Charity fraud is on the up, with reported losses reaching almost £8 million in 2018/19, according to Action Fraud figures, while shockingly, the real cost is thought to be as high as £2 billion a year.
Charity Fraud Awareness Week, which runs this week, from 21-25 October, is a timely reminder to check that your organisation is doing all it can to mitigate the risks of cyber-crime, including the protection of your payments and donations.
While all organisations, as well as individuals, are at risk of fraud and other cyber-crime, charities need to be particularly alert. Not only are the funds and types of data they hold attractive targets for cyber-criminals but charities can be seen as a soft target due to their reliance on volunteers, which can give fraudsters easy access into organisations. Also, people’s good faith in charities
can make them less suspicious with individuals less likely to query payments from their bank accounts to appears to be a charity (especially if it’s from a joint account), or to ask for a fundraiser’s ID.
In fact, new figures released this week by the Charity Commission show that 4% of charities have suffered at least one fraud in the past two years, with mandate and CEO fraud, and that relating to an abuse of position the most common, while fraud by trustees and volunteers has doubled since its last study back in 2009.
Thankfully, where mandate fraud is concerned, the advantage with regular giving is that Direct Debit is still recognised as the safest payment method with the Direct Debit Guarantee protecting supporters against erroneously and fraudulently made payments.
However, the financial security of supporters’ data, donations and financial details cannot be over-emphasised. It is vital to ensure your organisation is on the ball in all areas where fraud and cyber-crime are a risk, with protections in place to minimise the chances of becoming a target.
Common issues and how to avoid them
Here then are seven common issues to look out for and the steps to take:
#1 Online donation pages can be targeted by fraudsters trying to check if cloned or stolen cards are still live, so monitor activity, look out for unusual traffic such as lots of small transactions in quick succession and at unusual hours like the middle of the night.
#2 To reduce unauthorised fundraising in the name of your charity, ensure you issue fundraisers with identification and advertise that your legitimate fundraisers will be able to identify both themselves and the charity. On social media you can also set up tracking that will flag when your organisation is mentioned in case unauthorised fundraising is happening here.
#3 Fraudsters sometimes gain access to personal and financial information by volunteering, so follow up on volunteer references and consider additional checks if they will have access to financial records or sensitive information.
#4 Make sure someone is responsible for ensuring you have up to date anti-malware software and that security patches have been correctly applied to all computers. Agree too a simple policy of how patches and malware will be added to any equipment used in your organisation’s work and conduct and record regular health checks on computers.
#5 For greater data security, consider a secure file transfer protocol (FTP) service to send files rather than emails – some simple services are free – and consider storing files centrally for users to log into, rather than everyone having local copies on their machines.
#6 Ensure everyone has their own login, even with job shares, and keep a record of what access staff have to what systems. When someone leaves, revoke access that day and change passwords. Apply a password policy – some systems might do this for you and on others you can set the policy to ensure that passwords are strong and renewed periodically.
#7 If your organisation outsources to third party partners for additional expertise and technology, especially around donation management, be sure to carry out sufficient due diligence; reputation counts but also look for ISO certifications and appropriate kitemarks that can be checked, such as FSA and Bacs affiliation.
Dos and don’ts when you suspect fraud
When/if you suspect fraud, there are a number of important dos and don’ts.
Do act quickly. Document the details, report it to a member of the senior management team, and if you partner with a donations processing specialist, let them know as soon as possible.
Don’t be tempted to wait and see what, if anything, happens next or to try and look into it yourself, fraud is not something you should try to investigate on your own.
Don’t delay reporting it just to gather more evidence – time is critical in preventing further fraud
Don’t remove or change any documentation as preserving evidence is critical.
Don’t approach or accuse individuals directly, or talk about it to colleagues or friends, just in case they are involved. Fraudsters are generally good at covering their tracks.
Certainly, the rise of digital has opened many doors of opportunity to fraudsters and cyber-criminals, and with fraud and cyber-crime now so prevalent it’s important to be cautious and alert to the risks. But while threats can come from all corners, taking simple and sensible precautions such as these will help to protect both data and donations, and keep them beyond any opportunist criminal’s reach.
Jackie Lawrence is Divisional Marketing Manager at Rapidata – an Access company.