Fraud Happens: A Practical Guide for Nonprofits to Reduce Their Risk

By Vincent Thomas

Fraud is possible wherever sensitive information changes hands, and the most exposed points sit at the edges of your organization: when a donor makes a contribution, when vendors are paid, or when you communicate with members, banks, and other financial service providers. Here are six ways to secure your digital perimeter when it comes to payments.

  1. Automate all donor or member payments. Train employees never to take credit card information over the phone. Instead, accept payments through a secure online system or an automated pay-by-phone option. Payment automation keeps card numbers off employees' desks and out of your own systems, and it also creates a record of the transaction that can be verified if needed.

  2. Create controls for checks and ACH payments. Organizations with satellite chapters that pay bills and build vendor relationships independently of the parent organization will want to establish guidelines for how those payments are made. Check authorization procedures matter in every chapter organization, but particularly in chapters run by volunteers. These guidelines could include limiting the number of chapter members with authorized access to the chapter's accounts, requiring multiple approvals for payments made by check, blocking unauthorized ACH debits, and using a prepaid debit card to make vendor payments.

  3. Establish rules around sensitive information. Never send passwords via email, internally or externally. Use only HTTPS websites for payment transactions; HTTPS encrypts the connection so card data cannot be read or altered in transit. Shred sensitive documents that are no longer needed. Close unused accounts. Change passwords regularly, and immediately after any suspected compromise.

  4. Develop a system for investigating irregularities. Create a security SWAT team: a small group drawn from top management that includes IT and accounting. When an irregularity is found, let the affected donor, member or vendor know you will investigate fully and correct the problem where possible. Talk to credit card companies and banks, and document every conversation. Obtain a copy of the police report if the donor or member has filed one.

  5. Achieve PCI compliance. A reported 96 percent of record breaches involve credit card data. If you handle donor or member card numbers, your organization is required to comply with the Payment Card Industry Data Security Standard (PCI DSS) and to validate that compliance as your acquiring bank and card brands require. Learn more at www.pcisecuritystandards.org. Remember that compliance is an ongoing process, not a one-time event.

  6. Protect transactions. Secure Sockets Layer (SSL) technology and its successor, Transport Layer Security (TLS), encrypt information sent over the internet between your organization and anyone who uses your website for online transactions. The SSL protocol versions themselves are now obsolete, so configure your web server for TLS and disable SSL. The server certificate this requires comes from a certificate authority; VeriSign is one of the most commonly used SSL certificate providers.

Setting Behavioral Expectations: Walking the Talk
An organization’s leadership can set the tone for desired behavior by providing a model for ethical behavior and by communicating expectations of ethical behavior for employees. When employees feel abused, ignored or mistreated, they may be more willing to commit fraud. In contrast, empowered employees may be more attuned to the nonprofit’s mission and less willing to let inefficiency or fraud go unreported. Here are some ways to help everyone in your organization walk the talk:

  1. Create an audit committee. In addition to your annual audit, create an audit committee that regularly reviews irregularities and procedures for gaps.

  2. Conduct an SSAE audit. Rather than focusing on the financial statements, an SSAE 16 examination tests internal procedures and controls and reports where they fall short, giving you a basis for improvements. Learn more at www.ssae16.org.

  3. Set up a fraud tip line. Employees, volunteers, vendors and customers can call to confidentially report a suspected fraud or irregularity. Publicize the tip line regularly in internal communications.

  4. Require background checks for key personnel. Request official checks on all employees and volunteers who will have access to cash, accounting software or other sensitive information. Also consider background checks for new board members who will have oversight of accounting data.

  5. Educate employees and volunteers. Allegations of fraud can cause serious harm to an organization’s reputation and can degrade the organization’s mission. Teach employees and volunteers to recognize fraud red flags. Even small missteps, such as expensing a lunch that was purely social, can lead to more serious infractions. Make sure your employees know they can make use of the confidential tip line to report their concerns.

  6. Protect employees with need-to-know silos. Only the IT department should hold network credentials and other sensitive technology logins, and only the finance department should have access to accounting software. Restricting access to those who need it limits what any one person can misuse and shields everyone else from suspicion when something goes wrong.

Beyond Payments: Checking the Locks
What’s your most precious information asset? Is it your donor or member database? Your accounting software? Your clients’ records? This information once might have been safely locked in your desk drawer. While computers and web connections have increased productivity and communication, they have also made it necessary for organizations to change the way they protect their assets.

According to the 2011 Data Breach Investigations Report, a study conducted by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit, the number of records compromised fell dramatically over the preceding three years, from 361 million records in 2008 to 4 million in 2010. The report declined to speculate as to whether this is a trend, but it is reasonable to infer that better security measures are making the average attacker's job harder.

Summary statistics from the report indicate that 92 percent of data breaches involved attackers from outside the organization. Hacking and malware were the top two attack methods, and 92 percent of the breaches did not involve highly sophisticated attacks but were crimes of opportunity. Most telling of all, 96 percent of breaches were avoidable through simple or intermediate controls.

If you are concerned that the locks on your data tend toward the flimsy, here are a few cyber deadbolts for you to consider:

Secure your network. The report recommends that organizations install and maintain a firewall configuration to protect their systems, then use and regularly update antivirus software.

Monitor access. This includes changing default logins on newly installed systems, ensuring that every computer user has a unique login ID and password (no shared accounts), and regularly reviewing the user list to confirm that every account belongs to a current employee or volunteer, disabling any that do not.
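The access review described above can be turned into a repeatable check. The following script is an added example, not code from the article or from Billhighway: it reconciles a system's account list against the roster of active staff and volunteers and flags the conditions the text calls out (default logins and default passwords still in place, logins shared by more than one person, accounts whose owner is no longer on the roster) plus one the same review usually catches, accounts nobody has used in a long time. The list of default usernames, the `Account` layout and all the account and roster data are constructed for the example; in practice the account list would be exported from the system under review and the roster from HR or the volunteer coordinator.

```python
"""Periodic access review: reconcile system accounts against the active roster.

Added example (not from the article). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Usernames that vendors commonly ship enabled on new systems. This list is an
# assumption for the example; extend it with the defaults of your own products.
DEFAULT_LOGINS = {"admin", "administrator", "root", "guest", "test", "user"}


@dataclass(frozen=True)
class Account:
    login: str
    owners: tuple            # people known to use this login, per the system owner's records
    last_login: date
    default_password: bool   # True if the system still has the shipped password set


def review_accounts(accounts, active_roster, today, stale_days=90):
    """Return a sorted list of (login, finding) pairs for the reviewer to act on."""
    findings = []
    for acct in accounts:
        # Default login names should have been renamed or disabled at install time.
        if acct.login.lower() in DEFAULT_LOGINS:
            findings.append((acct.login, "default login name still in use"))
        if acct.default_password:
            findings.append((acct.login, "default password never changed"))
        # Every login must map to exactly one person, or nothing is attributable.
        if len(acct.owners) != 1:
            findings.append((acct.login, "login is shared or has no owner"))
        # Every owner must still be an active employee or volunteer.
        for person in acct.owners:
            if person not in active_roster:
                findings.append((acct.login, f"owner {person} not on active roster"))
        # Dormant accounts are a common sign of a departed user or a forgotten test login.
        if today - acct.last_login > timedelta(days=stale_days):
            findings.append((acct.login, f"no login in over {stale_days} days"))
    return sorted(findings)


# Constructed sample data: review date, HR/volunteer roster, and an account export.
TODAY = date(2011, 6, 1)
ACTIVE_ROSTER = {"A. Lee", "B. Ortiz", "C. Nkemelu"}
ACCOUNTS = [
    Account("alee", ("A. Lee",), date(2011, 5, 30), False),                      # clean
    Account("admin", ("B. Ortiz",), date(2011, 5, 29), True),                    # vendor default
    Account("frontdesk", ("B. Ortiz", "C. Nkemelu"), date(2011, 5, 31), False),  # shared login
    Account("dkim", ("D. Kim",), date(2011, 1, 15), False),                      # left the org
]


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, ACTIVE_ROSTER, TODAY)


if __name__ == "__main__":
    for login, finding in run_review():
        print(f"{login:<12} {finding}")
```

Run it against a real export and the output is the worksheet for the review meeting: each line is either remediated (rename, reset, disable) or signed off with a reason, and the signed-off list becomes the evidence that the review happened.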

Secure personal information. TRUSTe is an independent nonprofit organization enabling trust-based privacy for personal information on the internet. TRUSTe or another privacy provider can help you ensure that website privacy and email policies provide protection to donors, members, volunteers, and employees.

Vincent Thomas is founder and CEO of Billhighway, a provider of cloud-based financial management solutions for nonprofit organizations. Email: vthomas@billhighway.com.