Fraud Prevention - If You Don't Have a Plan, You Are Unprepared.
Need a resolution for next year? How about fraud prevention?
Fraud is intentionally stealing or misusing an organization’s resources. It is expensive and can cause a lot of damage. Nonprofits are especially vulnerable because employees are assumed to have altruistic values, the organizations often can’t afford fraud resources like electronic controls or enough staff to facilitate separation of duties, and employees tend to wear multiple hats, so oversight can be limited.
Generally, fraud occurs when weaknesses appear in checks and controls and create an opportunity. The fraudster might be under financial pressure or be able to rationalize the bad behavior. The environment becomes right when change occurs, potentially causing chaos, which is good for fraud, and controls are bypassed.
Well, what does fraud look like?
The most recent fraud to hit headlines is Federal Fund fraud. Fraudsters used the Paycheck Protection Program, which was processed through fintechs and banks. These fintechs and banks had less stringent controls and missed red flags like fake businesses and organizations, including multiple businesses listed at the same address. Other fraud around this program included inflating payroll to secure higher funding. There is now talk about taking action against lenders who failed to do appropriate due diligence.
An example of this at an extreme level is the Feeding Our Future fraud case, where millions of dollars were allocated to feeding children in need but were instead used to buy luxury goods.
A more old-school example (but still very relevant) for nonprofits to be aware of is payroll scams. These can look like overpayments, unapproved pay rate changes, checks that fall outside normal pay periods, false time and hour reporting, and ghost or fictitious employees. The best prevention of payroll scams is separation of duties. No one individual should be able to prepare, approve, and distribute payroll payments. A second set of eyes should always be involved and be looking for anomalies, odd time records, and excessive overtime. You can also get employees verified by Social Security if you are concerned about ghost/fictitious employees.
Organizations need to be mindful of payroll tax fraud as well, which includes failing to remit payroll taxes.
The Elwyn Organization made headlines after a payroll scam involving over 40 employees and one million dollars.
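The payroll red flags listed above can be checked mechanically before each payroll run is released. The following is an added example, not part of the original article; the field layout, the sample register, the overtime multiplier and the overtime threshold are all assumptions constructed for illustration.

```python
from datetime import date

# Constructed reference data; in practice these come from HR and the payroll calendar.
PAY_DATES = {date(2024, 1, 15), date(2024, 1, 31)}
APPROVED_RATES = {"E100": 25.00, "E101": 30.00, "E102": 22.00}
MAX_OT_HOURS = 20      # assumed review threshold per pay period
OT_MULTIPLIER = 1.5    # assumed overtime premium

# Constructed register rows:
# (employee, pay_date, rate, hours, ot_hours, gross, prepared_by, approved_by)
REGISTER = [
    ("E100", date(2024, 1, 15), 25.00, 80, 2, 2075.00, "alice", "bob"),
    ("E101", date(2024, 1, 15), 34.00, 80, 0, 2720.00, "alice", "bob"),
    ("E102", date(2024, 1, 22), 22.00, 80, 0, 1760.00, "alice", "bob"),
    ("E102", date(2024, 1, 31), 22.00, 80, 30, 3250.00, "alice", "alice"),
    ("E999", date(2024, 1, 31), 28.00, 80, 0, 2240.00, "alice", "bob"),
]


def review_register(register):
    """Return (employee, pay_date, flag) for every red flag found."""
    findings = []
    for emp, pay_date, rate, hours, ot, gross, preparer, approver in register:
        flags = []
        if emp not in APPROVED_RATES:
            flags.append("not_on_hr_roster")        # possible ghost employee
        elif abs(rate - APPROVED_RATES[emp]) > 0.005:
            flags.append("unapproved_rate_change")
        if pay_date not in PAY_DATES:
            flags.append("off_cycle_check")         # outside normal pay periods
        if ot > MAX_OT_HOURS:
            flags.append("excessive_overtime")
        expected = rate * (hours + OT_MULTIPLIER * ot)
        if gross > expected + 0.01:
            flags.append("overpayment")             # paid more than hours justify
        if preparer == approver:
            flags.append("no_separation_of_duties")
        findings.extend((emp, pay_date, flag) for flag in flags)
    return findings


if __name__ == "__main__":
    for emp, pay_date, flag in review_register(REGISTER):
        print(f"{pay_date} {emp}: {flag}")
```

The output is a work list for the second reviewer, who should not be the person who prepared the run.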
In the last ten years, cyber fraud has become an ever-growing form of chaos. Typically, cyber fraud involves an external person who gains access to organizational data from someone on the inside of your organization. These attacks are becoming more and more common as our work shifts online.
These scams are costly and disruptive, cause reputational damage, and can result in the loss of data. There are many types of scams, including:
Phishing - the classic, sending fraudulent emails
Spear phishing - targeted attacks on individuals or groups
Spoofing - impersonating a person the target knows
Vishing - spoofing with phone calls
Smishing - phishing through text messages
These messages can look like a message from the Executive Director requesting money or gift cards, a social media quiz designed to collect answers to security questions, requests to click on links, etc. When someone on your team takes the bait, you can fall victim to ransomware, which may include funds being stolen, blackmail, or data theft.
Train yourself and your team to recognize the red flags, including poor grammar, lack of a signature line, suspicious links, urgent or odd requests, missing or deleted emails, replies to emails you didn’t send, a mouse-over that doesn’t match the email’s sender, unusual email addresses, the sender refusing to communicate over the phone, prepayment requests from new vendors, and multiple logins. This type of fraud is constantly evolving and becoming more sophisticated. It is prudent for all levels of your organization to stay educated on cyber fraud prevention.
Philabundance, a hunger relief nonprofit in Philadelphia, was scammed out of nearly a million dollars when a fraudulent bill was paid via wire.
Finally, Digital Giving Risks are on the rise. Your donors might experience these as messages soliciting fraudulent donations for urgent relief efforts that link to credible-looking websites. Your team might witness card cracking on online giving forms, where fraudsters make small donations to test whether or not stolen cards are usable. Your organization can incur chargebacks, fees, and potential business disruptions. Accepting donations of cryptocurrency potentially opens your organization up to additional risk. You should decide who will create, maintain, and safeguard the digital wallet and private keys, and it is best practice to liquidate donated cryptocurrency quickly. Also consider using third parties to receive, liquidate, and remit digital donation proceeds. This can mitigate the risk.
You can lower your risk by educating your donors about official pipelines for donations, enhancing internal controls when setting up and monitoring digital gifts, and using address verification and reCAPTCHA.
These types of scams have been in the news more as crisis relief efforts, like the war in Ukraine, have motivated people to donate.
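Monitoring digital gifts for the card-cracking pattern described above can start with a simple velocity check on the giving form's attempt log. This is an added example, not part of the original article; the log layout, the card tokens, the thresholds and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
SMALL_AMOUNT = 5.00              # assumed ceiling for a "test" donation, in dollars
MIN_DISTINCT_CARDS = 4           # assumed alert threshold per source IP

# Constructed donation-form attempts: (ISO timestamp, source IP, card token, amount)
ATTEMPTS = [
    ("2024-03-01T09:00:00", "192.0.2.15", "tok_p", 5.00),   # shared event Wi-Fi,
    ("2024-03-01T09:30:00", "192.0.2.15", "tok_q", 5.00),   # donors spread out
    ("2024-03-01T10:00:00", "192.0.2.15", "tok_r", 5.00),   # over 90 minutes
    ("2024-03-01T10:30:00", "192.0.2.15", "tok_s", 5.00),
    ("2024-03-01T10:00:00", "198.51.100.7", "tok_a", 1.00),  # rapid small gifts,
    ("2024-03-01T10:00:40", "198.51.100.7", "tok_b", 1.00),  # new card each time
    ("2024-03-01T10:01:10", "198.51.100.7", "tok_c", 2.00),
    ("2024-03-01T10:02:05", "198.51.100.7", "tok_d", 1.00),
    ("2024-03-01T10:02:30", "198.51.100.7", "tok_e", 1.00),
    ("2024-03-01T10:05:00", "203.0.113.20", "tok_z", 50.00),  # ordinary donor
]


def find_card_testing(attempts):
    """Map each suspicious IP to the timestamp at which it first crossed
    MIN_DISTINCT_CARDS small-amount cards inside one WINDOW."""
    recent = defaultdict(deque)   # ip -> deque of (time, card token)
    alerts = {}
    for ts, ip, card, amount in sorted(attempts):
        if amount > SMALL_AMOUNT:
            continue              # card testers keep amounts small
        now = datetime.fromisoformat(ts)
        window = recent[ip]
        window.append((now, card))
        while now - window[0][0] > WINDOW:
            window.popleft()      # drop attempts older than the window
        distinct_cards = {token for _, token in window}
        if ip not in alerts and len(distinct_cards) >= MIN_DISTINCT_CARDS:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, ts in find_card_testing(ATTEMPTS).items():
        print(f"possible card testing from {ip}, threshold reached at {ts}")
```

The sliding window is what keeps the shared-network donors from being flagged: they use four different cards, but never more than one within any ten-minute span.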
So what can you do? Here are the best practices for fraud prevention:
Education and training. Create a culture of fraud awareness that is specific about rules, including employee and board codes of conduct and conflict of interest policies.
Assess your fraud risk. Identify key areas and regularly review.
Set up and maintain a whistleblower hotline. This is a very common way to uncover occupational fraud.
Create and maintain management and board oversight. Make sure to review your financials monthly for any unexpected activity.
Being an outsourced financial partner, we can often help with your segregation of duties and advise whether certain inquiries appear legitimate. We pride ourselves on our integrity and fiduciary guidance for our nonprofit partners and provide impartial oversight of your finances.
If you are looking for more comprehensive fraud prevention, we recommend our preferred partner, Tami Benus Associates, to get your best defensive fraud protection plan in place.