Sarah Booth, IASME Consortium
According to the National Crime Agency, fraud is now the most prevalent type of crime in England and Wales and a significant and rising problem for charities.
In the tax year 2020-21, charities reported 1,059 separate incidents of fraud to Action Fraud which included almost £8.6 million of lost funds. The true scale of fraud against charities is believed to be much higher.
Fraud is simply the intent or the act of misrepresentation – fraudsters lying about themselves or their actions and services to steal money or information. It is important that a charity recognises that fraud can come from anywhere: from third parties that aren’t connected to the charity, from their customers, from their supply chain and even from their own volunteers and staff members. It is widely recognised that up to 90% of fraud is now “cyber enabled”, which means fraudsters increase the scale and reach of their crimes with the use of internet-connected computers.
While it’s true that good cyber security can mitigate a large volume of online fraud, it is just one tool in a multi-tool approach. Fraud remains very much a people problem, and this is why awareness, staff training and monitoring are crucial for counter fraud, as well as having policies and strategies in place to prevent and detect crime. Nobody can provide a single solution to prevent all fraud, but charities can help themselves by using controls to reduce the risk of fraud.
An essential part of protecting a charity from the threat of fraud is training staff and increasing awareness within the organisation. Ideally, people will recognise if fraud has occurred or, even better, that their awareness and actions have prevented fraud.
The most common technique that fraudsters use to target many people at the same time is to send emails (phishing) and text messages (smishing) or make phone calls (vishing) pretending to be a trusted source such as your bank, a delivery company or even the police. These methods attempt to trick their victims into revealing sensitive information such as bank details, credit card information or passwords. In an email, there will often be a link that you are asked to click on to address an urgent problem. The link or attachment is likely to contain malware.
These common types of fraud are often used to set up many more serious attacks. These include ransomware attacks which are a major threat to all businesses and charities. Ransomware is a type of malware that encrypts files to make them unusable. The files cannot be decrypted without a mathematical key known only by the attacker and this is how an organisation’s data is held to ransom. Making an untraceable bitcoin payment to the attackers may release the files but there is no guarantee.
Bank Transfer fraud (also known as Authorised Push Payment fraud) is another serious form of fraud that uses social engineering. Criminals can intercept business emails and therefore find out about upcoming transactions and the movement of large sums of money. When the time is right, they will contact an organisation via phone call or email pretending to be a client or a bank manager and instruct payments to be made into a new, different or ‘more secure’ account. Once the member of staff has been tricked and money is transferred into the criminal’s account, it is swiftly moved on elsewhere, making recovery of the funds very difficult.
Another threat that is on the rise is from the fraudulent insider. Many organisations need to take on extra staff quickly to cope with increased demands at busy times of year and scrutiny of new employees may be rushed through or disregarded. Dishonest people exploit times of pressure to place themselves within an organisation to carry out crime.
It is important for charities to be aware of these risks and to implement controls to help address and reduce the risk of fraud.