Blog

20 October 2017, 17:43

How safe is your charity from cybercrime?

John Baker of Moore Stephens looks at what charities need to do to reduce their risks of becoming a victim of fraud. Cybercrime, including deviant phishing scams, ransomware, and mandate fraud are becoming more prevalent as charities are receiving more donations online than ever.

Even when a charity has a strong corporate governance framework in place, it cannot guarantee it’s safe from fraud. Every organisation and individual is vulnerable to fraud; unfortunately, charities are not exempt. Fraudsters (including cyber-criminals, often sitting in their homes) do not care about their impact on society, people, animals or the environment as long as money can be made.

Sadly, given the size of the prize on the table and with focus (correctly) on the beneficiary, this means charities are very attractive and, if the fraudster is successful, it’s not only funds at risk, it’s reputations, resulting in donations and funding drying up. Given the good intentions and focus on beneficiaries, it’s a hard message for people working or volunteering in the charity sector to hear.  Many charity workers or volunteers do so because they want to make the world a better place, and they tend to see the best in people. This can mean all attention is focused on the charity’s aims with little left for reducing crime, exposing the risk of fraudulent acts by others with less honourable intentions.

The risk of fraud can be affected by a number of factors, such as the physical distance between the charity’s HQ and the ultimate charitable activities. The HQ may have strong controls and a robust ethical culture, but what guarantee is there that the same exist on the other side of the globe? Another risk factor is the number of links in the chain between HQ and the charity’s beneficiaries; the greater the number of middlemen, the bigger the risk. There has been a sharp increase in the number of mandate frauds against charities. This is where a fraudster will engineer a change to the direct debit, standing order or bank transfer mandate, by purporting to be an organisation with whom the charity transacts. It’s not helped by the massive rise in cyber-crime as the opportunities presented by technology and improved systems connectivity grows. Breaches in the confidentiality, integrity or availability of data is significant, but the loss of donors’, beneficiaries’ and other key stakeholders’ trust is devastating. Staggeringly, there were over 1.5 billion accounts compromised last year, ranging from user names and passwords, to credit card details, often made worse as many people use the same passwords for multiple accounts.

Worryingly, ‘ransomware’ (a computer virus that encrypts a user’s data and demands a ransom so that the files are returned to normal) is rocketing. A lack of user education and basic security controls can allow malicious software to bring down company databases, make hospitals switch to using pen and paper, divert shipping and threaten to close down blast furnaces. Malicious software is most commonly sent using phishing emails. At present, the threat of ransomware shows no signs of slowing down despite huge efforts to stamp it out. Well, that’s all very depressing isn’t it?  It doesn’t have to be! A large percentage of fraud can be prevented through simple steps and education. Here are a few tips to reduce the risks in the two areas we are seeing most losses in this year already:

Ransomware

• Don’t click on links or attachments for emails you suspect or don’t recognise. This is the main method of attack and this simple step will reduce risk dramatically.
• Ensure your anti-virus software is up to date. A good anti-virus will still stop a huge number of threats.
• Being an administrator may make it easier for you to install applications. Unfortunately it also makes it a lot easier for ransomware to spread, especially over computer networks, so be extra careful if you are an administrator.
• If one account is in a data breach many others may be – alert people and report it.
• A ‘password manager’ may be useful to keep track of your passwords.
• Setting up two step authentication can help protect against unauthorised access.

Mandate fraud

• All changes to key contacts should be verified with the outgoing key contact and verified with the supplier’s senior management team (via the main switchboard).
• No important instruction, such as payment, should be given by telephone or email – they must all be made in writing on letter-headed paper (and check the letter against those you have on record) with a follow up telephone call to the key contact (via the company switchboard).
• Confirm exactly who is making the request for change.
• You should check the supplier history, e.g. have they requested any other changes to their standard data? Are they a high transaction supplier?
• Be careful not to volunteer private or confidential information, such as supplier numbers and details.

Fraud and cyber-crime is enabled through poor controls, but rarely is it the control that is poor – it’s the application. Therefore, it’s important to think objectively about your risks to develop appropriate defences. You can never be 100% secure, but you can take steps to reduce your vulnerability.

Ask yourself:

• If you were a fraudster, what weaknesses in your charity could you exploit?
• What steps are you taking to build the right anti-fraud tone from the top and cascade it through your organisation?
• How are you conducting due diligence on your donors, beneficiaries and participants in your distribution chain?
• How are you ensuring transparency across your organisation so that fraudulent behaviour is harder to hide?
• Are you using technology as effectively as you can to reduce your risk of fraud?
• What are you doing to educate your people (including trustees, donors, beneficiaries and contractors/suppliers) in what to look out for, and how to respond?

CFG is proud to support Charity Fraud Awareness Week 23-27 October. Sign up to the CFG Counter Fraud Pledge and we'll send you a toolkit to get you started on your journey to preventing fraud in all its forms: www.cfg.org.uk/fraudpledge