Around £3.5m has been stolen from charities by fraudsters during the pandemic, according to a report from the Charity Commission. Of course, as is often the case, this figure is expected to only be the tip of the iceberg as many incidents go unreported. The charity regulator has received approximately 645 reports of fraud and cybercrime between the months of March and September, suggesting a continuation of the level of fraud identified in 2018 and 2019.
It believes that remote working, virtual processes and vulnerable infrastructures, combined with charities’ tendency to place trust in individuals, have made for a perfect storm, leaving the door open to fraudsters. Further, it suggests that charities providing services and support to local communities may be amongst those at greater risk following reports of criminals using PPE as the basis of financial scams. Yet, no matter the underlying cause, the outcome is the same: in an economy shaken by an unprecedented pandemic, charities cannot afford to overlook the need for better protection.
In light of these recent figures, our charity law experts have come together to provide guidance on the most common types of charity fraud to look out for in the coming year.
Ransomware
Inadvertently granting a fraudster access to sensitive financial information isn’t hard to do. In fact, as techniques grow in sophistication, they become more difficult to detect. As the name suggests, this type of cyber-attack involves holding data and devices to ransom for thousands of pounds. All it takes is for one employee to click a link that looks legitimate – suddenly, a piece of malicious software has been triggered to infect a computer system and lock files in order to extort money from charity bosses. However, ransomware techniques are ever-changing. Malware can be concealed within emails, web pages, pop-ups and storage devices. As such, regular training and reinforced data security are paramount in reducing the chances of this happening to your organisation.
Phishing
During the pandemic, charities have seen an increase in the number of spam emails hitting their inboxes. By April, the National Cyber Security Centre (NCSC) had already taken down 2,000 scams including 471 fake online shops trying to trick people seeking coronavirus-related services. While it’s easy to instruct your employees never to respond to unsolicited messages or phone calls that ask for financial details, scam emails are becoming increasingly difficult to distinguish – particularly against the backdrop of a global health crisis. Examples that have been detected include the online sale of vital personal protective equipment (PPE), such as face masks and gloves. Once the payment has been made, no products are delivered. In other cases, charities have received communication from fraudsters posing as legitimate organisations providing a list of at-risk elderly people in a local community who require help from the charity. In response to the growing number of phishing emails, the NCSC created a world-leading scam reporting service for people to flag suspicious emails for the NCSC to assess and take down malicious content.
Banking Fraud
Over the course of the last year, banking fraud has risen to become one of the most common types of fraud affecting charities. A culture of trust and a lack of fraud awareness have been cited as the reasons for the increase, with only one in ten charities surveyed as part of a Charity Commission report providing training for staff. Banking scams depend on trust; they can occur by phone, email, text or social media post and they prey on those who won’t immediately question legitimacy. A growing form of banking scam is an Authorised Push Payment scam, whereby an individual is tricked into transferring money from their personal or organisation’s bank account to the scammer’s account. To protect your charity from banking scams, always contact the payee through your existing communication channels to verify or make a small initial payment before transferring the requested amount.
Payroll Fraud
Not all cases of fraud come from external sources. Unfortunately, employees and even high-ranking members of staff in charities are regularly found to be conducting fraudulent activity for their own financial gain. An example that made headlines this year was when Stephen Coleman, the former chief executive of the Prevention of Cruelty to Animals charity, was found to have doubled his salary from £47,500 to more than £111,000 during his 10 years at the charity by doctoring the minutes from board meetings. The case resulted in seven years of jail time, but it is by no means an isolated incident. Mitigating the risk of payroll fraud requires trustees to enforce strict processes in this area of the organisation. This could translate into executive approval of all pay cheques and bonuses, manager approval of timesheets or the addition of sophisticated technology that requires a unique employee passcode to be entered when clocking in.
In good news, the Charity Commission research into how voluntary organisations respond to fraud, conducted last year, found that 73% of affected charities do go on to strengthen their internal controls. However, prevention is better than a cure. In a landscape rife with criminal activity and a rise in the number of fraudsters willing to take advantage of the goodwill of charities, extra vigilance is essential. Tackling fraud requires an ongoing commitment, but identifying the key risks, providing training and acting fast to instate a strong counter-fraud culture are the key steps that trustees must take to protect their charities from harm.
For specialist advice on identifying and mitigating against the risk of fraud in your organisation, get in touch with our charity law experts via the online chat service or through our contact form.