Guidelines for Charities
Published on ‘Get Safe Online’
https://www.getsafeonline.org

Trustees of Registered Charities have overall responsibility for keeping the assets of the charity safe. Every kind of organisation, especially those which have an online presence, is a potential target for fraudsters. Unfortunately, charities are no exception as most fraudsters make no distinction between organisations that operate for profit and those with altruistic aims.

In general, fraud has increased with the advent and growth of the internet, which has provided criminals with the means to carry on their activities anonymously. Therefore, the more of your business is conducted online, the greater the possibility that you will fall victim to fraud.

To illustrate, fraud cost the UK £73 billion in 2012 and of this, £1.1 billion was the estimated loss to the charity sector (source: National Fraud Authority Annual Fraud Indicator). The estimated percentage of charity turnover lost to fraud was 1.7% of a £64.6 billion combined annual turnover – broadly comparable with the private and public sectors.

If defrauded, your charity will not only face financial losses but could also suffer damage to its reputation, and a loss of confidence by benefactors and donors.

This information is designed to help you prevent and detect online fraud and gives you information on what you should do if you discover that a fraud has taken place. Having a clear plan of what to do if there is a suspected or actual fraud will equip you to deal with the situation more easily. You will see that taking a few straightforward steps can significantly reduce your charity’s chances of becoming a victim.

Report a serious incident to the Charity Commission

Email: rsi@charitycommission.gsi.gov.uk

24 hour voicemail service: 0300 065 2199

Use this service if you are a trustee of a registered charity and you want to report a serious incident in your charity. We will only contact you if we need more information.

Get Safe Online’s Top Tips
  • Implement robust financial and banking controls.
  • Do not hesitate to report and take action in the event of actual or attempted fraud.
  • Always remember that fraudsters do not share the altruistic aims of your organisation.

The Top Line Responsibilities of Trustees
  • Ensuring there are appropriate internal financial controls in place to make sure all funds are accounted for and spent in line with your charity’s aims.
  • Keeping proper and adequate financial records for both the receipt and use of all funds together with a record of any decisions made.
  • Acting responsibly and in the interests of your charity if fraud occurs. This includes promptly reporting the fraud (suspected or actual) to the relevant authorities such as Action Fraud and taking steps to ensure that the charity’s funds are protected.

The Risks

The risks to charities of online fraud can be from both external and internal sources. These include:

External

Identity fraud – for example, where a genuine charity’s details are used without authorisation, to deceive unsuspecting donors.
Scam or ‘phishing’ emails requesting confidential details from your charity, which are then used by fraudsters to obtain funds illegally.

Internal

Misuse of your charity’s credit cards.

Get the Basics Right

You should ensure that you have structures in place to minimise the risk of financial wrongdoing.

This should include the following:

  • Implement robust financial controls and reinforce the importance of these.
  • Understand your risks. Take regular assessments of the risks your charity might be exposed to.
  • Instil a culture of ethical behaviour throughout your charity. Encourage awareness by communicating anti-fraud measures and training staff.
  • Develop an anti-fraud policy. This is a formal written document to plan out actions and responsibilities.
  • Develop a whistleblowing policy. It is important that people know how to report concerns about fraud and to whom – and that this is encouraged.
  • Ensure there are robust recruitment procedures. Draw up a self-declaration form and check references for new starters.
  • Keep records of suspected and confirmed fraud.

Use the Charity Commission’s ‘CC8 – Internal Financial Controls for Charities’ guidance and checklist for reference.

Implement Banking Controls

A key element in ensuring online safety is the implementation and maintenance of banking controls. Make sure you have these in place:

  • Checking statements carefully, including checking that all amounts you expect to see banked have been banked.
  • Storing statements and other financial documents safely and securely. Shredding documents that you no longer need.
  • Signing credit or debit cards as soon as they arrive.
  • Ensuring that you know exactly who has access to charity accounts and that there are mechanisms in place for independent verification of transactions.

The Charity Commission recommends that all charities banking online use a dual authorisation system. This is where one user submits a transaction and another user then authorises it. Charities should ask their own banking services provider whether they offer this service.

Protect Your Website

An increasing number of incidents of online fraud are committed by criminals accessing your website. If your charity is hosting its own website, you have a responsibility to ensure that your website is protected from such attacks. You should take the following precautions:

  • Ensure that the hardware and software are secure.
  • Use the latest version of any e-commerce software. Old versions may have flaws that hackers can exploit.
  • Use strong, protected passwords throughout the system. Do not leave any password set to its default value.
  • Make sure the server is protected by an effective firewall and antivirus/antispyware software.
  • Monitor log files carefully to spot any attempts at intrusion.
  • Never store donors’ private information and credit card details or beneficiaries’ information on a public commerce server.
  • Protect your SSL details and keep them confidential.

Consider using a professional penetration testing firm to test the defences on your e-commerce server. Penetration testing is a method of evaluating the computer security of a computer system or network.

If you choose to use a third-party hosting company:

  • Review its security and availability policy and arrangements.
  • Consider using a professional penetration testing firm to test the defences on your hosting company’s server.

Avoid Identity Fraud

Charities are just as vulnerable to having their identity stolen as individuals. It is not uncommon for fraudsters to obtain money by setting up a hoax charity or fundraising appeal in the name of an authentic charity. Take the following simple steps to reduce the possibility of this occurring to your charity:

  • Ensure donor data such as names, addresses and bank details are stored securely and in accordance with data protection requirements – this information is valuable to fraudsters.
  • Check your bank accounts regularly. If they have frequent withdrawals and deposits by different people, a fraudster who has access to your bank account could operate undetected for some time.
  • Look out for any unauthorised use of your charity’s name or logo.
  • Encourage donor awareness. Ask regular supporters to look out for and report any fundraisers, fundraising literature or emails that appear suspicious.
  • If someone sets up a hoax charity in your name, it may be possible for you to seek an injunction to prevent them from fundraising.
  • Advise existing and would-be donors to read the information and advice on Get Safe Online’s page on Charitable Donations.

When filing accounts with the Charity Commission, the Commission recommends charities send accounts to it online rather than in hard copy. The accounts you submit online must have been signed off by trustees, but they do not need to show trustees’ signatures. This is to help prevent identity fraud against charities.

Increase Internal Awareness
  • Promoting greater awareness within your charity of what steps should be taken to prevent fraud will help the charity meet its responsibilities.
  • Ensure that all staff, volunteers and fellow trustees are fully aware of fraud policies when they join the organisation, and on an ongoing basis.
  • Give one or more staff responsibility for fraud prevention policies, including keeping them updated and conducting regular risk assessments.
  • Train employees and volunteers to ensure they are familiar with your charity’s financial controls, and know what to do if they suspect fraud has taken place.
  • Ensure fellow trustees, employees and volunteers are also aware of any best practice guidelines and legal obligations relevant to their role.
  • Ensure that fraud and risk assessment are regular agenda items for trustee board meetings.

What to do if your charity has been a victim of fraud?

Report the fraud

Report it to Action Fraud, the UK’s national fraud reporting centre, by calling 0300 123 20 40 or by visiting www.actionfraud.police.uk
Depending on the nature of the fraud, you may also have to report it to an agency such as HM Revenue & Customs or the police.
Any actual or suspected serious incidents of fraud should also be reported to the Charity Commission. (See above).

Keep others informed

Keep the other members of the trustee board informed about the fraud and any subsequent investigations.
Notify staff and, if relevant, volunteers with the appropriate level of information.

Review security

As soon as you have identified the cause of the fraud, take steps to ensure that you have fixed this and make your systems more secure so that it does not happen again.

Recovering lost funds

If the fraud relates to the use of bank accounts, you may be able to recover the funds through your bank. Your bank will be able to provide more information on the likelihood of this and the steps to follow.
Make a claim to your insurance provider if your charity has a policy that covers fraud.
In other cases, taking civil or other action is something for you and the other trustees to consider. However, you should be aware that pursuing an action through the civil courts can be expensive and may not be cost effective. Additionally, you may need to obtain the Charity Commission’s consent before pursuing litigation.

The Fraud Advisory Panel has produced a fact sheet, An Introduction to Civil Asset Recovery, for those wanting to know more about bringing formal proceedings against a fraudster. You can view and download the document by clicking the link which is available on the Get Safe Online web page.

Other Advice on preventing loss