Fraud in Professional Membership Organisations
Vikram Sandhu, Director at haysmacintyre.
As we approach the end of a period of instability, one area for PIMBs organisations to continue monitoring is the resulting increased risk of fraud, from both an internal and an external perspective. The COVID-19 pandemic has seen a rise in fraudulent activity from criminal opportunists. Reports suggest 65% of not for profit organisations feel the pandemic has increased their risk of fraud, citing remote working and virtual sign-off processes as key factors contributing to this increase. Below, we explore how not for profit organisations can implement changes to fight fraud and stay one step ahead.
A report by the Charity Commission in October 2021 showed charities reported almost £8.6m of lost funds in the last financial year and 1,059 separate incidents of fraud were reported by charities during this time. However, the true scale of fraud against charities is believed to be much higher.
The economic impact of the pandemic provides plenty of motivation for fraudsters as many people face an uncertain financial future, and the cessation of the furlough scheme has meant that some employees have been forced to accept lower pay. The PIMBs sector has adapted well to remote working, but changes to usual practices may mean that controls have not yet been updated or tested. In circumstances where administrative headcount has been reduced, there remains the possibility of a reduction in certain internal controls, such as segregation of duties.
The most common areas of external fraud against organisations relate to procurement and payroll. Phishing emails continue to be the most effective way for fraudsters to carry out their activities. Typically, these request that payments be made to the fraudsters’ bank accounts, with emailed instructions appearing to come from the Chief Executive, Finance Director, or suppliers.
Additionally, over the last few years membership organisations have been targeted by fraudsters placing themselves in the middle of communications, such as membership renewals. More recently, the hacking of senior management email accounts has resulted in their monthly salaries being paid into the fraudsters’ bank accounts. Unfortunately, this trend shows no signs of abating.
The use of portals can help mitigate the risk of interception, although many rely on email correspondence which remains the most susceptible to fraud. In several instances there has been a strong element of manipulation, as fraudsters build trust with members through contact by phone, email, or other direct messaging.
We have set out below a range of suggested mitigating procedures for you. Organisations should:
- Ensure all administration staff are aware of this type of fraud
- Ensure staff are aware of cyber-protection protocols and understand NOT to open links or attachments from unexpected or suspicious emails. Doing so may compromise the organisation’s email system.
- Review password protocols and ensure those that are used are strong, as long as possible, and contain a combination of letters, numbers, and symbols
- Consider using a ‘payment gateway’ for the receipt of funds from clients
- Ensure computer systems are secure and that antivirus software is up to date
- Help to combat ‘typo squatting’ by considering registering similar domain names
How can organisations protect themselves from fraud?
- Communicate and raise awareness
Employees are the first line of defence when it comes to spotting and preventing fraud – refresh their training often.
- Review your fraud risk assessment
Fraud risk assessments need to be reconsidered through the lens of the COVID-19 environment. PIMBs organisations should be asking themselves: what has changed with respect to payments exiting the organisation; has there been a change in segregation; and are review processes being adhered to?
- Look for exceptions
Be diligent with the basics, such as a review of high-value transactions and changes to supplier and employee bank account details, to uncover irregular historic transactions or red flags.
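The exception review described above (high-value payments, recently changed supplier or employee bank details, and missing segregation of duties) is simple enough to automate over a payment run and a master-data change log. The script below is an added illustration, not haysmacintyre's or any finance system's code; the records, the £10,000 review threshold, the 30-day look-back window and the reason codes are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records (not real data): a log of changes to payee
# master data for suppliers and payroll, and a payment run from the same period.

@dataclass(frozen=True)
class DetailChange:
    payee: str
    field: str                   # e.g. "bank_account", "address"
    changed_on: date
    changed_by: str
    approved_by: Optional[str]   # None = never independently approved

@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee: str
    amount: float
    paid_on: date
    entered_by: str
    approved_by: str

DETAIL_CHANGES = [
    DetailChange("Acme Print Ltd", "bank_account", date(2021, 9, 1), "jsmith", None),
    DetailChange("Venue Hire Co", "address", date(2021, 8, 15), "alee", "bkhan"),
    DetailChange("Events Catering", "bank_account", date(2021, 5, 1), "alee", "bkhan"),
    # Payroll self-service change with no second-person approval
    DetailChange("A. Director (payroll)", "bank_account", date(2021, 9, 25), "self-service", None),
]

PAYMENTS = [
    Payment("P001", "Acme Print Ltd", 12500.00, date(2021, 9, 3), "jsmith", "jsmith"),
    Payment("P002", "Venue Hire Co", 4200.00, date(2021, 9, 10), "jsmith", "bkhan"),
    Payment("P003", "Events Catering", 800.00, date(2021, 9, 12), "alee", "bkhan"),
    Payment("P004", "Acme Print Ltd", 950.00, date(2021, 9, 20), "alee", "bkhan"),
    Payment("P005", "A. Director (payroll)", 6000.00, date(2021, 9, 28), "payroll_system", "bkhan"),
]

HIGH_VALUE_THRESHOLD = 10_000.00   # assumed review threshold
BANK_CHANGE_WINDOW_DAYS = 30       # assumed look-back window for bank-detail changes


def flag_exceptions(payments, changes,
                    threshold=HIGH_VALUE_THRESHOLD,
                    window_days=BANK_CHANGE_WINDOW_DAYS):
    """Return {payment_id: [reason codes]} for payments that need manual review."""
    flagged = {}
    for p in payments:
        reasons = []
        if p.amount >= threshold:
            reasons.append("HIGH_VALUE")
        # Same person keyed and approved the payment: segregation of duties broken
        if p.entered_by == p.approved_by:
            reasons.append("NO_SEGREGATION")
        # Bank details changed shortly before this payment went out
        recent = [c for c in changes
                  if c.payee == p.payee and c.field == "bank_account"
                  and 0 <= (p.paid_on - c.changed_on).days <= window_days]
        if recent:
            reasons.append("RECENT_BANK_CHANGE")
            if any(c.approved_by is None for c in recent):
                reasons.append("UNAPPROVED_BANK_CHANGE")
        if reasons:
            flagged[p.payment_id] = reasons
    return flagged


def format_report(flagged):
    """Render the flagged payments as plain lines for the reviewer."""
    return "\n".join(f"{pid}: {', '.join(reasons)}" for pid, reasons in sorted(flagged.items()))


if __name__ == "__main__":
    print(format_report(flag_exceptions(PAYMENTS, DETAIL_CHANGES)))
```

On the sample data the report flags P001 (high value, keyed and approved by the same user, paid two days after an unapproved bank-detail change), P004 (a small payment to the same changed account, which is why the check looks at the change rather than the amount) and P005 (a salary paid three days after an unapproved self-service change). P003 is not flagged because its bank-detail change was properly approved and happened well outside the window.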
In summary – stay vigilant!
haysmacintyre, in partnership with Memcom, is running a series of events around risk as part of the Risk Ready Workstream.