Finance sector facing cyber attacks

The 2021 Cybersecurity Census Report shows that, on average, finance companies each suffered approximately 60 cyber attacks over the past year. Cyber criminals target the finance sector because of the vast amount of sensitive data it holds.

Many of these attacks succeed because of weaknesses in cyber security: for example, employees reusing a personal password at work, or using a credential such as ‘password’ that is trivial to guess. Others exploit unpatched system vulnerabilities, or staff who have never been taught how to spot an attack.

Some of the most common cyber attacks are:

  • Bots – automated programs that attack either directly, through web requests that manipulate or disrupt a website, or indirectly, for instance by sending spam emails or by guessing and cracking passwords at scale.
  • Ransomware – a type of malware that encrypts files, can lock you out of your device entirely, and withholds the decryption key until a ‘ransom’ is paid; in the meantime the attacker keeps a hold over the system.
  • Web application attacks – web applications are exposed to the internet, so flaws in them can be exploited directly, and a compromised site can be used to trick its users into clicking malicious links or to redirect them elsewhere.
  • Phishing – when users are targeted by email, telephone or text message and lured into providing sensitive data.

Financial institutions are also commonly being impersonated by cyber criminals who are tricking customers into transferring their funds into fake holding accounts. For instance, Monzo and Santander have received multiple fraud complaints due to criminals using phishing techniques on customers, baiting them with a text message and then holding long phone calls during which they convince victims to transfer all of their money into a ‘safe account’.

Combatting the risk of cyber attacks in the finance sector

In order to combat these cyber security risks, financial institutions must first ensure staff are trained to recognise attack attempts and know how to keep systems secure. Policies governing the locations and devices staff can log in from, and the level of access each role is given, also minimise the risk of an attack succeeding.

Investing in email security and anti-phishing browser protection can also help stop phishing emails reaching employees’ inboxes, and block the links in those that do. IT teams can put email and link filtering in place, using blocklists of known malicious domains and URLs.

Conducting cyber security risk assessments is important in identifying threats and the technology and software updates needed to address them. An audit, or having an external professional scrutinise the institution’s cyber security, provides an objective, thorough viewpoint that exposes blind spots and improves systems. Businesses should be thorough in making sure basic cyber security protections are in place to protect finance sector data from cyber attacks.

“One of the main cyber risks for the finance sector is to think that cyber risks don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business whatever sector, and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”

Larger financial institutions should go beyond installing basic tools. Antivirus software, a secure VPN and endpoint protection suites (Avast is one example) each add a layer of cyber security, but they are a baseline. Financial institutions must prioritise building a defence against advanced attacks and threats to the financial sector, so that these can be identified at an early stage.

Mitigation and prevention, as well as dealing with live attacks, are paramount within the finance sector. An institution armed with fraud prevention technologies is a less attractive target. Therefore, deploying security tooling that provides real-time detection alongside preventive controls is extremely important in ensuring that the institution’s internal and client information is protected.

If you require advice on cyber security systems or would like to know more about cyber threats to the financial sector, contact Cyber Risk & Security Consultant Graeme McGowan at graeme.mcgowan@esarisk.com, +44 (0)343 515 8686 or via our contact form.

Risk management strategy: Utilising your workforce

A positive risk management culture

All businesses should aspire to foster a positive risk management culture within their organisation, as part of risk management strategy. The issue is how do you go about creating a positive culture? There is no single solution, but there are a number of key factors that contribute towards achieving the right outcome.

Organisations with a positive culture are characterised by a process of open communication and sharing information within an environment of mutual trust that enables issues to be discussed thoroughly in order to serve the best interests of the company.

Put simply, risk management works best when employees are empowered to speak up and take action when they believe there is something they need to raise.

Employees – an asset or a liability?

Your own employees can put your organisation at risk in many ways, as security threats are not always external. The greatest risks often come from within an organisation. Even well-meaning employees can unintentionally open an unsolicited email and, with the click of a link, jeopardise the security of the company’s IT systems.

In an era of increasing technological complexity, the threats of hacking and cyber crime, the cost of adverse incidents and ever-greater regulatory scrutiny, the effective management of employee risk can reduce the overall risk faced by an organisation. If well managed, it can provide the business with a competitive edge.

Practical steps

There is no perfect solution, but you can follow some practical steps to instilling the right culture and strategy for risk management within your enterprise:

  • Explain the risks faced by the business to your employees and the benefits of sound risk management so that it is understood by all staff.
  • Take time to explain the idea behind any risk management initiative in straightforward terms: tell them why a company-wide commitment is important.
  • Allow employees to feel safe to voice any concerns about anything that could go wrong and encourage them to come forward when they see something could be done better.
  • Develop training programmes for each part of the business – consult employees on the particular risks each set of employees is likely to face and the control measures they are expected to follow to mitigate such risk.
  • Recognise good behaviours and reward them. Spell out that bad behaviours will have consequences.
  • Encourage feedback from employees and allow sufficient time for any changes in practice to be implemented.
  • Lead from the front and by example by being seen to act when risks are reported.

Utilising your workforce as part of your risk management strategy

Your employees are at the core of your business; daily operations, customer interactions, online interactions, decision making – the list of where your workforce can make the difference is almost endless. They play an integral part in the running, reputation and, fundamentally, the success of a company. It is therefore vital that the unique knowledge that employees have of their work is effectively harnessed and exploited as part of your risk management strategy and framework.

Taking the time to engage your workforce to help create a positive risk management culture will challenge them to develop new and better ways of working and deliver measurable rewards in terms of greater productivity and profitability.

If you require advice on risk management strategy or would like to know more about creating a positive workplace culture, contact Mike Wright, Risk Management and Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

ESA Risk consultant is boxing for Cancer Research UK

Our very own Mario Ovsenjak, Hotel & Leisure Management Consultant, will be putting his body – and face – on the line in December as he enters the ring for his debut 3 rounds of boxing.

Anyone who’s met Mario, General Manager at Manchester’s glitzy, 5-star Hotel Gotham, will know he’s more at home in a 3-piece suit than boxing gloves and, as he puts it, “far more likely to be seen with a glass of sherry than fighting”.

Incredibly, Mario will be stepping into the ring after only 8 weeks of preparation. He’s following a gruelling training and nutrition regime to ensure he’s fighting fit by the time of the event at Bowlers Exhibition Centre in Manchester on 18th December.

All of this is in aid of Cancer Research UK (a charity supported by ESA Risk’s Mike Wright earlier in the year). Cancer research is an ever-important cause – statistically, 1 in 2 people will have cancer in their lifetime. Cancer Research UK works tirelessly on improving our chances of surviving all sorts of cancers.

Find out more, including how to make a donation, on Mario’s Just Giving page.

Why small businesses need business consulting

Business consulting can remove some of the burden, enabling business owners to manage their time and energy better.

What is a business consultant?

A business consultant is both experienced and educated in business management and helps improve efficiency and the performance of the business they are working with. They can provide solutions to help strategy management, smoother running of operations and with increasing revenue. Any challenges the company is facing can be tackled in partnership with the consultant, who is fundamentally an asset to the growth of the business.

Having an objective, expert opinion can save both time and resources for a company director. Consultants aren’t as personally invested in operations in the way that managers or employees may be, so having an outside view is helpful in making improvements. A consultant’s broader knowledge in business trends, new processes and industry challenges enables them to give relevant advice. They know the best practices and can identify inefficiencies or issues quickly.

So, how do small business consulting services work?

Good consultants will customise their services to your business, rather than use a generic toolkit. Consulting should be tailored to the individual, or the company, so a consultant should first learn about your business and goals, before devising a strategy that works for you.

Consultants can:

  • Provide expertise in specific markets
  • Provide advice for financial planning or funding
  • Identify challenges and problems and offer practical and pragmatic solutions
  • Provide training
  • Strategically refocus the business to increase revenue and reduce costs
  • Expand the business into new markets or target growth in current markets
  • Reorganise the business model.

Once the consultant has learnt as much as possible about the business from the owner and employees, including the physical space, company materials and, of course, finances, they can plan for and implement any of the above changes.

Consultants should do this with empathy for the client’s situation, discretion about its operations, and the flexibility to adapt to the company environment, including what resources are available and the lengths the client is willing to go to in making changes.

The evaluation phase comes next, where the business consultant has reached a deeper understanding of the company and then works to identify where change is needed. Strengths, weaknesses and problems are evaluated here, alongside solutions and ideas of opportunities to increase profits and grow the business.

During this phase, the consultant should communicate with the client and employees throughout and begin to implement changes, so it is important for everyone within the company to remain open and cooperative. The client and consultant will then agree on a plan to make adjustments to, or restructure, the business. Here, the consultant may have to eliminate liabilities, for instance by making recommendations based on staff performance or disposing of old systems. They should also build on assets, expanding what already works well.

“Consultants bring their ‘best practice’, as they draw on their experience from across many companies and a number of sector specific industries in order to make the relevant changes and improvements to your business.”

Business growth consultants can help you plan for the future to achieve long-term goals, but also provide short-term solutions and advice. Consultants know effective strategies for expansion that have already been tried and tested, so in this way can effectively help your business grow.

Business consulting is like a partnership that helps business owners save money and time and reduces the stress of running all aspects of the business.

If you require small business consulting services or advice on managing company finances and improving your strategy, please contact Charlie Batho, Financial and Forensic Accounting Consultant, at charlie.batho@esarisk.com or on +44 (0)343 515 8686 or via our contact form.

Email spoofing

In this article, I’ll answer the questions:

  • What is email spoofing?
  • How do spammers spoof an email address?
  • What does a spoofed email look like?
  • How can you prevent email spoofing?

According to Proofpoint, 3.1 billion spoofed emails are sent every day, with attacks costing businesses $26 billion (about £18.8 billion) since 2016. The goal of email spoofing is the same as phishing: fraudsters attempt to obtain sensitive information from the recipient or get them to download a malicious attachment. The difference is in the method. Rather than simply imitating the email address of a trusted source, a spoofed email forges the sender information carried in the message itself, exploiting the fact that the email delivery protocol was never designed to verify who wrote the ‘From’ address.

How do spammers spoof my email address?

Email spoofing is possible because of the way email is sent and delivered. When someone sends an email, it doesn’t go directly from the sender’s machine to the intended recipient. Rather, it is handed to an SMTP (Simple Mail Transfer Protocol) server configured in the client software, which relays it on.

You can think of this process like a sorting office for physical post. The SMTP server takes an incoming message and routes it to the recipient’s mail server, which then places it in the relevant user inbox. The original protocol has no step that verifies the sender written into the message: the address in the ‘From’ header is simply whatever the sending software put there, and a second sender address, the envelope ‘MAIL FROM’ used during delivery, can be set independently of it. This gives criminals the opportunity to write a bogus address in the ‘From’ field, or to attach a misleading display name to a real address, so that the message appears to have come from someone else. The checks that exist today (SPF, DKIM and DMARC, covered below) were added later and only work where the domain owner has set them up.

What does a spoofed email look like?

Now we’ve answered the question ‘what is email spoofing?’, let’s examine what a spoofed email looks like. Below is a real-world example of a spoofed email received by multiple members of the ESA Risk team last week, purporting to be from ESA Risk’s Marketing Director. This email was caught by our spam filters, so it didn’t make it into anyone’s inbox, but it did arrive in their spam folder, so required manual intervention to fully eliminate the potential threat.

 

-----Original Message-----
From: xxxxxxx@staging.esarisk.com <rebeccasmith0900@gmail.com>
Sent: 20 October 2021 08:25
Subject: RAPID INTERVENTION

Good morning,

Hope you don’t have a lot of work to do? Well in case you do, peg it now because i have a task for you to carry out urgently.

Drop your number so i can brief you about it all.

Thanks.

Xxxx xxxxxxxxxxx @staging.esarisk.com

Sent from iphone

 

Spot the obvious issues with the above: the display name imitates an ESA Risk address while the actual sender is a Gmail account, the tone is urgent and unlike the purported sender, and the request is to move the conversation to a phone number, away from email.

Here is another example of what someone might see when they receive a spoofed email:

[Image: a spoofed email as it appears to the recipient, with the forged sender shown in the ‘From’ field]

There is nothing here that reveals the true nature of this message. The ‘From’ field displays the address provided by the scammer, but, crucially, this is not necessarily the address from which the message originated. Only by inspecting the full message headers can you tell whether the ‘From’ field has been manipulated. The headers are distinct from the delivery ‘envelope’ (the sender and recipient addresses exchanged between mail servers, which surface in the ‘Return-Path’ header), and a mismatch between the two is itself a warning sign. Mail clients hide the full headers by default, so you need to open the message’s properties or source to see them.

In most versions of Outlook, you can do this by double-clicking the message to get it to open in a separate window, then selecting ‘File’ and ‘Properties’. You’ll be presented with a long string of information, but within that you should see something that looks like this:

[Image: message properties showing a ‘From’ address of boss@company.com and a ‘Reply-To’ address of scammer@scammail.com]

You can see here that, although the message says it’s from the employee’s boss, the ‘Reply-To’ header carries a different address. When the recipient hits reply, the response doesn’t go to ‘boss@company.com’ but to ‘scammer@scammail.com’. This is a big clue that the original email address has either been forged or compromised. A bogus email address won’t always be as easy to spot, however. You may well encounter the same technique as in standard phishing attacks, with the attacker registering a domain that imitates a genuine organisation’s.

In this example, the sender might register the domain ‘conpamy.com’, swapping the ‘n’ and the ‘m’. This is tricky to spot, and it is not something SPF (Sender Policy Framework) can catch: the attacker owns ‘conpamy.com’ and can publish perfectly valid records for it. The defences against lookalikes are registering the obvious variants of your own domain, monitoring new registrations that resemble it, and training staff to read the actual address rather than the display name. What SPF does protect is your own domain. It is a DNS record listing the servers authorised to send mail for that domain; a receiving mail server compares the IP address the message actually arrived from with the record published for the domain in the envelope sender (the ‘MAIL FROM’ address used during delivery, shown as ‘Return-Path’). SPF works alongside DKIM (DomainKeys Identified Mail), which adds a cryptographic signature to the message, and DMARC (Domain-based Message Authentication, Reporting and Conformance), which requires that the domain passing SPF or DKIM matches the domain in the visible ‘From’ header and tells receivers whether to quarantine or reject mail that fails. None of these scans for malware; they establish whether a message genuinely came from the domain it claims.
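The three clues just described (a display name that imitates a company address while the real sender is a Gmail account, as in the ESA Risk example; a ‘Reply-To’ pointing somewhere other than the ‘From’ address; and a domain that is a near-miss of a genuine one) can all be checked mechanically before a human reads the message. The Python script below is an added example, not code from the original article; it runs those checks over constructed sample messages, using the placeholder domains from the text (company.com, scammail.com, conpamy.com) and an assumed list of trusted domains.

```python
# Added example, not from the original article: checks a message's headers
# for three spoofing clues, a display name naming a different mailbox from
# the real address, a Reply-To that diverts replies elsewhere, and a sender
# domain that is a near-miss of a trusted one. Samples are constructed and
# company.com, conpamy.com and scammail.com are placeholder domains.
import email
import re

# Domains this organisation legitimately sends from (assumed for the example).
TRUSTED_DOMAINS = {"company.com"}

# Mirrors the real example above: a free-mail account dressed up as a company mailbox.
SAMPLE_DISPLAY_NAME = """\
From: "boss@company.com" <rebeccasmith0900@gmail.com>
Subject: RAPID INTERVENTION
"""

# Visible From is the boss, but replies are redirected to the scammer.
SAMPLE_REPLY_TO = """\
From: The Boss <boss@company.com>
Reply-To: scammer@scammail.com
Subject: Urgent
"""

# Lookalike domain with the 'n' and the 'm' swapped.
SAMPLE_LOOKALIKE = """\
From: The Boss <boss@conpamy.com>
Subject: Invoice
"""

SAMPLE_CLEAN = """\
From: The Boss <boss@company.com>
Subject: Weekly report
"""


def split_address(value):
    """Return (display_name, address) from a From or Reply-To header value."""
    m = re.match(r'\s*(?:"?(.*?)"?\s*)?<([^>]+)>\s*$', value)
    if m:
        return (m.group(1) or "").strip(), m.group(2).strip().lower()
    return "", value.strip().lower()


def domain_of(address):
    return address.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions,
    substitutions and swaps of adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def spoofing_clues(raw_message):
    """Map each clue found to a one-line explanation; an empty dict means none."""
    msg = email.message_from_string(raw_message)
    clues = {}
    display_name, from_addr = split_address(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display name that names a different mailbox or domain than the real address.
    shown = re.search(r"@([\w.-]+)", display_name)
    if shown and shown.group(1).lower() != from_domain:
        clues["display-name-mismatch"] = f"name shows @{shown.group(1)}, address is @{from_domain}"

    # 2. Replies silently redirected to another domain.
    _, reply_addr = split_address(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        clues["reply-to-mismatch"] = f"replies go to {reply_addr}, not {from_addr}"

    # 3. Sender domain within two edits of a trusted domain, but not equal to it.
    #    The threshold of 2 is a tuning choice; short domains need a tighter one.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            clues["lookalike-domain"] = f"{from_domain} resembles {trusted}"
    return clues


if __name__ == "__main__":
    for label, sample in [("display-name", SAMPLE_DISPLAY_NAME), ("reply-to", SAMPLE_REPLY_TO),
                          ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)]:
        print(label, spoofing_clues(sample))
```

Run it directly to print the clues found for each sample. The lookalike test uses an edit distance that counts an adjacent swap as one change, so ‘comapny.com’ scores 1 against ‘company.com’ while ‘conpamy.com’, where the swapped letters are not adjacent, scores 2; the threshold of 2 is a tuning choice, and short domains need a tighter one to avoid false positives.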

If the receiving mail server checks SPF, it records the verdict in the headers of the message as it arrives, in a ‘Received-SPF’ or ‘Authentication-Results’ line that looks like this:

[Image: a ‘Received-SPF’ header reporting ‘fail’ because the sending IP address is not permitted to send for the company domain]

You can see that this message failed the test, because the IP address of the server that delivered it is not permitted to send messages for the company domain. Implementing SPF helps flag suspicious emails and reduces the burden on employees to spot scams. However, for it to work, the domain holder (which in most circumstances will be your organisation) must publish a DNS TXT record listing every server authorised to send email on behalf of the domain, including third-party services such as marketing platforms and ticketing systems, and end it with ‘-all’ (hard fail) rather than ‘~all’ (soft fail) once the list is complete. A failing SPF result on its own is only a signal; it is the DMARC policy (‘p=quarantine’ or ‘p=reject’) that tells receiving servers to act on it.
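The following Python evaluator is an added example, not code from the original article or from any SPF library: it shows how a receiving server arrives at the ‘fail’ verdict above by walking the domain’s SPF record, and how DMARC then asks whether the domain that passed actually matches the visible ‘From’ domain. DNS is replaced by a constructed table, only the ip4, ip6, include and all terms are handled, and every domain and address is a placeholder (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).

```python
# Added example, not from the original article: a minimal SPF check in the
# spirit of RFC 7208, with the DMARC alignment test layered on top.
# DNS is replaced by a constructed table; only ip4, ip6, include and all
# terms are handled. Domains and addresses are placeholders.
import ipaddress

# Constructed TXT records standing in for DNS lookups. company.com allows
# its own range plus a third-party provider and hard-fails everything else.
DNS_TXT = {
    "company.com": "v=spf1 ip4:203.0.113.0/24 include:mailprovider.example -all",
    "mailprovider.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
    "lax.example": "v=spf1 ip4:203.0.113.5 ~all",       # soft fail: receivers only mark
    "attacker.example": "v=spf1 ip4:192.0.2.99 -all",    # attacker's own, valid record
    "loop.example": "v=spf1 include:loop.example -all",  # broken: includes itself
    "nospf.example": "",                                 # nothing published at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, depth=0):
    """Evaluate DNS_TXT[domain] for a connection from sender_ip.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 caps nested lookups at 10
        return "permerror"
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                    # nothing published: receiver cannot judge
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv6 address is never inside an ip4 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"       # included domain unusable: whole record fails
            if inner == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a, mx, exists, redirect= not modelled here
    return "neutral"                     # no term matched and no 'all' present


def dmarc_spf_aligned(header_from_domain, mail_from_domain, spf_result):
    """DMARC credits SPF only when it passed AND the envelope (MAIL FROM) domain
    aligns with the visible From domain. Relaxed alignment is approximated here
    as 'same domain or a subdomain of it'; real DMARC compares organisational
    domains derived from the public suffix list."""
    if spf_result != "pass":
        return False
    h, m = header_from_domain.lower(), mail_from_domain.lower()
    return h == m or m.endswith("." + h) or h.endswith("." + m)


if __name__ == "__main__":
    # Relayed from an address outside company.com's record: the 'fail' shown above.
    print(check_spf("192.0.2.99", "company.com"))
    # Forged 'From: boss@company.com' sent with the attacker's domain in the
    # envelope: SPF passes for attacker.example, but DMARC refuses to align it.
    spf = check_spf("192.0.2.99", "attacker.example")
    print(spf, dmarc_spf_aligned("company.com", "attacker.example", spf))
```

Note the difference between company.com’s ‘-all’, which produces a hard ‘fail’ for 192.0.2.99, and lax.example’s ‘~all’, which only soft-fails; and that a forged ‘From: boss@company.com’ sent with attacker.example in the envelope passes SPF for attacker.example yet fails DMARC alignment, which is why SPF alone does not protect the visible sender.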

How to prevent email spoofing and what to do if your email has been spoofed

At this point, I’m sure you’re asking the question: ‘How can I stop spoofed emails coming from my email address?’ Technical controls such as SPF, DKIM and DMARC, published for your own domain with an enforcing DMARC policy, stop mail that falsely claims to be from your domain from being accepted by servers that check them. On the receiving side, they can be combined with spam filters and anti-malware software to give you the best chance of flagging suspicious messages before they reach employees’ inboxes.

However, these tools are never foolproof. Scammers keep finding ways around them: the real example above came from a genuine Gmail account with a misleading display name, which is exactly the kind of message SPF and DMARC are not designed to block, because the sending domain (gmail.com) is real. A filter that is only partly sure will often just flag a message and leave the recipient to decide. As such, you must ensure that employees are trained to detect, and respond appropriately to, suspicious emails.

Phishing emails almost always contain clues that reveal their true nature, and ESA Risk provides training for you and your teams on these issues and all things cyber security.

If your email has been spoofed, you want to prevent email spoofing or you have any other cyber security questions or concerns, please contact us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form for advice.

Asset tracing: A guide

What is asset tracing?

Asset tracing is the process of locating financial assets, property or valuables through formal investigations. Investigators undertake detailed research to determine a subject’s asset profile and whether that profile is sufficient to meet their outstanding debts or potential claims. Asset tracing can spearhead investigations in finding additional evidence such as unknown associates and lifestyles which can lead to a greater understanding of the target’s activities. Once the research has been conducted, the investigators then identify assets and can assist in asset recovery litigation and collections processes.

Asset tracing services can be extremely useful if a client is wondering whether a claim is worth pursuing. There is no point in a client spending good money after bad only to get a pyrrhic victory; therefore, conducting asset tracing prior to the commencement of any litigation is a worthwhile practice.

Tracing assets before escalating a case to litigation can also save clients’ money. Possessing a clear understanding of the subject’s asset position can provide leverage in early-stage negotiations and may negate the need for expensive litigation.

When further expertise is required, forensic accountants can be brought in to follow the paper trail, forensically analysing bank statements and transactions to pinpoint where money has flowed and, ultimately, how the layering and laundering process has taken place.

Both investigators and forensic accountants use digital forensics and numerous software tools to assist with the processes. Together with open-source intelligence (OSINT) and human intelligence (HUMINT) sources, a full picture can be obtained.

Tracing assets is not easy and requires the most skilled investigative professionals in the field. ESA Risk’s investigators have great experience and knowledge of asset tracing, understanding the way assets are identified through both covert and overt means. People may try to hide from insolvency and debt but usually there is an audit trail which we can find. Cash assets, however, can be moved around the world in seconds, and each country operates their privacy laws differently, making assets a lot more difficult to identify and recover, but by no means impossible.

The process is even further complicated by the constant movement of fraudsters and debtors themselves, in evading payments or concealing assets. Money could either be converted into other assets or hidden in fictitious companies and trusts. The dissipated assets may then be sold, used or transferred into offshore accounts across borders via online platforms, making asset tracing a task that heavily relies on technology, resources and investigative experience. The initial intelligence-gathering phases are usually undertaken electronically, but having a global network of intelligence agents who can undertake in-country investigations is a must.

Asset tracers have access to confidential global databases and deep web tools, where they can build out the asset puzzle, identifying the lifestyles and behaviours of the individuals they are looking for. Whether it’s checking if they’ve been on holiday to their villa recently or purchased a new boat, investigators can access intelligence and trace the assets required.

A guide to how asset tracing works

1. Identification

Asset tracing commences with full background intelligence research undertaken through online data sources. Investigators examine financial information and digital records, such as emails of the targets. Then by forensically analysing commercial databases and social media platforms, investigators obtain intelligence. Intelligence agents, who are in the field, can then further conduct covert enquiries to help build the intelligence profile.

Researchers constantly examine open-source public records, including those of real estate, licensing, criminal court proceedings and the civil courts. Certain data sets are restricted; however, with the correct legal approach and an understanding of data protection laws, restricted data can in many circumstances be obtained legally.

2. Conversion

Investigators must turn intelligence gathered into meaningful information and obtain proof that traced assets are connected to the targets and are ultimately recoverable. This process can require speed. However, in certain cases – especially complex cross-border cases – it can take time to convert the intelligence into evidence. Access to information and data in certain countries can be challenging, as systems aren’t digitised. In addition, careful planning of surveillance teams and systems can take time, as understanding the lifestyle of individuals can be time-consuming, especially when ethical social engineering is a strategy.

Sophisticated fraudsters also use tools and techniques to stay one step ahead of their pursuers, and that is where expeditious investigations are required. Working with on-the-ground, in-country resources and local authorities speeds up investigations and ensures that asset tracing is swift, personalised and confidential. Disclosure or search orders can then be sought, and onshore accounts frozen, if necessary.

3. Recovery

A good litigation strategy should be in place from the outset to allow the investigators to understand which assets the lawyers would like to go after. It is also important to understand how the litigation and investigations are being funded and whether litigation funders are required. While investigators identify the assets, expert lawyers in litigation, debt recovery or insolvency are required for clients to obtain the most likely chance of successful recoveries. At ESA Risk, we have access to both experienced lawyers and litigation funders who will be able to assist in such recoveries.

Asset tracing services from ESA Risk

When it comes to tracing assets, we are the experts. ESA Risk’s team will deliver concise but comprehensive results which will enable you to make the decision on which way to proceed. With a network of trusted partners covering every part of the world, our investigation capability – and therefore yours – is truly international.

To instruct us on an investigation or for more information on our asset tracing services, contact Mike Wright, Risk Management & Investigations Consultant at mike.wright@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

 

Charities: What to do if you suspect fraud

Before getting into practical advice on what to do if you suspect fraud, how to report charity fraud and the investigation of suspected fraud, I think it’s important to mention the current state of affairs in the charity sector. Statistics from the Fraud Advisory Panel show that fraud within the charity sector is significantly underreported.

Charities appear to be concerned – maybe even scared – about the reputational damage fraud reporting could do to their organisation. A fraud-related prosecution or a case involving a charity with a high-profile may well enter the public domain through the media, and charities are concerned that might have a negative impact on public confidence in their organisation and their work.

This may well be as a result of recent high-profile scandals involving UK charities. While those cases didn’t involve fraud, the potential impact of bad press has been felt by the sector.

Most often, when people give their money to a charity, it’s because they believe in the work that charity does and believe that their money will be put to good use. Charities worry that anything that could dispel that idea in people’s minds could, in turn, lead to a reduction in support and donations received.

This is especially true when fraud is on the inside of a charity.

Fraud could be external to an organisation – for example, someone creating a fake website or page on a site such as Just Giving, pretending to be a charity / collecting on behalf of a charity, then syphoning the funds raised – but the potential for reputational damage in these situations isn’t as high.

The reluctance of charities to report fraud is a huge source of concern. And it should be a source of concern for the Charity Commission and other bodies involved in the charity sector and in fraud prevention.

What should a charity do if it identifies fraud within its organisation?

For me, I think it’s most important for charities to focus on insider fraud – the fraud that occurs within charities.

I think the first thing that charities should do is, as quickly as possible, to lock down all systems and controls. Whoever is responsible for governance and fraud prevention in the charity should press the brakes on everything as soon as possible, especially if fairly large amounts of money are involved.

It’s important to stem the flow quickly, as we know that the longer a fraud goes on for within an organisation, the bigger that fraud becomes. Fraudsters often test the waters. They may start off by syphoning off maybe only a few pounds or a few hundred pounds. Once they realise that there are gaps and weaknesses in the system that they can take advantage of, it emboldens them to think bigger. Stealing £100 then becomes £200 the next time, then £1,000, then £5,000 and so on. Unchecked frauds then grow exponentially.

I’m not suggesting that whole organisations should lock down as soon as they see £100 missing from their accounts. For smaller amounts of money, there may be a very simple explanation – a misunderstanding or an accounting error, for example. But, as soon as you think money may have been defrauded or stolen, that is when you need to quickly review what may be going on.

In the first instance, that means speaking to the responsible people in the organisation. That could be the head of finance, or the bookkeeper or treasurer. At the same time, the systems and controls in place should be checked to ensure they’re working properly. If there’s no clear explanation for missing money, that’s the time to take further decisive action.

Your response should be proportionate to the amount of money involved and to the size of your organisation. The tipping point will likely be different for different charities.

As a charity, the action you’re able to take may depend on the type of charity you are, too. If you’re dispersing funds, you may not be able to put the brakes on everything, because you have people and organisations that depend on you.

What does ‘locking down’ systems and controls involve?

When you suspect a fraud, the key objectives of your response are to identify and close any gaps, bolster any weak areas and mitigate the risk of more money disappearing. Typically, this is about access and authorisation. Access to systems and to finances should be limited to those people who absolutely need it. Authorisation processes can be strengthened simply by adding another level. For example, especially in smaller organisations, moving money might need to be authorised by only one person. Adding a second signatory to that process immediately adds another layer of security.

Once the potential risks have been mitigated, an organisation can start putting in place the next part of their response.

Investigation of suspected fraud

To ascertain exactly what has gone on in the case of a suspected charity fraud, you need to carry out a thorough investigation.

Whether you choose to undertake an internal investigation of suspected fraud or bring in external investigators, it’s important to involve people with the right expertise early on. Think about who needs to be involved in the investigation, and what skillsets you need to bring in from external parties. Do you need to bring in forensic accountants? Do you need to bring in economic crime investigators? Do you need to bring in auditors? External experts might be needed only for advice and can help guide the charity to make its determination about how it goes about its own investigation. Alternatively, the whole investigation can be outsourced to an independent external organisation.

The investigation needs to be quick and it needs to be addressed in depth. One reason for this is the obligation to report serious incidents to the Charity Commission. As soon as you’re able to ascertain a 60 or 70% likelihood that the case is fraud, it should be reported to the Charity Commission.

Internally, the investigation team needs to report into someone. In charities, the governance committee is the most likely candidate for this role. Even if there’s suspected involvement in a fraud by the charity’s trustees, the governance committee usually works independently of the charity’s management structure.

The investigation itself is the same for charities as any other organisation. Once the investigation team is in place, the next stage is to determine where the material is that can assist with uncovering what has happened. In a fraud investigation, that means working closely with members of the finance and audit functions within the organisation. Crucially, at this stage, you want to make sure that any information that could assist in the investigation is secured. Ensure that no material is destroyed or deleted (although digital forensics can help with recovering deleted digital files and emails).

When the potential evidence has been secured, you start your process of understanding what’s happened by virtue of interviews, reviewing the material and interrogating the accounts (which is where forensic accountants can add real value).

Prevention is better than the cure

Many UK charities are small bodies with limited resources, which can result in them having few fraud prevention controls in place and a mindset of ‘we haven’t got the money for this’. But it’s often the case that charities really can’t afford not to invest in fraud prevention. The fallout of a fraud case or another type of scandal could spell the end for smaller charities, whereas investing, say, a few thousand pounds in prevention tools could avoid the loss of tens of thousands to fraud down the line.

An area I always look at when conducting investigations is what controls were in place pre-incident, and how those controls and processes can be improved to avoid future issues. One side of the investigation is, of course, discovering the truth about the case at hand, but the other side is analysing the preventative risk management elements within an organisation. Whether or not a crime is identified during an investigation, the organisation’s risk controls are left in a stronger position for the future.

Relentless risk management is the best chance an organisation has for preventing fraud.

That means continually undertaking risk reviews, looking at systems and processes. Transparency and accountability at all levels are really, really important.

How to report charity fraud

In relation to reporting charity fraud, trustees should be mindful of their obligations to the Charity Commission. Once it becomes clear that a fraud has been committed, it must be reported.

Another body charities may want to report suspected fraud cases to is Action Fraud, which gathers data about fraud across all sectors.

Finally, if you think a crime has been committed, there’s a decision to be made on whether (and when) to bring in the police.

The bottom line is that charities shouldn’t bury their heads in the sand. Each situation should be considered carefully and a quick decision should be taken on the most effective and proportional way to manage that particular (potential) problem.

Charity fraud: How ESA Risk can help

At ESA Risk, our team includes experienced fraud investigators and risk management experts, meaning we can support charities at every step – from offering advice on fraud prevention to conducting full investigations of suspected frauds.

If you suspect a fraud has been committed in your organisation or you want help to secure your charity against fraud, contact Lloydette Bai-Marrow, Serious Fraud and Economic Crime Consultant at lloydette.bai-marrow@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

This article was published as part of Charity Fraud Awareness Week 2021.

Money laundering and the charity sector

Arguably, the effects of money laundering and financial crimes are even more devastating for charities, as their funds have been raised to help the most vulnerable in society. This makes the prevention and investigation of all financial crimes against charities extremely important.

The reality for most of the 169,000 registered charities in England and Wales, along with the millions worldwide, is that they often have low levels of security over the funds they hold and little awareness of good money laundering and financial crime prevention controls. This is demonstrated by the distressing statistic from the Charity Commission, the UK charities regulator, that an estimated £8.6 million was lost in 2020. And that’s only what has been reported.

There’s no getting away from it: financial crime in the charity sector is a serious problem and it is only getting worse.

Money laundering is defined in the Proceeds of Crime Act as “the process by which the proceeds of crime are converted into assets which appear to have a legitimate origin, so that they can be retained permanently or recycled into further criminal enterprises” and the three main stages are Placement, Layering and Integration.

How are charities used to launder money?

In a charity sector context, a really simple example could be a large donation to a charity of ‘dirty money’ or proceeds of crime which is then layered in with legitimate funds that the charity holds. A fake beneficiary is then set up as a front which will receive the freshly laundered funds from the charity, all clean and appearing legitimate. Sadly, there are many more examples of how charities have been used and abused by criminals.

A bona fide charity may have criminal employees, funnelling off hard-won monies.

As well as the charities being victims of financial crimes themselves, the actual charity entity could be a sham. In the most shocking examples, fraudsters have taken to brazenly setting up fake charities and fundraising for donations which are then simply pocketed or used for other illegitimate activities.

Critically for non-criminal (i.e. most) charity employees and trustees: if they fail to report any suspicions of money laundering, then they could be liable to prosecution or a hefty fine.

Not only is the financial loss devastating for charities, but the next biggest impact is reputational damage. Imagine hearing that a major charity had been involved in, or had been used for, the laundering of vast amounts of money… You would probably think twice about donating to that charity – if they’ve lost money previously, what’s to say it won’t happen again? Charities hugely depend on funding from donors, so if those sources of income diminish or dry up, it could signal the end of that organisation.

How ESA Risk can help fight money laundering in the charity sector

At ESA Risk, we have an experienced team of risk, investigations and consulting experts that are here to help any organisations in the charity sector with carrying out due diligence checks on donors, beneficiaries and local partners, and monitoring the end use of funds.

We can undertake financial crime risk assessments, advise on Know Your Donor and Know Your Partner procedures and help you set up and maintain a Suspicious Donations Log. If you’re a trustee who’s signing up to the new Stop Fraud Pledge, we can support you with all 6 of the pledge’s steps: Appoint, Ensure, Consult, Create, Perform and Assess.

Equally, we can carry out enhanced due diligence before you make a donation to an organisation (to avoid fake charities, for example).

Please get in touch for an initial chat with our experienced consultants. You can contact Ali Twidale, Banking & Financial Fraud Consultant at ali.twidale@esarisk.com, on +44 (0)343 515 8686 or via our contact form.

This article was published as part of Charity Fraud Awareness Week 2021.

Liverpool networking event

Last week, we met for our fortnightly networking event, hosted by ESA Risk’s Mike Wright (Risk Management & Investigations Consultant) and Roger Dugan from our co-host, Asertis.

The evening took place in Liverpool Gin Distillery, a picturesque bar in central Liverpool. We brought together professionals from law firms, insolvency practitioners and more, to network over a few drinks.

Roger Dugan shared that “it was a great evening, to be with old faces and new faces alike”.

The 500 Club series of events takes place fortnightly across the UK in cities including London, Leeds and Manchester. We aim to bring together professionals from various industries to connect in an informal setting. We’ll be at Bunghole Cellars in London at the end of this month. There’s a good chance we’ll be coming to a city near you over the next few months.

If you’d like to be added to our invite list, please contact us.

Cyber fraud and cyber crime in the charity sector

The Cyber Security Breaches Survey 2021, published by DCMS, found that 26% of almost 500 voluntary sector organisations surveyed had reported cyber fraud over the previous year. The report shows that while charities generally compare favourably with private sector businesses – 39% of which said they had suffered cyber security breaches or attacks – the number rises to 51% among charities with annual incomes of £500,000 or more. A quarter of those organisations that had suffered attacks said they had to deal with them on a weekly basis.

The survey, which took place between October 2020 and January 2021, found that the most common type of cyber attack for charities was phishing, identified by 79% of respondents. Phishing often involves trying to con recipients into giving away personal details or passwords. This was followed some way behind by impersonation attacks, suffered by 23% of respondents, where emails are sent out impersonating the charity. Among the charities that identified breaches or attacks, the survey found that 18% ended up losing money, data or other assets.

And even if money, data, or assets were not lost, 4 in 10 charities were still negatively affected for reasons such as requiring new, post-breach measures or having staff time diverted to deal with the problem, the report found – a reputational risk for any charity.

The fallout of such attacks was highlighted last year when more than 100 UK charities reported being caught up in the Blackbaud cyber attack, which targeted commonly used financial software.

While the DCMS report makes it clear that cyber security is still a major issue for many charities, the proportions reporting negative effects of breaches or attacks in 2021 are significantly lower than in previous years. This is not because attacks are any less frequent, the report says, but it could be due to more organisations implementing basic cyber security measures following the introduction of the General Data Protection Regulation (GDPR) in 2018.

Cyber security is also higher on the agenda of trustees, researchers found; 68% of charities said it was a high priority for them, compared with 53% who said the same in a previous study in 2018.

Charities are bigger cyber attack targets than they realise

Many charities, especially the smaller ones, fail to realise the value of the data they possess, according to a report by the National Cyber Security Centre (NCSC). Unfortunately, cyber criminals do realise the value of this data, making charities vulnerable targets to a cyber attack.

While the average person may find it unconscionable to steal from a charity, there are a number of perpetrators looking for some financial gain, besides the typical cyber criminal. This may include:

  • Suppliers and third parties – it’s common for charities to outsource the responsibilities of running, maintaining, and securing their data.
  • Terrorists – terrorist groups are likely to deface websites and publish victims’ personal details online, which is a process known as doxing.
  • Nation states – nation states use cyber crime to further their agendas.
  • Insiders – one of the biggest threats; disgruntled staff with access to their employer’s data may commit cyber crimes seeking money or simply for revenge.
  • Hacktivists – hackers will target charities if they disagree with the charity’s purpose or are motivated by a specific cause.

In order to prevent cyber-criminals from accessing your charity’s valuable data, the NCSC Small Charity Guide recommends taking these precautions:

  • Back up your data and protect it with strong passwords.
  • Protect your organisation from malware.
  • Keep your smartphones and tablets safe.

Simple advice and a sobering but easy way to protect against cyber threats

Here is an example of how small differences in passwords can make a huge difference to would-be cyber attackers.

Password   | Time to crack
charity    | 22 milliseconds
Charity    | 18 hours, 58 minutes, 27 seconds
Charity1   | 5 months, 2 weeks, 3 days
CharityNo1 | 1 millennium, 7 centuries, 6 decades
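The table shows the effect, but not the arithmetic behind it. The following is an added example (not ESA Risk’s code, and not the tool that produced the table’s figures) that estimates the worst-case exhaustive-search time for each password from the character classes it uses and its length. The guess rate is an assumption, so the absolute times will not match the table; what carries over is the ratio between rows, which is what the character classes and extra length buy you.

```python
"""Keyspace-based estimate of brute-force search time for a password.

Added example to illustrate the table above; not code from the original
article. The guess rate below is an assumption chosen for illustration,
so only the ratios between passwords are meaningful, not the absolute times.
"""
import math
import string

# Assumed attacker guess rate in guesses per second (constructed value).
# Real rates depend on the password hash in use and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000  # 1e10

# A brute-force search must cover every character class the password uses.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "digits": string.digits,              # 10
    "symbols": string.punctuation,        # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that contains the password."""
    size = 0
    for chars in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def keyspace(password: str) -> int:
    """Number of candidate strings of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra bit doubles the search."""
    return math.log2(keyspace(password))


def worst_case_seconds(password: str,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the keyspace at the assumed rate.

    This is an upper bound: it assumes the attacker has no better strategy
    than trying every string, which is false for dictionary-based passwords.
    """
    return keyspace(password) / rate


def describe_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, for a report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds * 1000:.1f} milliseconds"


def compare(passwords):
    """Rows of (password, alphabet size, entropy bits, worst-case time)."""
    return [
        (p, alphabet_size(p), round(entropy_bits(p), 1),
         describe_duration(worst_case_seconds(p)))
        for p in passwords
    ]


if __name__ == "__main__":
    # The four passwords from the table above.
    for row in compare(["charity", "Charity", "Charity1", "CharityNo1"]):
        print(*row, sep="\t")
```

The keyspace model is deliberately generous to the defender only in one direction: it assumes exhaustive search. "Charity1" is a dictionary word with a common suffix, and a wordlist-driven attack finds that pattern far sooner than 62^8 guesses would suggest, so treat these figures as the ceiling, not the expected time. Length and unpredictability (a passphrase of unrelated words, or a generated password stored in a password manager) raise the real cost in a way that capitalising one letter does not.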

How ESA Risk can help charities become cyber-secure

At ESA Risk, our Cyber Security consultants have years of experience in the industry that equip them to protect your confidential data and your money from cyber criminals. Get in touch with us at advice@esarisk.com, on +44 (0)343 515 8686 or via our contact form, to find out how we can help make your charity cyber-secure.

This article was published as part of Charity Fraud Awareness Week 2021.
