Mitigating Fraud at Your Not-For-Profit: Lessons Learned

During the recent webinar, Unmasking Fraud in Not-for-Profits: Five Key Schemes and Five Preventive Steps, we engaged with hundreds of accounting and finance professionals from not-for-profit entities across the country. Individuals shared their thoughts and perspectives on the fraudulent activity they are seeing in their organizations and methods to mitigate risk.

Below are the top four fraud categories that emerged—phishing schemes, credit card fraud, check fraud and cash theft—along with key insights to help protect your organization.

Threat #1: Phishing Scams and Email Fraud

In many phishing schemes, attackers either spoof a trusted sender's address (often from a lookalike domain they have registered) or take over a trusted email account outright, then use several methods to steal funds from organizations. The most common tactics include:

  • Gift Card Scams: These scams rely on social engineering rather than any technical break-in. A fraudster poses as a senior leader and asks a team member to buy gift cards for customers or colleagues, then asks for the numbers on the back of the cards, including the PINs. Once they have this information, they spend the cards online within minutes, leaving the organization with the expense.
  • Fake Vendor Invoices: The attacker impersonates a vendor and sends a fraudulent invoice for payment or attempts to reroute regular automated clearing house (ACH) payments to a new account. A common technique is typosquatting: registering domain names that look like the legitimate one but contain slight variations, such as bankofarnerica.com (using "rn" instead of "m"), so that a reply or a new invoice passes a quick glance. Treat any request to change a vendor's bank account details as unverified until someone has confirmed it with the vendor through a phone number already on file.
  • Rerouting of Customer Proceeds: After taking over an email account at the organization, usually one belonging to someone in the accounting department, the attacker sends invoices to customers from the genuine address. These invoices look legitimate but carry altered payment instructions directing funds to the attacker's bank account.
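The typosquatting tactic above can be checked mechanically before an invoice or a change of bank details is acted on. The following is an added example, not code from the original post or from the webinar presenters: it folds a sender's domain into a comparison form (Unicode decomposition, lowercase, and a table of look-alike substitutions such as "rn" for "m" and Cyrillic letters for Latin ones), then compares it against a vendor allowlist, flagging exact matches, near misses within one edit, and everything else as unknown. The allowlist domains and sample addresses are constructed for the example; the `registrable()` helper keeps only the last two labels and, as noted in the code, a production version would use the Public Suffix List instead.

```python
from __future__ import annotations

import unicodedata

# Constructed allowlist of domains the organization actually does business with.
# Placeholder values for the example, not a real vendor list.
KNOWN_DOMAINS = {"bankofamerica.com", "acme-supplies.com", "ourcharity.org"}

# Character sequences attackers substitute because they look alike on screen.
# Multi-character pairs go first so "rn" collapses to "m" before single characters run.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    # Cyrillic letters that render identically to Latin ones (IDN homograph attacks)
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def canonical(domain: str) -> str:
    """Fold a domain into a comparison form: decompose Unicode, drop accents,
    lowercase, then collapse the confusable sequences above."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    for lookalike, real in CONFUSABLES:
        text = text.replace(lookalike, real)
    return text


def registrable(domain: str) -> str:
    """Reduce mail.example.com to example.com by keeping the last two labels.
    Assumption: production code would consult the Public Suffix List so that
    names such as example.co.uk are handled correctly."""
    labels = domain.strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution counts 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# canonical form -> the real domain it belongs to
CANONICAL_KNOWN = {canonical(d): d for d in KNOWN_DOMAINS}


def classify_sender(address: str) -> tuple[str, str | None]:
    """Return ("known", domain), ("lookalike", domain) or ("unknown", None)."""
    domain = address.rsplit("@", 1)[-1]
    exact = registrable(domain.lower())
    folded = registrable(canonical(domain))
    if folded in CANONICAL_KNOWN:
        real = CANONICAL_KNOWN[folded]
        # A match that only appears after folding means characters were swapped.
        return ("known", real) if exact == real else ("lookalike", real)
    for canon, real in CANONICAL_KNOWN.items():
        if edit_distance(folded, canon) <= 1:
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sender addresses (not from the original post) to exercise the check.
    samples = [
        "ap@bankofamerica.com",            # genuine
        "ap@bankofarnerica.com",           # "rn" for "m"
        "ap@b\u0430nkofamerica.com",       # Cyrillic "a" in place of Latin "a"
        "ap@bankofamerica.co",             # one character dropped
        "billing@mail.acme-supplies.com",  # genuine subdomain
        "someone@randomvendor.net",        # not on the allowlist
    ]
    for sender in samples:
        print(f"{sender:40} -> {classify_sender(sender)}")
```

A "lookalike" verdict should block the payment workflow until someone confirms with the vendor by phone. Note that this check complements, rather than duplicates, DMARC: DMARC stops mail that forges your exact domain, but a typosquatted domain the attacker legitimately owns will pass every authentication check.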

How to Protect Your Organization from Phishing Scams

Here are a few ways you can help your organization avoid falling for phishing scams.

  • Implement security awareness training to help employees recognize phishing attempts and attempted fraud.
  • Use email authentication on your own domain: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and a Domain-based Message Authentication, Reporting and Conformance (DMARC) record with an enforcing policy, so that receiving mail systems can reject messages that spoof your domain. Configure your inbound email filtering to enforce the same checks on senders. Require multi-factor authentication on all accounts, starting with email and online banking.
  • Hire a cybersecurity specialist to conduct penetration testing, also known as ethical hacking. The specialist will attempt to hack into an organization’s system to identify weaknesses in security protocols.
  • Restrict personal email access on company devices to reduce exposure to malware and phishing attacks.
  • Encourage employees to pause and verify urgent financial requests through a second channel, such as a phone call to a number already on file, never by replying to the email or calling a number it supplies. Scammers create urgency to manipulate victims.
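A DMARC record only helps if its policy is actually enforcing; a record published in monitor-only mode is a common half-finished deployment. The following is an added example, not part of the original post, that parses a DMARC TXT record (the string you get back from `dig +short TXT _dmarc.yourdomain.org`) and lists the settings a reviewer would flag: a `p=none` or `p=quarantine` policy, a weaker subdomain policy, a `pct` below 100, and a missing aggregate-report address. The two sample records, one weak and one hardened, are constructed for the example; `ourcharity.org` and the report mailbox are placeholders.

```python
from __future__ import annotations

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; rua=...") into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return the weaknesses found; an empty list means the record enforces fully."""
    tags = parse_dmarc(record)
    findings: list[str] = []

    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        findings.append("p= tag missing or invalid; receivers will ignore the record")
        policy = "none"
    elif policy == "none":
        findings.append("p=none only monitors; mail that fails authentication is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to spam; p=reject blocks it outright")

    # sp= governs subdomains and defaults to p=; a weaker value leaves them open to spoofing
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH[policy]:
        findings.append(f"sp={sub_policy} leaves subdomains weaker than the main domain")

    # pct= is the share of failing mail the policy is applied to (default 100)
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address; you will not receive aggregate reports showing who spoofs your domain")

    return findings


# Constructed records for the example: the weak one is a typical "monitor only" deployment,
# the hardened one is what the record should look like once the domain's mail sources are known.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@ourcharity.org"

if __name__ == "__main__":
    for label, record in [("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)]:
        print(f"{label}: {record}")
        for finding in assess_dmarc(record) or ["no findings"]:
            print(f"  - {finding}")
```

Move to `p=reject` only after the aggregate reports show that every legitimate sending service (payroll, donor CRM, newsletter platform) passes SPF or DKIM with alignment; otherwise your own mail is what gets rejected.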

Threat #2: Credit Card Fraud

Credit cards are a frequent concern for not-for-profits. The most common types of fraud include:

  • Unauthorized personal purchases: An authorized employee uses a company-issued credit card for personal items, either accidentally or intentionally.
  • Compromised accounts: Hackers obtain a company credit card’s information and use it for unauthorized purchases online or in person with a cloned credit card.

How to Protect Your Organization from Credit Card Fraud

Here are a few ways to protect your organization from accidental or fraudulent credit card use.

  • Limit the number of company credit cards and issue them only to employees who need them for their jobs. Following a standard expense reimbursement policy may be a more secure process.
  • Set internal policies restricting the amount employees can spend on a credit card without prior approval from a superior. Work with your financial institution to set spending limits and merchant restrictions.
  • Review credit card statements monthly and require employees to submit receipts or invoices for all purchases. Statements alone may not provide enough detail to distinguish business from personal expenses.
  • Establish clear credit card usage policies and revoke cards from employees who violate them. Small violations can escalate into fraud.

Threat #3: Check Fraud and Theft

Even though paper checks are decreasing in popularity, check theft and fraud remain a threat to organizations. However, your organization can take steps to reduce the risk.

How to Protect Your Organization from Check Fraud

With a few changes to your processes, you can decrease the chances of your organization experiencing check fraud.

  • Use Positive Pay: This feature, offered by most banks, matches each check presented for payment against the list of checks you issued. If the check number, amount or other verified details do not match, the bank holds the item as an exception for you to approve or return before its daily deadline. Consult with your bank to determine which check characteristics they can verify (for example check number, amount, date and, with payee positive pay, the payee name) and the specific process they use.
  • Reduce reliance on physical checks and consider ACH or an automated payment system (such as virtual card numbers) that does not expose your bank account details to vendors.
  • Perform timely bank reconciliations to detect fraud early. Assign the reconciliation to an employee who has neither check-signing nor payment-initiation authority, so that one person cannot both move money and conceal it.
  • Require dual signatures on checks above a certain amount. While banks may not enforce this requirement, it increases both real and perceived fraud detection.
  • Follow U.S. Postal Inspector recommendations for mailing checks.
    1. Drop checks off at the post office.
    2. Hand envelopes containing checks directly to a mail carrier.
    3. Drop checks in a blue United States Postal Service (USPS) collection box before the last pickup of the day to prevent overnight theft.
  • Use gel ink pens, which are more resistant to check washing.
  • Cancel and reissue stale checks. When required, escheat uncashed checks to the state.
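The Positive Pay matching and the reconciliation steps above come down to the same comparison: the register of checks you issued against the items the bank has been asked to pay. The following is an added example, not code from the original post or from any bank's product, showing that comparison in miniature. It flags items not in the register, altered amounts, washed payee names and duplicate presentments, and it returns the issued checks still outstanding, which is the list to review for stale items. The check register and the presented items are constructed sample data; payee matching is optional because not every bank offers it.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: str
    payee: str
    amount: Decimal  # Decimal, not float, so 312.45 compares exactly


def normalize_payee(name: str) -> str:
    """Banks match payee names loosely; fold case and whitespace before comparing."""
    return " ".join(name.lower().split())


def positive_pay(issued: list[Check], presented: list[Check], verify_payee: bool = True):
    """Match presented items against the issued register.

    Returns (numbers approved to pay, exceptions as (number, reason), outstanding issued checks).
    """
    register = {c.number: c for c in issued}
    paid: list[str] = []
    exceptions: list[tuple[str, str]] = []
    for item in presented:
        original = register.get(item.number)
        if original is None:
            exceptions.append((item.number, "not in issued register"))
        elif item.number in paid:
            exceptions.append((item.number, "duplicate presentment"))
        elif item.amount != original.amount:
            exceptions.append((item.number, f"amount {item.amount} differs from issued {original.amount}"))
        elif verify_payee and normalize_payee(item.payee) != normalize_payee(original.payee):
            exceptions.append((item.number, f"payee '{item.payee}' differs from issued '{original.payee}'"))
        else:
            paid.append(item.number)
    # Anything issued but not validly presented stays outstanding (stale-check review list).
    outstanding = [c for c in issued if c.number not in paid]
    return paid, exceptions, outstanding


# Constructed check register and bank presentment file (placeholder payees, not real entities).
ISSUED = [
    Check("1041", "Acme Supplies", Decimal("1250.00")),
    Check("1042", "City Utilities", Decimal("312.45")),
    Check("1043", "Jane Volunteer", Decimal("80.00")),
    Check("1044", "Downtown Office Supply", Decimal("96.10")),
    Check("1045", "Main Street Properties", Decimal("2000.00")),
]
PRESENTED = [
    Check("1041", "Acme Supplies", Decimal("1250.00")),          # clean match
    Check("1042", "City Utilities", Decimal("3120.45")),         # amount altered
    Check("1043", "J. Smith", Decimal("80.00")),                 # payee washed and rewritten
    Check("1044", "downtown office supply", Decimal("96.10")),   # case differs only
    Check("1044", "Downtown Office Supply", Decimal("96.10")),   # same check presented twice
    Check("1099", "Unknown Payee", Decimal("500.00")),           # never issued
]

if __name__ == "__main__":
    paid, exceptions, outstanding = positive_pay(ISSUED, PRESENTED)
    print("pay:", paid)
    for number, reason in exceptions:
        print(f"exception {number}: {reason}")
    print("outstanding:", [c.number for c in outstanding])
```

Run with `verify_payee=False` to see the difference payee positive pay makes: the washed check 1043 is then approved on number and amount alone, which is exactly the case to raise with your bank.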

Threat #4: Cash Theft

With in-person events and volunteers, theft of petty cash or donations and register skimming are common issues for not-for-profits.

How to Protect Your Organization from Cash Theft

Here are a few easy steps your organization can take to limit the opportunities for cash theft.

  • Minimize the number of cash collection containers and locations.
  • Ensure cash containers are secure and, if possible, within view of security cameras. This will assist in investigating any theft allegations and decrease the risk of theft by increasing the perception of detection.
  • Conduct frequent cash counts and reconcile to cash register listings to detect discrepancies early.
  • Ensure that when collecting cash donations, there is always more than one employee present.

Key Takeaways

While not-for-profits operate with a mission-driven focus, they are not immune to fraud risks. Being proactive is the best defense, and there are simple steps organizations can take today. According to the Association of Certified Fraud Examiners' Report to the Nations, the longer a fraud goes undetected, the greater the financial loss. Where preventing fraud is not possible, detecting it early is critical. By implementing these safeguards, your organization can reduce its exposure and ensure that financial resources remain dedicated to your mission.

Jon Klerowski, CPA, CFE, ABV; Alexander Buchholz, CPA, MBA, CGMA; and Robert Gaines, CISSP, CECI, CCFI and C|OSINT co-authored this post.