Australian charities need to get better at mitigating fraud risks
20 October 2021 at 5:15 pm
To mark Charity Fraud Awareness Week, Carol Chris, regional general manager of Australia and New Zealand at GBG, shares some of the processes and policies that charities and not for profits can put in place to help minimise the risks of fraud occurring.
Cybersecurity incidents in the not-for-profit sector are increasingly common and sophisticated, with recent attacks on Anglicare Sydney, UnitingCare Queensland and Oxfam Australia, to name a few. However, recent research by PwC highlights that in-house cybersecurity skills are not being prioritised, reflecting a dire need for charities to invest cost-effectively in technology that can prevent and protect against the latest threats.
While any organisation can be at risk of fraud and scams, charities, NGOs and NFPs are even more susceptible to fraud and financial crime, as fraudsters usually perceive them as easy targets because of a number of characteristics most charities have in common. Fundamental to any NFP is the need for public trust. NFPs are commonly established and managed by people who have a deep sense of responsibility to give something back to society, and this underlying objective is what inspires a high level of public trust and confidence, which recent research shows is growing.
Once a fraud is committed and discovered, an NFP faces the potential loss of support and credibility, not just from its existing ambassadors and board members but also from society and potential new donors whose trust in the institution wavers. That trust can take several years to rebuild.
While the pandemic and subsequent regulations have changed the world and driven mass digital adoption, fraudsters have also refined their approaches. Digital transformation across the board has completely changed the dynamics between business risk and financial crime. The rise in losses from fraud, data breaches and reports of incidents of non-compliance are indicative of Financial Crime 4.0 – the continuous evolution in digital fraud and identity theft, which unfortunately significantly impacts the NFP and charity sector.
In the current era of smart technology, we are seeing socially engineered first-party fraud, cyber-engineered fraud, and hybrid attacks in which social and cyber engineering are seamlessly coordinated by fraudsters. The pervasiveness of digitally connected devices and personal data sharing, driven by increasing use of social media, the internet of things (IoT) and eCommerce, means that charities now have multiple channels through which they can accept donations. Unfortunately, this also opens new ways for fraudsters to take advantage of charities.
While there is no foolproof method of preventing fraud, there are some processes and policies NFPs, charities and NGOs can put in place to help minimise risks and the likelihood of such instances occurring.
1. Conduct a risk assessment
All charities should conduct a risk assessment to gain visibility of their vulnerabilities. Organisations should collaborate with staff from all functions to determine the key risk areas and their likely impact if the risks do eventuate.
Once the high-risk areas have been identified, charities, NFPs and NGOs are in a better position to develop and implement a prevention and mitigation strategy to minimise the impact of those risks.
2. Establish strict internal controls
Fraud against NFPs is split into two main categories: internal and external fraud. Internal fraud refers to frauds committed by someone within the NFP, such as volunteers, employees, senior management or the board. External fraud refers to frauds committed by someone outside the NFP, such as cyber criminals, program participants, suppliers or beneficiaries.
Any charity should ensure it has effective internal controls in place to mitigate the identified risks. Internal fraud in NFPs usually happens because of weak segregation of duties: with limited resources, NFPs often channel funds towards meeting their core objectives rather than salaries and administrative costs, so one person ends up raising, approving and recording the same payment.
Internal controls for charities can take the form of separating maker and checker roles with different levels of access, setting up a committee for cross accountability when authorising movement of funds, and ensuring an audit trail is maintained to show the review of documents. There should also be regular reconciliation of the charity’s bank statements against its accounts to identify any suspicious or unusual expenses.
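As an added illustration (this is not code from the article or from GBG), the following Python script shows what the maker/checker and bank reconciliation controls described above look like when automated. It runs over a constructed sample ledger and bank statement; the approval threshold, date tolerance, duplicate window and record layout are all assumptions, and a real deployment would read these from the finance system and the bank's statement export.

```python
"""Toy maker/checker and bank reconciliation checks over constructed sample data.

Added example; not the article's or GBG's code. Thresholds and record
layouts are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import List, Optional, Tuple

DUAL_APPROVAL_THRESHOLD = Decimal("1000.00")  # assumed policy: second approver above this
DATE_TOLERANCE = timedelta(days=3)             # assumed clearing delay we tolerate
DUPLICATE_WINDOW = timedelta(days=7)           # assumed window for "paid twice" detection


@dataclass(frozen=True)
class LedgerEntry:
    ref: str                 # internal payment reference
    when: date               # date the payment was raised
    payee: str
    amount: Decimal          # positive = money out
    maker: str               # who raised the payment
    checker: Optional[str]   # who approved it; None if nobody did


@dataclass(frozen=True)
class BankTxn:
    when: date
    description: str
    amount: Decimal          # negative = debit, as printed on a statement


Finding = Tuple[str, str]


def _matches(entry: LedgerEntry, txn: BankTxn) -> bool:
    """A bank debit matches a ledger entry on amount, date window and reference."""
    return (txn.amount == -entry.amount
            and abs(txn.when - entry.when) <= DATE_TOLERANCE
            and entry.ref in txn.description)


def reconcile(ledger: List[LedgerEntry], bank: List[BankTxn]) -> List[Finding]:
    """Pair ledger payments with bank debits; report whatever is left on either side."""
    findings: List[Finding] = []
    unmatched_bank = list(bank)
    for entry in ledger:
        hit = next((t for t in unmatched_bank if _matches(entry, t)), None)
        if hit is None:
            findings.append(("LEDGER_NOT_IN_BANK", entry.ref))
        else:
            unmatched_bank.remove(hit)      # each bank line may satisfy one entry only
    for txn in unmatched_bank:
        if txn.amount < 0:                  # money left the account with no ledger record
            findings.append(("BANK_DEBIT_NOT_IN_LEDGER", txn.description))
    return findings


def check_controls(ledger: List[LedgerEntry]) -> List[Finding]:
    """Segregation-of-duties and duplicate-payment checks on the ledger alone."""
    findings: List[Finding] = []
    for entry in ledger:
        if entry.amount >= DUAL_APPROVAL_THRESHOLD:
            if entry.checker is None:
                findings.append(("MISSING_SECOND_APPROVAL", entry.ref))
            elif entry.checker == entry.maker:
                findings.append(("MAKER_IS_CHECKER", entry.ref))
    # Same payee, same amount, close together: a classic sign of a payment raised twice.
    ordered = sorted(ledger, key=lambda e: (e.payee, e.amount, e.when))
    for a, b in zip(ordered, ordered[1:]):
        if (a.payee, a.amount) == (b.payee, b.amount) and b.when - a.when <= DUPLICATE_WINDOW:
            findings.append(("POSSIBLE_DUPLICATE", f"{a.ref},{b.ref}"))
    return findings


# Constructed sample data (not real transactions).
SAMPLE_LEDGER = [
    LedgerEntry("P-1001", date(2021, 10, 1), "Venue Hire Ltd", Decimal("450.00"), "alice", "bob"),
    LedgerEntry("P-1002", date(2021, 10, 4), "Print Co", Decimal("2400.00"), "alice", "alice"),
    LedgerEntry("P-1003", date(2021, 10, 5), "Print Co", Decimal("2400.00"), "carol", None),
    LedgerEntry("P-1004", date(2021, 10, 6), "Catering", Decimal("300.00"), "bob", "alice"),
]
SAMPLE_BANK = [
    BankTxn(date(2021, 10, 2), "BPAY Venue Hire Ltd P-1001", Decimal("-450.00")),
    BankTxn(date(2021, 10, 5), "EFT Print Co P-1002", Decimal("-2400.00")),
    BankTxn(date(2021, 10, 6), "EFT Print Co P-1003", Decimal("-2400.00")),
    BankTxn(date(2021, 10, 7), "EFT Unknown Supplies", Decimal("-980.00")),
    BankTxn(date(2021, 10, 7), "Donation J Smith", Decimal("50.00")),
]

if __name__ == "__main__":
    for code, detail in reconcile(SAMPLE_LEDGER, SAMPLE_BANK) + check_controls(SAMPLE_LEDGER):
        print(f"{code:26} {detail}")
```

Each finding is a lead for the finance committee, not a proven fraud: a legitimate payment can clear late, and two identical invoices can be genuine. The point is that the checks run routinely and independently of the person who raised the payment.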
3. Anti-fraud policies
It is best practice for any organisation, of any size, to develop a comprehensive fraud prevention policy. The policy should include a clear definition of fraud along with a few examples of what may be deemed fraudulent activity. It should set out the overall responsibility of management, instructions and procedures to prevent, detect and deal with fraud, the process a whistleblower should follow when fraud is suspected, and how the whistleblower will be protected.
Charities need to have a whistleblower policy in place to encourage employees to report any suspicion of fraud.
4. Mitigate cybersecurity threats
Educate and regularly share examples of fraud, identity theft, and cybersecurity threats with employees, donors, and beneficiaries. Heightened awareness and understanding of the various modes of fraud attacks like phishing emails, access requests over calls or text messages, and more can help deflect attacks in the first place.