involved in your charity – from the most senior down to the most junior member of staff – has the knowledge and skills to recognise the tell-tale signs of fraud and knows what to do if they think they’ve spotted one,” Clarke says.
ICAEW’s Kristina Kopic adds, “it’s important for all organisations to regularly review their internal controls to ensure they’re still fit for purpose, especially when ways of working have changed.” This does not have to be an onerous box-ticking exercise, she emphasises. “A good starting point is to step back, adopt a fraudster’s perspective to identify where your organisation is vulnerable or relies on trust, and then strengthen the controls in those areas.” It’s also a good idea to involve staff and volunteers across the organisation in this risk assessment, as they can provide valuable insights.
What about the numbers – has fraud been on the rise this year as a direct result of COVID? “Anecdotally, many organisations haven’t yet seen a rise in the number of frauds being uncovered since the start of the pandemic,” says Clarke. “However, there is every chance that more frauds will slowly come to light over the coming months as businesses, charities and individuals are put under financial strain.”
Perhaps there is the risk that charities (and businesses more widely) might take their eye off the ball whilst COVID is still with us. The very human need to press on with the business in hand, along with everything else that is going on in the world, means we might not be as aware as we should be of the ever-present threat of fraud. “This means that now is not the time for charities to be complacent,” Clarke says; “fraud and cybercrime should be on the radar of every trustee board.”
Additionally, the local lockdown rules across the country and social distancing regulations have limited charities’ regular routes to fundraising – with charities more reliant than ever on online donations, the possibilities for fraud increase.
This week and beyond
The ICAEW’s Charity Finance Professionals Community will host a webinar at 12pm BST on Tuesday, 20 October to highlight COVID-themed scams and cyber-attacks. In the webinar Alan Bryce, Head of Counter Fraud & Cyber-crime at the Charity Commission will also reveal findings from the largest-ever survey of both fraud and cybercrime targeted against charities.
This complements a previous webinar, COVID-19 and charity fraud: what to look out for and how to stay safe, produced back in May, which takes a closer look at phishing emails – according to Clark, one of the most common cyber risks. “It also looks at some of the basic financial controls that every charity can put in place to protect their funds during the pandemic.”
What does ICAEW hope the outcomes of Charity Fraud Awareness Week to be? “The week is a timely opportunity to raise fraud awareness and to showcase good practice in tackling fraud and cybercrime,” Kopic says. “Our Charity Governance Update on 5 November will highlight potential new risks and suggest some basic internal fraud controls for smaller charities.”
David Clarke wants all charities to be involved. “A wealth of free resources is available on the Charity Fraud Awareness Hub,” he says, “including practical tutorials, help sheets, webinars and case studies to help charities build their fraud resilience. This includes examples of common types of charity fraud and how to spot and stop them.”
If your organisation wants to take part, the supporters’ pack is available at the Fraud Advisory Panel website.
Finally, whilst the week is designed for charities, the information and advice can be applied to all businesses – taking time to assess unexpected requests, having good processes and practices in place, and knowing that fraudsters are becoming very good impersonators.
“Many charities are providing crucial support to those in financial and emotional distress and it is now more important than ever that charities take time to be fraud aware,” says Clarke. “We would encourage all those involved in the sector – whether charity staff, volunteers or professional advisors to the sector – to get involved in the week.”
Three things to remember:
- Don’t be rushed. Fraudsters almost always use a sense of urgency to persuade you to act without thinking through. Consider what you are being asked – could this lead to data loss or divert cash?
- Have processes in place. If you’ve had a strange or suspicious request, check with someone else; for large payments, at least two people should be required before authorisation.
- Be fraud-aware. Understand that your charity has information that is useful for scammers.
To find out more about the Charity Finance Professionals Community click here.