Tough economic times can be a driver for an increase in fraudulent activity – which may unfortunately include the charity sector.
As Charity Fraud Awareness Week 2022 gets underway, we speak to Molly Sandquest, Senior Manager in our Forensic Services team, to understand where charities could be vulnerable, why the risk of fraud is heightened now, and – crucially – what they can do to better protect their funds and operations.
There are two broad types of fraud that charities are exposed to, and which, in our experience, can be most harmful.
The first are external cyber threats – fraudsters from outside the organisation, breaking in through a charity’s digital systems. Recent research from the Charity Commission found that one in eight (12%) UK charities had experienced some form of cybercrime in the last year.
This is not always a hard ‘hack’. Often, we see fraudsters engineer relationships with unwitting personnel to gain access to sensitive information and divert funds. In some cases, they may offer free services to the charity – such as website design, or consultancy – which gives them the direct digital access they need.
Tactically, cyber fraud can also involve fraudsters ‘phishing’ – essentially trying to lure charity personnel into providing information, diverting funds or taking a malicious action on a computer or phone, such as clicking a bad link. This can include impersonating a key individual in an organisation such as the CEO or Finance Director, or a third party such as a supplier or a recipient of funding. By clicking on a malicious link, charity personnel can also inadvertently download ransomware, which encrypts a charity’s data until a ransom is paid to release it – potentially hamstringing a charity’s ability to carry out its day-to-day functions.
Alternative methods include ‘vishing’ (or ‘voice phishing’) where fraudsters steal confidential information or funds over the phone – for example, by pretending to be from HMRC or a grant recipient – and ‘smishing’ (‘SMS phishing’), which involves attempting to obtain information or funds via text message.
A few factors can heighten the risk of these cyber breaches happening:
The second broad category is the misappropriation of funds by personnel or trustees – often referred to as ‘insider fraud’. This can include false invoicing, inflating expenses and amending bank details. This is particularly prevalent among charities, for a number of reasons:
Insider fraud is, in our experience, often conducted by individuals who have been in their role for many years – people who have built up trust, have access to financial records and who are rarely, or never, challenged on their actions.
For a fraud to occur, there are typically three factors at play: motivation, opportunity and rationalisation.
During times of economic hardship, there can be an increase in motivation for an individual or a firm to commit fraud. People may face financial pressures which make it more likely for them to consider defrauding the organisation they work for. This may be to provide for their families or simply to maintain status or lifestyle spending they have been accustomed to. If borrowing is too expensive elsewhere – as a result of increased inflation and interest rates, for example – extracting funds may be as a ‘short-term solution’ or last resort.
Charities may also be under pressure to serve more people, more quickly, resulting in cut corners in procedures; they may see a reduction in personnel headcount or availability if volunteers prioritise paid work, thus potentially reducing oversight; or they may face increased pressure on performance or the need to create new partnerships or collaborations, which can introduce additional risk. All of this can contribute to more fertile conditions for fraud, from both internal and external threats.
In times of crisis a charity could see a surge in demand for its funds or services, making the opportunities for a fraudster even greater. There may be an increase or change in requests for charitable funds from fraudsters impersonating key grant recipients and suppliers, or impersonation of the charity itself can divert donations away before they are known to or received by the charity.
It is perhaps simple to say, but a lack of adequate controls is the primary factor in allowing, or making a charity vulnerable to, fraud. Reviewing processes, policies, procedures and systems and controls to ensure they are as robust as possible is key.
There are a few things to focus on here:
Fundamentally, leadership teams need to make sure that they are being proactive – taking steps now, rather than waiting until an incident occurs. And this can’t be a one-off. Threats are constantly evolving, and charities need to continue to adapt their checks and controls to keep pace. In addition, this should include taking time to reach out to personnel, particularly those in need in times of crises, and supporting them where you can.
If a charity suspects, or suffers, a fraud, they should report it to the Charity Commission and Action Fraud – the UK’s national centre for cybercrime reporting.
Support from an independent Forensic Services team may also be helpful for investigating the fraud or providing suggested improvements to policies, procedures and controls. Proactive reviews can assist with identifying risk points and recommending solutions for mitigation.