We are probably all aware of how unscrupulous individuals can set themselves up with a collecting bucket pretending to be a bona fide collector, but have no intention of passing on the donations to the named charity. Generally, the unsuspecting donors lose out on a few bits of change and thus the individual loss is fairly low, with little reputational damage for the charity unwittingly involved.
But, as we read or hear about daily, telephone and cybercrimes are becoming more sophisticated and prevalent. Sums of money stolen can be large and the potential for reputational damage much higher, as an example provided recently to CFG by a member charity shows.
A very distressed woman called the charity, concerned that she had been contacted via email by someone pretending to be from the charity. The email had been sent by “George Faga” and “Susan Jones” – the latter being listed as the Procurement Officer. In time, the woman had been convinced to part with a substantial amount of money with the promise of a return on her investment. Needless to say, the donor’s bank told her that she is very unlikely to get any of her money back. The person who had been defrauded was very upset and made it clear to the charity that she would be going to the press and naming names.
Whilst the charity concerned is wholly innocent, the incident does pose potential reputational risks as well as being upsetting and time-consuming for staff and volunteers to deal with. Preventing this type of fraud is extremely difficult, if not impossible; it is all too easy for someone to set up a spoof website and email addresses using data and logos from the official website.
Charities can, however, take some steps to reduce reputational damage:
• Let your current donor base know how you will contact them, and encourage donors to talk to you if they have any concerns
• Monitor domain names that are close to yours; you don’t need to purchase them but put in place a strategy to alert you should others buy them; this might indicate future malevolent use
• Prepare a procedure for staff and volunteers to follow, including a communication plan, should your charity be used in this way
• Ensure that this type of crime is managed in line with your overall fraud policy and procedures
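
One way to act on the domain-monitoring step above, as an added example (not CFG's or any charity's own tooling): a Python check that compares a feed of newly seen domain names against your own and reports the close matches with a reason. The domain names, the feed and the function names are constructed for illustration, and the feed is assumed to hold registrable domains without a `www.` prefix.

```python
import unicodedata

# Constructed sample data: reserved TLDs, not real registrations.
OWN = "kindheartstrust.example"
FEED = ["kindheartstrust.test", "kindhearts-tru5t.example", "kindheartsrust.example",
        "kindheartstrust-donate.example", "gardeningclub.example", OWN]

# Common look-alike substitutions folded before comparison (not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def skeleton(domain):
    """Reduce a registrable domain to a comparison form of its first label."""
    label = domain.lower().rstrip(".").split(".")[0]
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(own, candidate, max_distance=2):
    """Return why candidate resembles own, or None if it does not."""
    if candidate.lower().rstrip(".") == own.lower().rstrip("."):
        return None  # your own domain
    mine, theirs = skeleton(own), skeleton(candidate)
    if mine == theirs:
        return "same name after folding look-alikes, or same name on another TLD"
    if mine in theirs:
        return "your name with extra words added"
    distance = edit_distance(mine, theirs)
    if distance <= max_distance:
        return f"{distance} edit(s) away from your name"
    return None

def review(own, feed):
    """Map each suspicious domain in the feed to the reason it was flagged."""
    return {d: reason for d in feed if (reason := check(own, d))}

if __name__ == "__main__":
    for domain, reason in review(OWN, FEED).items():
        print(f"ALERT {domain}: {reason}")
```

The feed itself would come from whatever source of newly registered or newly observed domains you have access to; each alert is a prompt to look at the domain and, if needed, start the procedure in the next bullet.
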
Direct Cyber attack:
In December, the Charity Commission issued a regulatory alert concerning two prevalent ‘phishing’ frauds involving emails purporting to:
• Come from the police giving notice of prosecution
• Give ‘Crime Prevention Advice’
The attachments to the email contain key logging software, thus enabling the scammers to log passwords, or software which collects bank logon details. These are two specific examples of emails, but they continually evolve.
The Charity Commission advises:
• If you’re unsure, check the email header to identify the true source of communication - information on how to locate email headers can be found at https://mxtoolbox.com/Public/Content/EmailHeaders/.
• Always install software updates as soon as they become available, as the update will often include fixes for critical security vulnerabilities.
• If your current software does not offer an ‘anti-spyware’ function, consider installing software which does, as this can detect key loggers.
• Undertake regular backups of your important files to an external hard drive, memory stick or online storage provider - however, it’s important that the device you back up to is not left connected to your computer, as a malware infection could spread to that device too.
• If you suspect your bank details could have been accessed, you should contact your bank immediately.
The above are examples of just some of the many different types of fraud. Your trustees need to have a complete fraud policy in place to protect the charity.
CFG is proud to support Charity Fraud Awareness Week 23-27 October. Sign up to the CFG Counter Fraud Pledge and we'll send you a toolkit to get you started on your journey to preventing fraud in all its forms: www.cfg.org.uk/fraudpledge