This week, October 19th through October 23rd, is the third annual International Charity Fraud Awareness Week (ICFAW). The ICFAW is led by an international coalition of over 40 charities, regulators, sector and professional representative bodies, and other interested stakeholders. The goal of this week is to raise awareness of, and to share good practices for, tackling fraud and cybercrime among non-profit organizations.
In support of this important initiative, the HBK Non-Profit Solutions group and HBK Risk Advisory Services is teaming up to provide the following information. We encourage everyone to learn more about ICFAW here: https://www.fraudadvisorypanel.org/charity-fraud/get-involved/
If you are a charitable donor:
- Make sure that a charitable organization is legitimate before donating.
- Watch for suspicious e-mails, text messages, and phone calls.
- Remain vigilant.
Charitable scams are incredibly common, especially as we move into the holiday season. Before you decide to write a big check in support of a charity, make sure you check that the organization is legitimate on the IRS website (https://www.irs.gov/charities-non-profits/tax-exempt-organization-search). GuideStar (https://www.guidestar.org/) is also a great resource to research whether or not a charitable organization is worthy of your support. Often, its best to research the organization on both platforms to ensure information is accurate.
Other great resources to vet the organization include your state’s registry of non-profits and the Better Business Bureau.
Social engineering threats, such as phishing e-mails and fraudulent advertisements, continue to increase at alarming rates due in part to COVID-19. As a general best practice, avoid clicking links received via email and text. If you find a message or organization of particular interest, its often best to access their webpage via an internet search or typing their URL directly into the address bar of your browser—after ensuring they are legitimate, of course (Item #1). This extra step will reduce the risk of being misdirected to a fraudulent webpage. Remember, fraudsters often create exact replicas of common webpages making it difficult to spot the difference.
To avoid falling for a fraudulent webpage, make sure you look at the domain name and web address populated in your browser. Does it match the intended organization? Are there any glaring errors or misspellings? Sometimes these may not be so apparent, so be careful. Simple tricks such as switching a lowercase “L” to a number “1” (l vs 1 –no, those are not the same character) may be the only difference between a legitimate page and a fraudulent one.
If you are absolutely certain the email is trustworthy, take a second to hover over any URL’s contained in the body of the e-mail to ensure that it leads to a trusted website. Again, keeping an eye out for misspellings or swapped characters. However, avoiding the click will eliminate the need for vigilance at this stage.
Lastly, we recommend similar actions for voice calls. Rather than disclosing your billing information and contributing money over the phone, advise the representative that you will donate via webpage or mail in check. Securely navigate to the trusted website via search engine or known URL.
Once you’ve made your contribution its important to remain vigilant. First, make sure you receive your donor acknowledgment letter in a timely manner. These should typically be received soon after your donation is processed and before the end of the year. Secondly, make sure your transaction is processed or check is cashed promptly. Slow processing could indicate your account information is being used for other things. Lastly, remember to review your account statements at least monthly. Daily monitoring of transactions is preferred where feasible.
If you are a charitable organization:
- Watch for suspicious e-mails, text messages, and phone calls
- Stay educated.
- Establish and maintain processes and internal controls.
Charities can be a treasure trove of donor information and financial records—information that is very attractive to fraudsters. As discussed above, avoid clicking links in emails and texts and be suspicious of unsolicited phone calls. If its too good to be true, it probably is. Always verify the source and do not be rushed into a decision.
Maintaining an educated workforce is critical. Fraudsters are having an easier time given the recent pandemic as the workforce is largely working remotely. As such, cybersecurity awareness has never been more important. Consider undergoing awareness trainings to remain educated on the latest threats and how to avoid them.
Established processes and sound internal controls have always been critical, but prior to COVID-19, few organizations faced the task of migrating these processes and controls to remote work environments. COVID-19 and a new environment is no excuse to stray from these fundamental concepts. In fact, it’s more important than ever to ensure your processes and controls migrate to, if not strengthen, this new environment.
It should be noted that cybersecurity insurance coverage may be lost if these controls do not remain implemented, so make sure you understand the requirements of your insurance policy. The dispersed and remote work force is introducing greater risks, and we are seeing a rise in malicious attacks. Your employees are also out of their routines and may find new ways to accomplish old tasks that could put the organization at risk. This increased risk coupled with a potential loss of coverage can be disastrous.
If you would like to discuss ways in which you can protect yourself, your organization, and/or your employees from fraud and cybercrime, please reach out to your HBK advisor.
For more information about Charity Fraud Awareness Week, visit the Fraud Advisory Panel website.