4. Washington Post
Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits
∙ For 14 years, the American Legacy Foundation has managed hundreds of millions of dollars drawn from a government settlement with big tobacco companies, priding itself on funding vital health research and telling the unadorned truth about the deadly effects of smoking.
∙ Yet the foundation, located just blocks from the White House, was restrained when asked on a federal disclosure form whether it had experienced an embezzlement or other “diversion” of its assets.
By Joe Stephens and Mary Pat Flaherty, October 26, 2013
5. Washington Post
Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits
∙ Legacy officials typed “yes” on Page 6 of their 2011 form and provided a six-line explanation 32 pages later, disclosing that they “became aware” of a diversion “in excess of $250,000 committed by a former employee.” They wrote that the diversion was due to fraud and now say they believe they fulfilled their disclosure requirement.
6. Washington Post
Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits
∙ Records and interviews reveal the full story: an estimated $3.4 million loss, linked to purchases from a business described sometimes as a computer supply firm and at others as a barbershop, and to an assistant vice president who now runs a video game emporium in Nigeria.
∙ Also not included in the disclosure report: details about how Legacy officials waited nearly three years after an initial warning before they called in investigators.
8. What is Fraud?
Fraud is a deception deliberately practiced in order to secure unfair or unlawful gain (adjectival form fraudulent; to defraud is the verb).
The two main types of fraud
• Misappropriation of assets – theft of the company's assets
• Fraudulent financial reporting – misrepresentations in financial reports
9. How Prevalent is Fraud?
Statistics*
• 10% of fraud cases occur in not-for-profit organizations
• A typical scheme lasts 18 months before detection
• Approximately 55% were committed by a single individual
• Median loss of $100,000
Primary Areas of Weakness*
• Lack of controls
• Override of existing controls
• Lack of management review
• Poor tone at the top
*One of these factors was present in over 80% of the cases studied
*According to the Association of Certified Fraud Examiners
11. Behavioral Red Flags
• Living beyond means
• Refusal to take vacation
• Unwillingness to share duties
12. Unique Challenges to Non-Profits
• More trusting culture
• Lack of financial expertise in management positions
• Lack of resources
Red Flags!
• Living beyond means
• Refusal to take vacation
• Unwillingness to share duties
13. What Can You Do – Internal Controls!!
Two types of internal controls
• Deterrence
• Detection
17. Social Engineering: Phishing
Phishing is acquiring confidential information by masquerading as a trustworthy entity in an electronic communication.
What to watch for:
• Links in the email
• Spelling and grammar errors
• Impersonation of a popular company
• Urgency
19. Social Engineering: Spoofing
Spoofing is when a spammer sends out emails using your email address in the From: field. The idea is to make it seem like the message is from you.
What to watch for:
• You see mailer daemon error messages (returned emails) in your inbox that do not match any messages you sent
• You get messages from people who received email from you that you did not send
20. Keystroke Logging: What is a Keylogger?
Whether it is called a keylogger, spyware or monitoring software, it can be the equivalent of digital surveillance, revealing every click and touch, every download and conversation.
Malicious intent:
• Account information
• Credit card numbers
• User names
• Passwords
22. Protect your online environment
∙ Be sure your bank uses a two-factor authentication process. The best way to receive a two-factor authentication code is:
• Email
• Cell phone
• Phone
23. Further Controls
∙ Educate your employees
∙ A strong security program should be paired with employee education about the warning signs and safe practices that you can implement.
∙ The best secure password is:
• Password
• 1234
• May2009marie
• S97@fde
25. Check Fraud
Another way for fraudsters to get access to your money is to create counterfeit checks by stealing your check stock or by obtaining a legitimate check and copying it.
Solution:
Check Positive Pay – This is an antifraud service offered by banks to help protect businesses against fraud from altered and counterfeit checks. Positive pay assists in the creation, transmission, and research of check records sent to the bank for payment, so that the bank pays only items matching the records you issued.
27. Check Deposit Fraud
Problem:
Through remote deposit capture or mobile phone deposit technology, check fraud involves individuals double debiting. For example, an organization issues a check to an individual and the individual deposits the check through a scanner or smartphone.
The individual then quickly takes it to another bank to cash it. Both transactions flow through the check clearing process, which could result in the account being debited twice. This could go undiscovered until the account is reconciled.
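Positive pay (slide 25) and the double-deposit problem (slide 27) come down to one matching step at the bank: an item is paid only if it matches the check record the organization issued, and only once. The matcher below is an added example, not code from the presenters or any bank; the check numbers, payees and amounts are constructed, and the matching rules are a deliberately simplified version of the service.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Check:
    number: int
    amount_cents: int  # integer cents, so amounts compare exactly
    payee: str

# Constructed sample issued-check file: the records an organization transmits
# to its bank before the checks are presented for payment.
ISSUED: Dict[int, Check] = {
    1001: Check(1001, 250000, "Acme Office Supply"),
    1002: Check(1002, 78025, "City Utilities"),
    1003: Check(1003, 1500000, "Grant Subrecipient Inc"),
}

# Constructed presentment stream: a clean item, an altered amount, one check
# deposited by phone and then cashed at another bank, and an unissued number.
PRESENTED: List[Check] = [
    Check(1001, 250000, "Acme Office Supply"),
    Check(1002, 780250, "City Utilities"),
    Check(1003, 1500000, "Grant Subrecipient Inc"),
    Check(1003, 1500000, "Grant Subrecipient Inc"),
    Check(1009, 99900, "Cash"),
]

def positive_pay(issued: Dict[int, Check], presented: List[Check]) -> List[Tuple[int, str, str]]:
    """Hypothetical simplified matcher: pay an item only if number, amount and
    payee match the issued record, and pay each check number only once."""
    paid = set()
    decisions = []
    for item in presented:
        rec = issued.get(item.number)
        if rec is None:
            reason = "no issued record (possible counterfeit)"
        elif item.number in paid:
            reason = "already paid (possible duplicate deposit)"
        elif rec.amount_cents != item.amount_cents:
            reason = f"amount {item.amount_cents} != issued {rec.amount_cents} (possible alteration)"
        elif rec.payee.casefold() != item.payee.casefold():
            reason = "payee mismatch (possible alteration)"
        else:
            paid.add(item.number)
            decisions.append((item.number, "pay", "matches issued record"))
            continue
        decisions.append((item.number, "exception", reason))
    return decisions
```

Each "exception" is what the bank would route back to the organization for a pay/return decision before the debit posts, which is the point at which the second presentment of check 1003 is caught rather than at month-end reconciliation.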
28. ACH Fraud
Problem:
The fraudster targets nonprofit organization accounts in search of bigger payouts. Fraudsters will steal online banking credentials by hacking computer networks and installing key logging software or malware.
Once the thief has the right credentials, they can access the organization's accounts and send out wires or ACH transfers to another country and into their own bank accounts.
Solution:
ACH Positive Pay – This allows clients to assign filtering or blocking services to various accounts based on company IDs, standard entry class codes, and dollar amounts.
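The ACH positive pay filter described above screens each debit presented against an account on exactly three attributes: originator company ID, standard entry class (SEC) code, and amount. The rule check below is an added example, not code from the presenters or any bank; the account names, company IDs, caps and sample debits are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class AchFilter:
    """Per-account debit filter, as a client might configure with its bank."""
    company_ids: FrozenSet[str]  # originators allowed to debit the account
    sec_codes: FrozenSet[str]    # standard entry class codes allowed (e.g. CCD, PPD)
    max_cents: int               # per-item cap; 0 blocks every ACH debit

@dataclass(frozen=True)
class AchDebit:
    account: str
    company_id: str
    sec_code: str
    amount_cents: int

# Constructed sample filters: the operating account accepts only its payroll
# processor and its landlord within a cap; the reserve account blocks all debits.
FILTERS: Dict[str, AchFilter] = {
    "operating": AchFilter(frozenset({"1234567890", "9876543210"}), frozenset({"CCD", "PPD"}), 5_000_000),
    "reserve": AchFilter(frozenset(), frozenset(), 0),
}

def screen_ach_debit(filters: Dict[str, AchFilter], debit: AchDebit) -> Tuple[str, str]:
    """Hypothetical rule check returning ("pay" or "return", reason) for one debit."""
    f = filters.get(debit.account)
    if f is None or f.max_cents == 0:
        return ("return", "account blocks all ACH debits")
    if debit.company_id not in f.company_ids:
        return ("return", f"originator {debit.company_id} not on allow list")
    if debit.sec_code not in f.sec_codes:
        return ("return", f"SEC code {debit.sec_code} not permitted")
    if debit.amount_cents > f.max_cents:
        return ("return", f"amount {debit.amount_cents} exceeds cap {f.max_cents}")
    return ("pay", "matches filter")

# Constructed incoming debits: legitimate payroll, an unknown originator,
# a permitted originator over the cap, and anything hitting the reserve account.
SAMPLE_DEBITS: List[AchDebit] = [
    AchDebit("operating", "1234567890", "CCD", 1_250_000),
    AchDebit("operating", "5555555555", "WEB", 48_000),
    AchDebit("operating", "9876543210", "CCD", 6_000_000),
    AchDebit("reserve", "1234567890", "CCD", 100),
]
```

Returned items still need someone at the organization to review the bank's exception report each business day, which is why the reconciliation frequency question on slide 32 matters.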
29. Credit Card Fraud
∙ EMV chip
• Change in laws
∙ Fraudulent transactions
∙ Inventory and review of cards
• Count
• Physical location
• Limited use
30. Question #4
Has anyone had a corporate or personal credit card compromised? What about a bank account?
32. Pay attention and react quickly
∙ Look out for unexplained account or network activity, pop-ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised.
∙ Also consider ACH and Check Positive Pay
∙ Do you perform bank reconciliation on your operating account?
• Monthly
• Weekly
• Daily
• Quarterly
33. Understand your responsibilities and liabilities
The Electronic Funds Transfer Act (EFT), also known as Regulation E, was implemented in the U.S. in 1978 to establish the rights and liabilities of consumers as well as the responsibilities of the financial institution in EFT activities.
Regulation E covers a consumer under certain conditions, limiting loss to $50 if the institution is notified within two business days.
There currently are no similar loss protections for commercial customers.
The account agreement with your bank will detail what commercially reasonable security measures are required of your organization.
34. What can you do tomorrow?
Talk to your IT department
• How are you protected from phishing, keystroke logging, etc.?
• What training can you regularly give your employees?
• What is your password policy?
Talk to your bank
• Is Positive Pay available?
• Do they offer credit card protection?
35. What can you do tomorrow?
Review your internal controls (now and at least annually)
• Bank reconciliations
• Vacation policy
• Segregation of duties
• Credit card use
What is your culture for sharing fraud concerns? What is the tone at the top?
37. Resources
You can also visit the following websites to learn more about how to protect your nonprofit organization:
• Johnson Lambert LLP website: www.johnsonlambert.com
• Access National Bank website: www.accessnationalbank.com
• ACFE Fraud Prevention: http://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/Fraud_Prev_Checkup_DL.pdf
• Greater Washington Society of CPAs: Nonprofit Accounting Basics: http://www.nonprofitaccountingbasics.org/topic/internal-controls
• Federal Communications Commission: 10 Cybersecurity Strategies for Small Business: https://www.uschamber.com/sites/default/files/legacy/issues/defense/files/10_CYBER_Strategies_for_Small_Biz.pdf
38. Thank you for your participation!
Sarah McConnell
Principal
Johnson Lambert LLP
smcconnell@johnsonlambert.com
James Foster
CFO
Northern Virginia Association of Realtors
jfoster@nvar.com
Tom Ciolkosz
Vice President
Commercial Banker
Access National Bank
tomciolkosz@accessnationalbank.com