The impact fraud can have on a charity’s good work, beneficiaries, and reputation can be immense. The National Crime Agency tell us that charities, along with individuals and the private sector, “lose billions of pounds each year to fraud”. Clearly more needs to be done to tackle fraud targeted against charities.
One established approach is to learn from frauds that have been committed and to disseminate the findings to help identify emerging risks, long term trends and provide evidence to base specific preventative action on. Until now, relatively few such studies have been undertaken on charity specific fraud, but we are working with charities and professional bodies to help address this knowledge gap.
This week we launched a new website dedicated to helping charities combat fraud and are encouraging trustees and charity staff to review their financial controls and procedures as part of the first Charity Fraud Awareness Week. These are two examples of our wider commitment to helping the sector increase its resilience to fraud and ensuring charitable funds are used for legitimate purposes.
For the first time we’ve also published an overview of the serious incident reports (RSIs) we have received about fraud to identify wider learning points for the sector. The analysis shows that during the financial year 2015/16, 178 serious incidents reported to us by charities were classified as fraud. The fraud-related RSIs we sampled affected a broad range of charities – from small, local organisations such as school parent teacher associations to large well-known charities with thousands of staff and multi- million pound budgets – and included both internal and external frauds.
Some key findings from the review of our fraud RSIs included:
• Over a third of the frauds sampled were 'internal', meaning frauds originating within the charity (i.e. perpetrated by trustees, staff or volunteers)
• The highest single reported loss to fraud was over £1 million
• Common identifiable trends in many of these fraud cases include weak governance and poor financial controls, often coupled with excessive trust placed in key individuals within the charity
• Several cases related to fraud were carried out by charities' overseas partners, where the legal and regulatory context can often be difficult to manage. This highlights the need for enhanced due diligence and oversight for those charities working with international partners; check out our recently updated compliance toolkit on working with international partners
There were also some interesting case studies and recurring themes within the serious incident reports which can help us warn others to avoid the same potential pitfalls. With the growth of technology, cyber-enabled fraud is becoming increasingly common. This can include ’Mandate’ fraud, where charities are deceived into diverting legitimate payments to fraudsters’ bank accounts, or ’Chief Executive’ fraud, where fraudsters, often using publicly available information, impersonate senior officers of the charity and trick charity staff into making payments to the fraudsters’ bank account. In one example, after receiving an email purporting to be from the charity’s Chief Executive, one Finance Director made a payment of £15,000 to an unknown bank account without making any checks on the message’s authenticity. This money went directly into a fraudster’s account. There are straightforward lessons to be learnt from this: make sure you check all payment requests are from a genuine source, challenge payments made to unknown bank accounts, and consistently apply existing controls and procedures, even when requests are made from senior staff.
In another example, a charity was defrauded of £10,600 by a telephone and online scam. The charity treasurer received a telephone call from an individual claiming to be from a major telecoms company, offering a £400 inconvenience fee for the telephone problems supposedly suffered by the charity in the previous year, and to ’clean’ the charity computer for free. When the Treasurer agreed, despite not having previously had problems with the phone, the fraudster took control of the computer and subsequently made payments to the fraudster’s bank account. The learning point: don’t be afraid to question seemingly ‘too good to be true’ offers of help, and never provide access to charity laptops to unknown and/or unverified individuals or organisations. Some of these examples may sound very basic, and I’m sure most would think they would not be fooled in these scenarios, but you’d be amazed how often the basics are missed.
There are plenty of ways in which charities can protect themselves from internal and external fraud, including the robust and consistent application of financial controls, and the implementation of the good practice available on the new Charities Against Fraud site, as well as other guidance such as the government's Cyber Essentials guide. However, equally important is encouraging a culture of professional scepticism and appropriate challenge where everyone is encouraged to play their part in stopping fraud and to come forward with any concerns, no matter how small.
And finally, don’t be afraid to report incidents to us and others. Knowing the challenges charities face allows us to warn others where necessary and help put in place better safeguards to protect charity funds. Being a victim is nothing to be ashamed of; but burying your head in the sand will only increase your vulnerability to fraud.