Why the cost-of-living crisis may increase the risk of charity fraud
Wednesday October 19, 2022
The challenge for the third sector, and how charities can protect themselves
Tough economic times can be a driver for an increase in fraudulent activity – which may unfortunately include the charity sector.
As Charity Fraud Awareness Week 2022 gets underway, we speak to Molly Sandquest, Senior Manager in our Forensic Services team, to understand where charities could be vulnerable, why the risk of fraud is heightened now, and – crucially – what they can do to better protect their funds and operations.
In general, what types of fraud do charities see and how do they come about?
There are two broad types of fraud that charities are exposed to, and which, in our experience, can be most harmful.
The first are external cyber threats – fraudsters from outside the organisation, breaking in through a charity’s digital systems. Recent research from the Charity Commission found that one in eight (12%) UK charities had experienced some form of cybercrime in the last year.
This is not always a hard ‘hack’. Often, we see fraudsters engineer relationships with unwitting personnel to gain access to sensitive information and divert funds. In some cases, they may offer free services to the charity – such as website design, or consultancy – which gives them the direct digital access they need.
Tactically, cyber fraud can also involve fraudsters ‘phishing’ – essentially trying to lure charity personnel into providing information, diverting funds or taking a malicious action on a computer or phone, such as clicking a bad link. This can include impersonating a key individual in an organisation such as the CEO or Finance Director, or a third party such as a supplier or a recipient of funding. By clicking on a malicious link, charity personnel can also inadvertently download ransomware, which encrypts a charity’s data until a ransom is paid to release it – potentially hamstringing a charity’s ability to carry out its day-to-day functions.
Alternative methods include ‘vishing’ (or ‘voice phishing’) where fraudsters steal confidential information or funds over the phone – for example, by pretending to be from HMRC or a grant recipient – and ‘smishing’ (‘SMS phishing’), which involves attempting to obtain information or funds via text message.
A few factors can heighten the risk of these cyber breaches happening:
- In an understandable attempt to ensure that as much money as possible is supporting its cause, a charity may not invest sufficiently in digital security, or may ask personnel to share or use personal devices. This makes it harder to track and monitor devices such as laptops and phones and increases the risk that they fall into the hands of, or are compromised by, someone with nefarious intentions.
- Following the pandemic, more charity personnel and trustees may also be working remotely, which increases the vulnerability of personnel to approaches by fraudsters and spreads IT hardware outside of the oversight of a central office.
- Similarly, charities may have moved more towards online or digital fundraising options, which fundamentally creates more opportunities for cybercrime to occur.
The second broad category is the misappropriation of funds by personnel or trustees – often referred to as ‘insider fraud’. This can include false invoicing, inflating expenses and amending bank details. This is particularly prevalent among charities, for a number of reasons:
- Firstly, charities’ operations have historically been cash-based, creating easy opportunity for money to be quickly stolen. As the sector moves increasingly towards digital giving, this is less of a risk – although digital, as discussed above, opens its own unique avenues for fraud.
- Secondly, charities often rely on the goodwill of individuals and volunteers. Some people can rationalise the misappropriation of goods or funds as a form of ‘payment’ for the services they provide.
- Finally, many charities typically rely on a low number of individuals as key decision-makers or those with financial control. Combined with relatively small back-office functions, this can lead to significant trust and responsibility placed in one person – often with minimal administrative oversight.
Insider fraud is, in our experience, often conducted by individuals who have been in their role for many years – people who have built up trust, have access to financial records and who are rarely, or never, challenged on their actions.
Why is there heightened risk of charity fraud now?
For a fraud to occur, there are typically three factors at play: motivation, opportunity and rationalisation.
During times of economic hardship, there can be an increase in motivation for an individual or a firm to commit fraud. People may face financial pressures which make it more likely for them to consider defrauding the organisation they work for. This may be to provide for their families or simply to maintain status or lifestyle spending they have been accustomed to. If borrowing is too expensive elsewhere – as a result of increased inflation and interest rates, for example – extracting funds may be seen as a ‘short-term solution’ or last resort.
Charities may also be under pressure to serve more people, more quickly, resulting in cut corners in procedures; they may see a reduction in personnel headcount or availability if volunteers prioritise paid work, thus potentially reducing oversight; or they may face increased pressure on performance or the need to create new partnerships or collaborations, which can introduce additional risk. All of this can contribute to more fertile conditions for fraud, from both internal and external threats.
In times of crisis a charity could see a surge in demand for its funds or services, making the opportunities for a fraudster even greater. There may be an increase or change in requests for charitable funds from fraudsters impersonating key grant recipients and suppliers, or impersonation of the charity itself can divert donations away before they are known to or received by the charity.
What can charities do to help protect themselves and their personnel?
It is perhaps simple to say, but a lack of adequate controls is the primary factor in allowing, or making a charity vulnerable to, fraud. Reviewing processes, policies, procedures and systems and controls to ensure they are as robust as possible is key.
There are a few things to focus on here:
- When it comes to payments, charities should ensure that all payment details are corroborated by multiple parties, and using official contact routes – for example, by having a multi-stage sign-off system for payments within the organisation, and then verifying the organisations or individuals being paid by cross-referencing with records such as the Financial Conduct Authority’s Financial Services Register, or the charity register.
- It may sound strange, but it is important that leadership teams ensure personnel take regular holidays, and holidays of adequate length. This is not just from a wellbeing perspective. It ultimately means individuals hand over certain responsibilities to colleagues – reducing the risk of hiding fraud within their day-to-day work and increasing the chance it will be uncovered by someone else.
- Appropriate due diligence on personnel, trustees and key suppliers or partners, together with regular reconciliation and review of financial information and independent oversight or scrutiny, is a key mitigating action.
- Fostering a culture of openness and transparency is important to ensure personnel feel empowered to speak out when they suspect wrongdoing, and makes it harder to conceal fraud.
- It is important to invest in training for all personnel – at all levels – on digital security and fraud awareness. This can be supported by free online resources such as the National Cyber Security Centre’s board toolkit or the information on Get Safe Online.
Fundamentally, leadership teams need to make sure that they are being proactive – taking steps now, rather than waiting until an incident occurs. And this can’t be a one-off. Threats are constantly evolving, and charities need to continue to adapt their checks and controls to keep pace. In addition, this should include taking time to reach out to personnel, particularly those in need in times of crisis, and supporting them where you can.
If a charity suspects, or suffers, a fraud, they should report it to the Charity Commission and Action Fraud – the UK’s national centre for cybercrime reporting.
Support from an independent Forensic Services team may also be helpful for investigating the fraud or providing suggested improvements to policies, procedures and controls. Proactive reviews can assist with identifying risk points and recommending solutions for mitigation.