With fraudsters becoming ever more sophisticated in their methods of obtaining funds and valuable data through deception, few suffer the effects of fraud and financial crime quite like charities.
With charitable funds being raised to help the most vulnerable in society, the aftermath of fraudulent activity can be devastating. This makes the prevention and investigation of all financial crimes against charities crucial.
Charities rarely have the in-house expertise to focus effort on preventing fraud and financial crime. The reality for most of the 169,000 registered charities in England and Wales, along with the millions worldwide, is that the funds they hold are often poorly protected, and there is little awareness or education about the preventative controls needed to stop fraud against them.
Action Fraud's figures illustrate this: reported charity fraud had risen by 44% by the end of 2022, with an estimated total loss of £2.3 million, and that covers only what was reported.
There’s no getting away from it, financial crime in the charity sector is a serious problem and it is only getting worse.
As with all organisations, charities collect and store personal and sensitive data relating to a variety of stakeholders, such as donors, partners, employees, and volunteers. A data security breach instigated by cyber criminals can cost a charity dearly, both in financial terms and through the harm it can do to the charity’s reputation.
Investment in a charity’s information security should be seen as vital. However, with charitable activities being (understandably) prioritised for funding, that data security investment is often made as a last resort, if at all.
The importance of information security in charity fraud prevention cannot be overstated. Imagine your charity is a house with wads of cash sitting inside and the doors have been left unlocked. From the outside, your house looks secure, but it isn't. A fraudster can walk up, enter the house without difficulty and walk away with the money, by which time the damage is done.
If you do not have the appropriate security in place for your charity’s physical and digital systems, you are leaving your door unlocked. A failure to take the necessary steps to ‘lock up’ your charity’s information is a failure to secure the donations and data essential to your charity’s activities.
To secure your charity’s money and data from fraud, it’s important to have multiple security processes in place. Alongside physical security measures, such as access control, CCTV and alarms, the following preventative measures should be implemented for any sensitive information stored within digital systems.
If digital data is encrypted, it remains protected even if it falls into the hands of cyber criminals, because without the decryption key it is practically impossible for them to read, rendering it useless to them. The caveat is that encryption only protects data the attacker obtains in its encrypted form, such as a stolen laptop or a copied backup; a criminal who takes over a logged-in account or an unlocked device sees the data exactly as the legitimate user does.
Most encryption systems require users to enter a password before their data can be decrypted and used, so the encryption is only as strong as that password. A secure password is at least 12 characters long (longer is better, and a passphrase of several unrelated words is easier to remember than a jumble of symbols), may combine upper and lower-case letters, numbers and special characters, does not contain personal information and is unique to that account. Reusing a password across accounts means one breach unlocks all of them; a password manager makes unique passwords practical.
Ensure that only the people who require access to charity funds, and have the authority to make payments, can access the data relating to your charity's or donors' bank accounts, such as account numbers and card details. PINs and online-banking passwords should not be written down or stored at all. If you hold this data on a central computer network, access can be controlled by implementing permission rights, which determine what actions individuals are allowed to perform on stored data or accounts.
Different control levels can also be put in place, e.g. having two signatories or approvers required to make payments and ensuring large payments/withdrawals are reviewed and approved by multiple personnel.
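The dual-approval and large-payment rules above can be enforced in software rather than by convention. The following is an added example, not code from the original article or from ESA Risk: it models a payment that needs two approvers, three once it passes an assumed £10,000 limit, and applies separation of duties so that the person who raised the payment cannot approve it and no one can count twice. The staff names, roles and threshold are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed example data: who holds which role. In a real deployment this
# would come from the finance system or directory, not a hard-coded table.
USER_ROLES = {
    "alice": {"finance", "approver"},
    "bob": {"finance", "approver"},
    "carol": {"trustee", "approver"},
    "dave": {"fundraising"},          # can raise payments, cannot approve them
}

LARGE_PAYMENT_THRESHOLD = 10_000      # assumed limit in GBP for extra scrutiny


@dataclass
class Payment:
    requester: str
    amount: float
    payee: str
    approvals: set = field(default_factory=set)

    def required_approvals(self) -> int:
        # Every payment needs two approvers; large payments need a third.
        return 3 if self.amount >= LARGE_PAYMENT_THRESHOLD else 2


def approve(payment: Payment, approver: str) -> bool:
    """Record an approval. Returns True if accepted, False if rejected."""
    if "approver" not in USER_ROLES.get(approver, set()):
        return False                  # no authority to approve payments
    if approver == payment.requester:
        return False                  # separation of duties: cannot approve own request
    if approver in payment.approvals:
        return False                  # the same person cannot count twice
    payment.approvals.add(approver)
    return True


def can_release(payment: Payment) -> bool:
    """True only once enough distinct, authorised approvers have signed off."""
    return len(payment.approvals) >= payment.required_approvals()


if __name__ == "__main__":
    p = Payment("dave", 2500.0, "Printing Supplier Ltd")
    print(approve(p, "dave"), approve(p, "bob"), approve(p, "bob"))   # False True False
    print(can_release(p), approve(p, "carol"), can_release(p))       # False True True
```

The important property is that the checks live in one place (`approve` and `can_release`), so a fraudster who compromises a single finance login still cannot push a payment through on their own.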
You can make it harder for hackers or other unauthorised people to access accounts and the data they contain by enabling multi-factor authentication (MFA), if it is available.
MFA systems add security steps to the login process after a password is entered, for example by requiring users to enter a time-limited code generated on their phone or sent to it, or a biometric measure such as a fingerprint. The most commonly used form of MFA is two-factor authentication (2FA), which requires a password and one other security step. Codes sent by SMS are better than nothing, but they can be intercepted or phished; an authenticator app or a hardware security key is stronger.
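To show what the "access code" in an authenticator app actually is, here is an added example, not code from the original article, of the standard time-based one-time password scheme (HOTP, RFC 4226, and TOTP, RFC 6238) using only the Python standard library. The secret below is a constructed test value (the reference key from those RFCs, base32-encoded as an app would store it); the step size, digit count and verification window are the usual defaults and are assumptions for this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed test secret: the RFC 4226/6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app would receive it from a QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # assumed time step
DIGITS = 6             # assumed code length


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30 s step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[float] = None, window: int = 1) -> bool:
    """Accept a code for the current step or up to `window` steps either side,
    which tolerates clock drift between phone and server. The constant-time
    comparison avoids leaking how many digits matched."""
    if at_time is None:
        at_time = time.time()
    current = int(at_time) // STEP_SECONDS
    for step in range(max(current - window, 0), current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return True
    return False


if __name__ == "__main__":
    print(totp(SECRET_B32))                     # what the app shows right now
    print(verify_totp(SECRET_B32, "287082", at_time=59))   # True for the RFC vector
```

Two things the code makes visible: the phone and the server share nothing but the secret and the clock, so a code is useless to an attacker after the window closes; and because a code stays valid for the whole window, a real server must also remember the last counter it accepted and refuse a replay of the same code.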
It is not always possible to keep hackers out of computer systems, but a data loss prevention (DLP) system makes it harder for them to steal data if they do break in. A DLP system works by recognising certain types of data, such as card numbers or bank details, or particular file types such as spreadsheets, in email, uploads and copies to removable media, and then alerting on or blocking unusual attempts to move large amounts of such data out of your charity.
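The recognition step a DLP system performs can be illustrated with a small content scanner. This is an added example, not code from the original article or from any DLP product: it finds candidate card numbers in outbound text, keeps only those that pass the Luhn checksum (which filters out phone numbers and reference IDs that merely look numeric), and decides whether to allow, alert on or block the transfer based on how many distinct numbers it contains. The sample messages and the threshold of two cards are constructed for this example; the card numbers are well-known test values, not real accounts.

```python
import re

# Candidate 13-19 digit runs, allowing the spaces or dashes people type into cards.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

MAX_CARDS_PER_TRANSFER = 2    # assumed policy: more than this is treated as bulk export


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Distinct Luhn-valid card numbers in text, as plain digit strings."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask(card: str) -> str:
    """Keep only the last four digits so logs never contain a full number."""
    return "*" * (len(card) - 4) + card[-4:]


def inspect_transfer(text: str, max_cards: int = MAX_CARDS_PER_TRANSFER) -> dict:
    """Classify an outbound message or file: allow, alert, or block."""
    cards = find_card_numbers(text)
    if len(cards) > max_cards:
        action = "block"
    elif cards:
        action = "alert"
    else:
        action = "allow"
    return {"action": action, "count": len(cards), "masked": [mask(c) for c in cards]}


# Constructed sample data: a bulk donor export and a single-donation receipt.
SAMPLE_EXPORT = """donor_id,name,card,phone
D-1001,A Donor,4111 1111 1111 1111,+44 7700 900123
D-1002,B Donor,5500-0000-0000-0004,+44 7700 900456
D-1003,C Donor,340000000000009,+44 7700 900789
D-1004,D Donor,4111 1111 1111 1112,+44 7700 900000
"""
SAMPLE_RECEIPT = "Thank you. Your gift was charged to card 4111111111111111 on 12/10/2023."

if __name__ == "__main__":
    print(inspect_transfer(SAMPLE_EXPORT))    # block, three valid cards
    print(inspect_transfer(SAMPLE_RECEIPT))   # alert, one valid card
```

Note the fourth row of the sample export: its number is one digit off a valid card, so the Luhn check discards it and the scanner does not inflate its count with noise. Real DLP products layer the same idea with file-type detection, volume thresholds over time and per-user baselines, but the core is pattern plus checksum plus a threshold.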
At ESA Risk, we have an experienced team of risk, investigations and consulting experts that are here to help any organisations in the charity sector with carrying out due diligence checks on donors, beneficiaries and local partners, and monitoring the end use of funds.
We can undertake financial crime risk assessments, advise on Know Your Donor and Know Your Partner procedures and help you set up and maintain a Suspicious Donations Log. ESA Risk can also assist with the reporting of any fraudulent activity to the Charity Commission. If you’re a charity trustee who is signing up to the Stop Fraud Pledge, we can support you with all six of the pledge’s steps: Appoint, Ensure, Consult, Create, Perform and Assess.
Please get in touch for an initial chat with our experienced consultants. You can contact Ali Twidale, Banking & Financial Fraud Consultant at firstname.lastname@example.org, on +44 (0)843 515 8686 or via our contact form.
This article was published as part of Charity Fraud Awareness Week 2023.