Preventing, detecting and responding to fraud
Prince Harry’s charity Sentebale is said to have become a target for “cyber crooks” who are “making sustained attempts to exploit the charity…by luring potential supporters into making donations to bogus online accounts”, according to the Daily Mail.
Fraud not only impacts hugely on the vital work charities do but can also be extremely damaging from a reputation management perspective. The estimated annual fraud loss in registered charities in 2017 was approximately £2.3 billion and more recent indications suggest that this figure is only set to increase.
Fraudsters are becoming ever more sophisticated in their methodology and whilst we are still seeing regular instances of internal fraud, such as misuse of charity money, and external fraud, such as false invoicing and fake fundraising, there can be little doubt that cyber fraud is on the up.
The Department for Media and Culture estimates that in the last year 22% of charities have experienced cyber security breaches, the most common forms of attack being phishing emails, others impersonating the organisation online (as is reported to be the case with Sentebale) and viruses or other malware, including ransomware (software that prevents effective control of data stored on a device until a ransom is paid).
Experience shows that prevention is the best cure when it comes to any kind of fraud. Charities, irrespective of size and stature, need to prioritise reflecting on their own potential exposure and working to not only protect against fraud but also to have a plan in place to ensure an effective response if fraud is detected.
The first step for all charities is to conduct a thorough risk assessment. Whilst any such assessment would be specific to each organisation this would be likely to include considering which of the charity’s activities leave it most vulnerable to fraud, the level of existing fraud awareness within the charity and whether the charity has an appropriate anti-fraud policy in place.
A charity’s potential vulnerabilities are wide-ranging, but some of the most common include reliance on many volunteers with a high turnover (who are therefore difficult to monitor closely), cash-based fundraising, the numerous complexities of international work (see further below) and technological advances such as mobile banking.
Something also often seen is one individual at a charity having sole charge and responsibility for all financial processing and reporting. This clearly leaves the charity unnecessarily exposed. The introduction of internal controls to ensure adequate checks are in place for making and authorising payments, or rotating responsibility for certain tasks in high-risk areas to ensure no one person has control for an extended period of time, are relatively straightforward ways to alleviate this risk.
Project funding, particularly abroad where there might be inadequate legislation surrounding bribery and corruption, is another significant risk area. It is of course vital that funds hard-earned for a particular cause end up in the right place. Without careful monitoring, and an appropriate level of checks on a charity’s partners on the ground, it is sadly too often the case that this does not happen.
As to awareness, training should be implemented to ensure that employees at all levels have a basic knowledge of potential threats, as well as putting in place the appropriate mechanisms to alert the charity to potential new fraud risks. Recent examples of cyber fraud include phishing, ransomware, cyber-hacking of financial accounts and interception of email communications to third parties containing sensitive financial information.
Electing a senior staff member (or members) to keep on top of industry news and take responsibility for circulating updates and guidance is a good starting point.
For example, in December last year it was reported that the Save the Children Federation (part of the global Save the Children organisation) had fallen victim to a scam whereby the fraudster had accessed an employee’s email account and used that to channel requests for approximately $1 million of charity monies to be transferred to an unauthorised third party.
Alerting employees to reports like this, as well as formal guidance such as that recently issued by the Charity Aid Foundation in relation to fraudulent emails, can only serve to bolster a charity’s fraud defence.
An appropriate anti-fraud policy is central to a charity’s ability to reduce the risk of fraud and can also act as a deterrent to potential fraudsters. The purpose of the policy is to provide a definition of fraud and define authority levels, responsibilities for action, and reporting lines in the event of suspected, attempted or actual fraud.
When it comes to fraud detection, it is important to know the warning signs of a potential fraud. Red flags might include irregular invoicing, a sudden change in an employee’s behaviour or missing documents or records. Thorough checks and controls are central to identifying possible anomalies.
For example, an obvious recurring theme in fraudulent activity is the processing of false financial or other documentation, and therefore producing an internal document highlighting some of the possible warning signs provides a relatively straightforward additional layer of protection.
One often sees fraudulent payments made to an account seemingly in the correct name, but on closer inspection the formatting of that name differs from how it has historically appeared (for example, an initial in place of the full forename, or the surname placed first). Whilst this is a very subtle difference to an untrained eye, it is not difficult to spot when working to a checklist that alerts the employee to look out for such a change.
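A checklist of this kind can also be applied mechanically before each payment run. The following is an added example, not from the original article, that compares every outgoing payment against constructed historical records and flags a known payee whose name formatting has never been seen before, or whose name now points at a different account; the payee names and account numbers are constructed sample values.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Payment:
    payee: str     # name exactly as entered on the payment instruction
    account: str   # sort code + account number (constructed sample values)
    amount: float

def _tokens(name: str) -> list:
    """Lower-case word tokens with punctuation stripped away."""
    return re.findall(r"[a-z]+", name.lower())

def same_person(a: str, b: str) -> bool:
    """True if two payee strings plausibly name the same payee: word order
    is ignored and a single-letter initial matches any word starting with
    that letter, so 'J. Smith', 'Smith, John' and 'John Smith' all match."""
    ta, tb = _tokens(a), _tokens(b)
    def covered(src, dst):
        return all(any(s == d or (len(s) == 1 and d.startswith(s))
                       or (len(d) == 1 and s.startswith(d)) for d in dst)
                   for s in src)
    return bool(ta) and bool(tb) and covered(ta, tb) and covered(tb, ta)

def flag_payments(history, new_payments):
    """Return (payment, reason) pairs for payments to a known payee where the
    name is formatted unlike every earlier payment, or the account differs."""
    seen_spellings = {" ".join(_tokens(p.payee)) for p in history}
    flags = []
    for pay in new_payments:
        matches = [h for h in history if same_person(h.payee, pay.payee)]
        if not matches:
            continue  # a genuinely new payee is a separate onboarding check
        if " ".join(_tokens(pay.payee)) not in seen_spellings:
            flags.append((pay, "payee name formatted unlike any previous payment"))
        if pay.account not in {h.account for h in matches}:
            flags.append((pay, "account differs from the one on record for this payee"))
    return flags

HISTORY = [  # constructed sample records of past, legitimate payments
    Payment("John Smith", "12-34-56 11111111", 1200.00),
    Payment("Acme Supplies Ltd", "65-43-21 22222222", 3400.00),
]
NEW_RUN = [  # constructed: one legitimate repeat and two suspicious variants
    Payment("John Smith", "12-34-56 11111111", 1200.00),
    Payment("J. Smith", "12-34-56 99999999", 1200.00),
    Payment("Smith, John", "12-34-56 11111111", 1200.00),
]
```

Running `flag_payments(HISTORY, NEW_RUN)` passes the exact repeat and raises three flags: "J. Smith" for both its changed formatting and its changed account, and "Smith, John" for formatting alone, each of which should go to a second approver before release.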
It is common knowledge that an organisation’s eyes and ears are its employees, and therefore ensuring that they are comfortable reporting a suspected fraud may help to minimise any potential fallout.
A culture of transparency and clear communication, and making it known that everyone associated with the charity has a responsibility for being vigilant and keeping an eye out for any signs of fraud, are important, as is a written procedure that deals with how to report suspected fraud confidentially. It should be borne in mind that an internal disclosure is likely to be less damaging than a report made to an external third party.
A question that often arises is the extent to which an accountant or auditor is expected to spot fraudulent activity. This is not always clear cut. Best practice guidance issued by the Financial Reporting Council (with reference to the International Standards on Auditing) records:
“The auditor of a charity is responsible for forming an opinion as to whether financial statements show a true and fair view and to this end the auditor plans, performs and evaluates the audit in order to have a reasonable expectation of detecting material misstatements in the financial statements arising from error or fraud.”
Ultimately however, it is the trustees of a charity who are responsible for the prevention and detection of fraud.
Failure to react quickly and properly investigate a fraud can have potentially disastrous consequences, not least the possible destruction of crucial evidence necessary to pursue criminal or civil proceedings. A tailored fraud response plan clearly setting out what steps should be taken when a suspected fraud is first identified (and subsequently) will assist greatly in ensuring a considered but efficient response should the worst occur.
A checklist of steps likely to be required within 24 hours of a fraud being detected is as follows:
- Contact the charity’s legal advisers and ensure that they are copied in to correspondence relating to the investigation to preserve legal professional privilege.
- Assemble an investigation team (a core team of people to work together to investigate and combat the fraud).
- Determine the charity’s objectives in conducting the investigation in order to develop a strategy for moving forward.
- Review how the potential fraud and related investigation could affect the charity’s public relations were details to be made public.
- Consider privacy and data protection issues.
- Secure evidence lawfully. Capture relevant data and preserve it.
- Ensure that the suspected fraudster is not aware that the potential fraud has been identified.
- Identify and interview witnesses, ensuring detailed records are kept of each witness’s account.
- Keep under review whether it is necessary to notify the Charity Commission of, or update it on, the suspected fraud/investigation.
- Review any loss that has been suffered and any risk that this might increase.
- Follow and preserve the charity’s money/assets putting in place restrictions as required.
Once a thorough investigation has been completed it will then be necessary to consider next steps including the legal options. It is possible that the police may need to be involved and steps taken in relation to a criminal prosecution or civil action pursued to recover funds.
Trustees have a general duty to act in the best interests of their charity. They have a duty to protect a charity’s assets and where necessary to recover assets belonging to the charity. The risks and consequences of any potential legal action, including the potential costs and time ramifications, should always be carefully considered in light of these duties.
The Charity Commission, in partnership with the Fraud Advisory Panel, has recently launched a fraud resilience survey with the aim of getting a better understanding both of charities’ resilience to fraud and their levels of cyber security. One awaits with interest the outcome of this survey but in the interim can only reiterate the importance of taking preventative steps now to seek to best protect your organisation.
Charities are built on foundations of public trust and confidence and every effort should be made to avoid the potential financial and reputational damage of falling victim to fraud.