Fraud Advisory for Charities: International Charity Fraud Awareness Week
BBB Wise Giving Alliance is participating in International Charity Fraud Awareness Week (October 19-23), which brings together an international coalition of regulators, law enforcement agencies, charities and nonprofit associations seeking to raise charity fraud awareness. BBB WGA has produced two advisories, one for charities below and one for donors at this link.
Be Fraud Aware
- Email Compromise Fraud. This may take a variety of forms. A charity employee receives an email that appears to be from their boss, asking them to send gift cards for designated amounts or personal information on employees. The email actually comes from a scammer using the name of the supervisor. Usually this can be detected by hovering over the name and seeing the supervisor’s email address is not correct.
- Fake Check Scams. A charity receives an email from an individual announcing a large donation will be sent via overnight mail. The scammer calls after the check arrives and says an error was made and the charity needs to return some of the money via wire transfer or online for a medical or other personal emergency. After money is returned, the charity learns the original check is fake.
- Bad Links. Alert staff and volunteers not to click on links within unexpected or unsolicited emails. Clicking such links can download viruses that in some cases seek to capture personal information. Senior executives need to be especially vigilant about this. When a CEO’s or CFO’s computer is compromised, it may expose your charity’s financial accounts and personnel data to fraud or theft.
- Phony Invoices. The charity may receive an invoice for services never ordered or for listing the organization in a non-existent directory. Implementing additional internal controls can address such problems, such as creating purchase request forms.
- Charity Identity Theft. Like businesses, charities can have their identities stolen by scammers who might attempt to solicit dollars or personal consumer information in your nonprofit’s name. Guard your organization’s identity information and access as carefully as you would your own. Consider implementing email authentication protocols to help prevent spoofing of your organization’s emails.
Take Time to Check
- Check Bank Statements. Review bank statements on a regular basis to identify any unusual or suspicious activity. Make sure expenses have corresponding purchase orders and invoices. Talk with your banker and other financial services providers about implementing appropriate payment controls to safeguard your accounts.
- Verify Vendor Before Sharing Info. If an outside company contacts the charity requesting bank account numbers or other sensitive information, verify they are an authorized vendor contact and the nature of the transaction. Establish and follow strong internal control procedures for all vendor payments: your organization’s accounting firm can help advise on such procedures.
- Be Skeptical of Unbelievable Offers. Whether it’s a promise of “double your money” investments or the paper supply sale of the century, if it sounds too good to be true, it probably is. Check out businesses with the Better Business Bureau serving your area.
Keep the Charity Safe
- Remote Access No-No. Inform charity staff never to provide remote access to a laptop or computer following a cold call or unsolicited text.
- Test Payment Transactions. Before making an online or bank transfer to a vendor for the first time, test with a small amount first to make sure it runs properly.
- Put It in Writing. Agreements with outside vendors should be in writing and ensure that terms are fair to your nonprofit. Be mindful of automatic renewals and termination clauses, and carefully review terms in unilateral agreements, which are common with online vendor platforms. Ask vendors about their privacy, data security, and cybersecurity safeguards when relevant, and be sure they use appropriate procedures.
- To Enhance Cybersecurity, Charities Can Follow the BBB 5-Step Approach: (1) Identify assets, (2) Protect them, (3) Detect incidents, (4) Respond with a plan, and (5) Recover normal operations. https://www.bbb.org/article/news-releases/20833-the-5-step-approach-to-cyber-security