Articles

Charities are not immune to fraud and can even be more vulnerable to it. Learn how to protect your charity from fraud and how to report it…

According to the National Crime Agency, fraud is the most common crime in the UK and accounts for 40% of all crime in England and Wales. With such a high prevalence, charities are not immune to fraud. In fact, according to the National Cyber Security Centre (NCSC), charities are particularly vulnerable to falling victim to cyber crime. So what can your charity do to minimise its risk of fraud and protect itself?

Types of fraud

Fraud is defined as ‘wrongful or criminal deception, intended to result in financial or personal gain’. There are many different types of fraud, but ones that charities should be alert for in 2024 as follows.

AI fraud and phishing

Phishing is when emails or messages are sent from scammers, who are impersonating reputable companies, in order to obtain information such as passwords or personal details to then use nefariously. ChatGPT, an AI tool, is now being used to help fraudsters create phishing emails that closely resemble a legitimate business, in order to convince the recipient of its authenticity.

Phone scams

This refers to fraud that can take place via phone call or text message. In May 2024, a community charity in Cumbria received a phone call from someone posing as an employee of their bank to alert them to suspicious transactions. They were so convincing that the charity employee provided everything they needed to check the ‘suspicious transactions’ when in reality they were accessing the account to empty it of all the funds.

Malware and ransomware attacks

Malware and ransomware is malicious software which could cause a device, such as a laptop, to become unusable. It can also steal, delete or encrypt data. In the case of ransomware, an organisation is told they need to pay a ransom in order to unlock their computer/system and to access their data.

Internal fraud

While it’s difficult to believe that anyone working at a charity would defraud them, sadly it does happen. In one recent case, a charity worker has been accused of 25 offences relating to £1m in Gift Aid fraud. It’s essential to have processes in place and additional security measures to minimise the risk of internal fraud by employees.

How charities can protect themselves from fraud

Fraud can strike any of us at any time. Below we explore some ways that charities can prevent fraud.

Sign up to the Active Cyber Defence Programme

The NCSC provides a range of free cyber security services and tools as part of its Active Cyber Defence Programme.

Carry out a risk assessment

Identify where your charity may be at risk from fraud and what level of risk each area poses. For example, everyone working for a charity is at risk of receiving phishing emails, however not everyone would be exposed to the threat of internal financial fraud.

Provide training

It’s important that employees understand the ways that fraud can occur, especially new types of fraud. Practical training can help them identify suspicious activity, as well as how to report it internally — or even externally in a whistleblowing scenario.

Strengthen your IT

You can strengthen security by implementing two-factor authentication for email etc as well as ensuring that software is regularly updated via automated updates. The latter is sometimes referred to as ’patch management’. 

Putting the right cyber security technology in place is essential. A range of cyber security products are available on the Charity Digital Exchange at a discount, meaning protecting your charity doesn’t have to break the budget.

Use fraud detection tools

The NCSC provides a free Early Warning service. By registering, your charity will be alerted to the presence of malware and vulnerabilities affecting your network, including high level alerts that suggest your system has been compromised.

Have a response plan

Ensure that everyone knows the steps they need to take in the event of fraud or a major security breach. An incident response plan can help you to respond quickly, and effectively, and potentially minimise the damage.

Take out cyber insurance

According to the 2022 Cyber Security Breaches Survey by the Department for Digital, Culture, Media and Sport, 30% of charities identified a cyber attack in the last 12 months. Yet only 22% of charities had cyber security insurance (as part of a wide insurance policy) and just 5% had a specific cyber insurance policy. With the rise in technology and AI fraud, charities should ensure that they have cyber insurance.

What to do if your charity has been a victim of fraud

If your charity has fallen victim to fraud, there are several things that you will need to do.

Report the fraud

For serious incidents, such as a significant loss of money or a ransom attack, you must report it to Action Fraud, which is the UK’s national fraud and cyber crime reporting centre. Trustees must report the incident to the Charity Commission as soon as possible.

Review your risk register

Make sure that you review and update your risk register at your next board meeting.

Step up security

If necessary, step up security. For example, if the fraud occurred internally then set up a system whereby two people need to sign off payments. If it was cyber fraud, ensure that your IT systems are up-to-date, purchase additional security software and ensure staff are trained to spot anything suspicious. 

)