Fraud Happens: A Practical Guide for Nonprofits to Reduce Their Risk

Fraud happens. We know it does. Though not inevitable like death and taxes, fraud is something Americans have come to expect. It shows up in the news almost daily; most heartbreaking of all is news of embezzlement or fraud at nonprofit organizations.

Fraud is pervasive. According to the key findings of the Association of Certified Fraud Examiners' (ACFE) 2012 Report to the Nations, the typical organization loses an estimated 5% of its revenues to fraud each year.

Despite their honorable missions and dedication to helping others, nonprofit organizations are not immune to occupational fraud.

In an economic climate that makes every dollar precious, no nonprofit wants to lose 5% of its annual revenue to fraud. But while few organizations can be as secure as Fort Knox, there are some concrete precautions every nonprofit can take to safeguard against fraud.

The Importance of Securing the Perimeter

Fraud is a possibility wherever money or sensitive information changes hands. That may happen at an external gateway, such as when a donor makes a contribution, when vendors are paid, or when you communicate with donors, members, banks or other financial service providers. Weaknesses can also appear at internal checkpoints, such as internal email or the exchange of information between staff. Here are four recommended precautions:

  1. Automate all donor or member payments. Routing payments through an automated system keeps staff and volunteers from handling cash, checks and card numbers directly, and it creates a record of every transaction that can be reconciled and verified later.
  2. Create controls for checks and Automated Clearinghouse (ACH) payments. Organizations with satellite chapters that pay bills and deal with vendors independently of the parent organization should set guidelines for how those payments are made. Check authorization procedures matter in every chapter organization, but especially in chapters run by volunteers. These guidelines could include:
    • Limiting the number of chapter members who have signing authority or online access to the chapter’s accounts.
    • Requiring two approvals (dual signatures) for payments made by check.
    • Placing an ACH debit block on the account – this instructs the chapter’s bank to reject electronic debits drawn with the bank routing number and the chapter’s account number, which is exactly the information printed on every check the chapter writes. Banks can also offer an ACH filter that permits only approved originators.
    • Using a prepaid debit card to make vendor payments – this removes the need to store physical checks or pass a checkbook from one volunteer to another, and it caps exposure at the amount loaded on the card, so the account cannot be inadvertently overdrawn.
  3. Establish rules for communicating and storing sensitive information. These rules may seem overly protective to some; put them in the better-safe-than-sorry category and apply them across your organization.
    • Never send passwords by email, internally or externally – this includes logins for internal databases and accounts as well as external logins for online grant applications, data storage sites and even social media pages. Email is stored in readable form on mail servers and in recipients’ mailboxes long after it is sent.
    • Use https websites only for sensitive information. Hypertext Transfer Protocol Secure (https) is ordinary http carried over an encrypted TLS (formerly SSL) connection: it encrypts the traffic and lets your browser check that the site’s certificate was issued for the hostname in the address bar. It should always be present when you make a payment via the Internet or communicate other sensitive information. Note what the “https” prefix and the browser’s lock indicator actually tell you: the connection to the named site is encrypted. They do not tell you the site itself is trustworthy, so read the address as well.
    • Periodically clean house – shred sensitive documents that are no longer needed and close unused accounts.
    • Change passwords on a schedule, and always change passwords on shared accounts immediately when key personnel leave the organization or when a credential may have been exposed.
      • Note: The Payment Card Industry (PCI) Security Standards Council’s Data Security Standard v2.0 (Requirement 8) includes a password policy framework that addresses password refresh frequency, length, complexity and other essential password policy components.
  4. Develop a system for investigating irregularities. How would you respond to a donor who believes his/her credit card information was stolen after making a contribution through your nonprofit’s website?
    • Create a security response team: a small, cross-functional group of top management that includes IT and accounting.
    • Make investigating irregularities the team’s top priority – nonprofits are under greater scrutiny than ever to cross every T and dot every I.
    • Let the donor, member or vendor know you will stop at nothing to understand what has occurred and correct it if possible.
    • Talk to credit card companies and banks, and document every conversation.
    • Obtain a copy of the police report if the donor or member has filed one.
    • Even if the fraud has not occurred through your organization, help the donor find out where the fraudulent charges may have come from by tracking any delivery address or email address associated with unauthorized purchases.
    • Follow up with the donor or member to mend any fences once the issue has been resolved.
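The PCI DSS v2.0 password rules referenced in the note above can be enforced in code rather than by memo. The following is an added example written for this page; it is not part of the original article and not Billhighway's software. It encodes four of the Requirement 8.5 rules (change at least every 90 days, minimum seven characters, letters plus digits, no reuse of the last four passwords), keeps previous passwords only as salted PBKDF2 hashes, and walks a constructed account through the checks. The account name and dates are constructed for illustration.

```python
"""Password-policy enforcement modelled on PCI DSS v2.0 Requirement 8.5 (added example).

Rules encoded:
  8.5.9   change user passwords at least every 90 days
  8.5.10  minimum password length of seven characters
  8.5.11  passwords contain both numeric and alphabetic characters
  8.5.12  a new password may not match any of the last four passwords
Previous passwords are kept only as salted PBKDF2 hashes, never in the clear.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)  # 8.5.9
MIN_LENGTH = 7                         # 8.5.10
HISTORY_DEPTH = 4                      # 8.5.12: current password plus the three before it


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; deliberately slow so history entries are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    password_set_on: date
    # (salt, digest) pairs, newest first; the passwords themselves are never stored.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)


def complexity_problems(password: str) -> list[str]:
    """Return the 8.5.10 / 8.5.11 rules a candidate violates (empty list if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters (8.5.10)")
    has_digit = any(c.isdigit() for c in password)
    has_alpha = any(c.isalpha() for c in password)
    if not (has_digit and has_alpha):
        problems.append("must contain both letters and digits (8.5.11)")
    return problems


def reuses_recent_password(account: Account, candidate: str) -> bool:
    """True if the candidate equals any of the stored recent passwords (8.5.12)."""
    return any(
        hmac.compare_digest(_digest(candidate, salt), digest)
        for salt, digest in account.history
    )


def password_expired(account: Account, today: date) -> bool:
    """True once the current password is older than the 90-day maximum (8.5.9)."""
    return today - account.password_set_on > MAX_PASSWORD_AGE


def change_password(account: Account, candidate: str, today: date) -> list[str]:
    """Apply the change only if every rule passes; return the list of violations."""
    problems = complexity_problems(candidate)
    if reuses_recent_password(account, candidate):
        problems.append("matches one of the last four passwords (8.5.12)")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(candidate, salt)))
    del account.history[HISTORY_DEPTH:]  # forget anything older than the last four
    account.password_set_on = today
    return []


def run_scenario() -> dict:
    """Walk a constructed account through the rules and return each outcome."""
    acct = Account("chapter-treasurer", date(2012, 1, 1))  # constructed account
    out = {}
    out["too_short"] = change_password(acct, "short1", date(2012, 1, 1))
    out["no_digits"] = change_password(acct, "lettersonly", date(2012, 1, 1))
    out["accepted"] = change_password(acct, "Spring2012", date(2012, 1, 1))
    out["expired_day_90"] = password_expired(acct, date(2012, 3, 31))
    out["expired_day_91"] = password_expired(acct, date(2012, 4, 1))
    out["reuse_rejected"] = change_password(acct, "Spring2012", date(2012, 4, 1))
    for i, pw in enumerate(["Summer2012", "Autumn2012", "Winter2012", "Spring2013"]):
        change_password(acct, pw, date(2012, 4, 1 + i))
    # After four further changes the first password has dropped out of the window.
    out["reuse_after_four_changes"] = change_password(acct, "Spring2012", date(2012, 4, 5))
    out["history_len"] = len(acct.history)
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The 90-day rotation reflects PCI DSS v2.0, which was current when this article was written; later guidance (PCI DSS v4 and NIST SP 800-63B) de-emphasizes calendar rotation in favour of changing passwords on departure or suspected compromise, which the article's own advice about departing personnel already covers.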

Checking the Locks

What’s your most precious information asset? Is it your donor or member database, your accounting software, your clients’ records? Once upon a time, this information might have been safely locked in your desk drawer. While computers and web connections have given us dramatic advances in productivity and communication, they have also made it necessary for organizations to change the way they protect their assets.

Here are a few cyber deadbolts for you to consider:

  1. Secure your network – Verizon’s Data Breach Investigations Report (DBIR) recommends that organizations install and maintain a firewall configuration to protect their systems, and use and regularly update anti-virus software.
  2. Monitor access – This includes changing the default logins and passwords on newly installed systems, giving every computer user a unique login ID and password (no shared accounts), and periodically reviewing the user list to confirm that every active account belongs to a current employee or volunteer.
  3. Achieve PCI compliance – The DBIR found that 96 percent of compromised records involved payment card data. If you handle donor or member credit card numbers, your organization must validate its compliance with the PCI Data Security Standard (through a self-assessment questionnaire or an assessor, depending on transaction volume), and keep in mind that compliance is an ongoing process, not a one-time event. Learn more at
  4. Secure personal information – TRUSTe is a privacy certification provider for personal information collected online. TRUSTe or another privacy provider can help you ensure that your website privacy and email policies protect donors, members, volunteers and employees. Learn more at
  5. Protect transactions – Secure Sockets Layer (SSL) technology, today implemented as Transport Layer Security (TLS), encrypts information sent over the Internet between your organization and anyone who uses your website for online transactions; the certificate behind it is what lets a donor’s browser confirm it is talking to your site and not an impostor. VeriSign is one of the most widely used certificate providers. Learn more at
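The access review in item 2 is easier to do reliably as a script than by eye. Below is an added example written for this page (not part of the article and not Billhighway's software): it takes an export of the accounting system's user table and the current staff and volunteer roster, then flags vendor default logins still present, login IDs shared by more than one person, accounts with no named owner, and accounts whose owner is no longer on the roster. The column layout, the list of default account names and every record are constructed for illustration.

```python
"""Periodic access review over an account export (added example).

Checks the three points under "Monitor access": vendor default logins still
present, login IDs shared by more than one person, and accounts whose owner is
not on the current employee/volunteer roster. All data below is constructed.
"""
from __future__ import annotations

import csv
import io

# Constructed export of the accounting system's user table. The owner_email
# column lists everyone who knows the login, separated by ";".
ACCOUNTS_CSV = """login,owner_email,role
admin,,Administrator
treasurer,pat@example.org,Finance
bookkeeper,lee@example.org;sam@example.org,Finance
chapter12,,Chapter
jordan,jordan@example.org,Volunteer
"""

# Constructed roster of current staff and volunteers from HR / the volunteer coordinator.
ROSTER_CSV = """email,status
pat@example.org,employee
lee@example.org,employee
sam@example.org,volunteer
"""

# Vendor default or generic account names that should be renamed or disabled (assumed list).
DEFAULT_LOGINS = {"admin", "administrator", "root", "guest", "test", "sa", "user"}


def load_rows(csv_text: str) -> list[dict]:
    """Parse CSV text with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_access(accounts_csv: str, roster_csv: str) -> list[tuple[str, str]]:
    """Return (finding, login) pairs in export order; an empty list means nothing to fix."""
    current_people = {row["email"].strip().lower() for row in load_rows(roster_csv)}
    findings = []
    for row in load_rows(accounts_csv):
        login = row["login"].strip()
        owners = [e.strip().lower() for e in row["owner_email"].split(";") if e.strip()]
        if login.lower() in DEFAULT_LOGINS:
            # A default name usually means a default password too; rename or disable it.
            findings.append(("default_login", login))
            continue
        if not owners:
            # Nobody is accountable for this login, so nobody will notice its misuse.
            findings.append(("no_named_owner", login))
            continue
        if len(owners) > 1:
            # Shared logins defeat the audit trail and cannot be revoked for one person.
            findings.append(("shared_login", login))
        for owner in owners:
            if owner not in current_people:
                # Owner has left but the account is still active.
                findings.append(("orphaned_account", login))
    return findings


if __name__ == "__main__":
    for finding, login in review_access(ACCOUNTS_CSV, ROSTER_CSV):
        print(f"{finding:18} {login}")
```

Run it on a schedule (quarterly at least, and on every departure); each line of output is an account to rename, split into individual logins, assign an owner, or disable.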

This article is published as part of NTEN’s Member Appreciation Month.

Vince Thomas
Founder and CEO
Vincent Thomas is founder and CEO of Troy, Michigan-based Billhighway, the foremost provider of cloud-based accounting solutions tailor-made for nonprofit organizations. While still a college student, Thomas developed Billhighway as a means to better manage finances among roommates. Today, more than 3,500 nonprofits have trusted Billhighway to seamlessly manage nearly $6 billion in transactions. Thomas was named 2011 Ernst & Young Entrepreneur Of The Year.