The Perfect Storm
By Megan Budd, Senior Manager, Assurance Services
Not-for-profit organizations (“NFP”) are seeing a sharp increase in the incidence of fraud due a “perfect storm” of threats derived from the unique characteristics of a NFP organization, the availability of valuable information commonly used to perpetrate frauds and increased cyber security risks.
The risk of fraud increases when the following exist simultaneously: (1) pressure on the individual; (2) opportunity to commit fraud; and (3) ability to rationalize the inappropriate behavior. American sociologist Donald R. Cressey coined the term “fraud triangle,” which consists of the following three points:
- Pressure – Motivation behind the crime, which could be personal financial pressure or workplace debt problems.
- Opportunity – Ability to execute a plan without being caught.
- Rationalization – Personal justification of dishonest actions.
One or more of the following factors can contribute to the fraud triangle for an NFP:
- Scarce resources, making separation of duties and similar controls difficult to achieve.
- Senior executive control rests with a few select individuals, with no succession plan in place.
- Volunteers who may inadvertently circumvent control processes or expose confidential information.
- Boards of Directors comprised of members with minimal financial oversight experience.
- Fear of negative publicity.
When formulating an anti-fraud strategy, the fraud triangle may be used in conjunction with the 10-80-10 rule of ethics. This rule is based on the assumption that 10 percent of people are ethical all of the time; 80 percent have the potential to behave unethically depending on the situation; and 10 percent are unethical all the time. The fraud triangle represents the motivational factors that, if put together, may influence the 80% group to perpetrate fraud. A 2016 report from the Association of Certified Fraud Examiners showed that approximately 95% of perpetrators had never been convicted of a fraud-related offense before.
NFPs need to be on the lookout for behavioral indicators that may be a red flags for fraudulent activity, such as employees working odd hours without authorization or living beyond their means. In addition to behavioral indicators, there are indicators which may occur at the organizational level such as:
- Bank reconciliations not performed in a timely manner.
- A single individual with control over disbursements.
- Lack of documentation supporting transactions.
- Accounts receivables uncollected for long periods of time.
- Donors not receiving receipts for contributions.
Cyber security risks are increasing each day, NFP’s in the healthcare industry are unique in that they have at their fingertips the most valuable asset to criminals – medical information. Medical information is now much more valuable than credit card numbers on the black market or the dark web. Fraudsters can use this information to create fake ID’s to buy medical equipment or drugs, or combine a patient number with a false provider number and file fraudulent claims with insurers. Unlike credit card data theft, which is often reported quickly, patients may not immediately realize their medical information has been stolen, enabling the fraud to continue. In 2016, it was reported that the price of stolen records dropped from on average $50 per record to between $1.50 and $10 each, due to the fact that the black market is saturated with this data.
Fraudsters have shifted their efforts from stealing data to spreading ransomware. One of the largest scams to hit organizations in recent years is the business email compromise (BEC), most recently referred to by the FBI as the “$5 billion dollar scam.” Between January 2016 and December 2016, there was a 2,370% increase in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. In a public service announcement put out by the FBI in 2016, BEC is defined as a sophisticated scheme targeting businesses, which is carried out by compromising legitimate email accounts through social engineering or computer intrusion techniques, to conduct unauthorized transfers of funds. According to the FBI, it is largely unknown how victims are selected.
Recently, the FBI released a new type of BEC scam called Data Theft, which involves the receipt of fraudulent emails requesting either all wage or tax statement (W-2) forms or a company list of Personally Identifiable Information (PII). The FBI has noted the following characteristics of BEC complaints:
- Businesses and associated personnel using free web-based email accounts are predominantly targeted.
- Individuals responsible for handling wire transfers within a specific business are targeted.
- Fictitious emails very closely mimic a legitimate email request.
- Personal email accounts are at a higher risk to be hacked and should never be used for business purposes.
- Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions about the legitimacy of the request.
- The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent email requests.
- The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise suspicion.
- Fraudulent emails have coincided with business travel dates for executives whose emails were spoofed.
- IP addresses frequently trace back to free domain registrars.
It is imperative that all develop an increased awareness and understanding of scams such as BEC to be able to recognize when they have been targeted. Organizations with a robust internal control system have proven highly successful in recognizing and deflect BEC attempts. In addition to internal controls, proper education for employees at all levels is necessary to ensure recognition of fraud. Some of the most effective self-prevention strategies include: avoiding free web-based email accounts, being careful of what is posted to social media and company websites, and being suspicious of requests for secrecy or pressure to take action quickly.
The FBI suggests additional IT and financial security procedures, including using a 2-step verification process. For example, organizations should always require a telephone call to verify significant transactions. One way to identify fraudulent emails is to use the “forward” option, rather than the “reply” option. If a fraudulent email address is being used this will remove that email address from the correspondence and allow the parties involved to identify the false request.
As organizations become more sensitized to the importance of recognizing risk and more effective at implementing control systems, criminals will be forced to shift their efforts and devise new strategies. Internal controls and education of employees is an ongoing process and not a one-time event. Understanding the who, what, when, and where is essential in safeguarding your organization’s assets.