It's not just multimillion pound companies that are targeted by fraudsters - charities are seen as soft targets because many are less secure than banks and businesses. Tony Hodson looks at the risks that they face and presents case studies of five recent voluntary sector scams.
On 11 September 2001, shocked New Yorkers watched as thousands of lives were destroyed in a terrorist attack. On 13 September, a shocked international aid agency realised that ruthless fraudsters were stealing money donated to help the victims.
The scam, known as 'pharming', sounds too easy to be true. Hackers hijacked the genuine site's domain, redirecting its unsuspecting visitors to a fake website with exactly the same design, feel and, crucially, the same ability to accept donations. But these donations were going not into the coffers of a charity contributing to the huge relief effort at Ground Zero, but into the pockets of a few ruthless individuals.
It was every charity's worst nightmare. And what made it worse was that everyone was so focused on raising funds for the emergency that it was not just minutes or hours before anyone noticed something was amiss - it was days.
"Who was checking this and who was asking the right questions, I just don't know," says Dr Stephen Hill, technical and training manager and a specialist in internet fraud awareness at the charity accounting firm Chantrey Vellacott DFK, which is running a seminar on the impact of fraud on charities on 4 May. "No one can even attempt to put a figure on how much was lost."
No one bar the culprits, that is, who remain undetected simply because no one is looking for them - the fraud has never been reported and no one at the charity will even admit that it happened.
The reason the charity didn't report the incident is simple, according to Hill. "If a charity admits to falling victim to a fraud such as this, people are immediately going to think twice before donating to it again," he says. "That's why definitive figures are so hard to come by. Last month we were told that identity fraud is costing the UK £1.7bn a year, but you inevitably wonder how much more is going unreported."
Hill is right that definitive figures are hard to come by. But those figures that are available tell a story. According to the Association for Payment Clearing Services, attempted financial frauds in the UK amounted to £556.4m in 2003, a figure that rose to £665m in 2004. The danger is significant - and charities, it seems, are seen as soft targets.
"Charities can feel that no one's going to target them because they exist for a good purpose," says Hill. "They tend to be more naive and not as careful as, say, a bank or a corporate foundation would be about giving away confidential information."
Tony Quinn is a senior manager in the compliance and support unit at the Charity Commission. He agrees that the voluntary sector is susceptible to the opportunism of fraudsters who believe it suffers from a relative lack of vigilance and security. But he says charities can defend themselves against such attacks by thinking of their assailants as mere businessmen.
"Fraudsters will always be willing to go that one step further, providing it's economically viable to do so," he argues. "In this sense, fraud is like any other sector of the economy - it's based on building big profits from minimum investment. Charities must do whatever they can to obstruct the fraudsters, to force them into making more of an investment for a less likely return."
As the most recent case of charity fraud proves, however, even the heaviest defences can be breached. In December the Catholic charity Aid to the Church in Need discovered that its password-protected and encrypted website had been hacked into and donors' credit card details stolen. It immediately closed down the site and, amid fears for the security of processing online transactions, is yet to reopen an avenue of raising funds which it had been keen to develop.
Aid to the Church in Need's daily monitoring of its online transactions did guarantee that the fraud was detected at an early enough stage to minimise what was still a significant hit on donors' accounts. Attempted frauds are increasing year on year, so charities must embrace this combination of vigilance and effective organisation if they are to remain unaffected, says Quinn.
"The more vigilant the trustees, and the more controls that are put in place and adhered to, the less likely it is that charities will be defrauded," he says.
THE FIVE GREAT FRAUDS OF OUR TIME (AND HOW TO AVOID THEM)
Victim: Aid to the Church in Need
In December last year, hackers broke into an administrative area of the charity's website, which included the names, addresses and credit card details of supporters who had donated money through the organisation's online shop. Hackers got away with thousands of pounds of donors' money, although the charity has hinted that the victims will not be held liable by the credit card companies.
"The information was stored on what we considered to be an entirely secure server," says Terry Murphy, media officer at Aid to the Church in Need.
"They managed to get into an area that was password-protected and encrypted."
The investigation continues into what Neville Kyrke-Smith, UK national director at the charity, called the work of "the most skilled of internet criminals". Meanwhile, the Charity Commission praises the system Aid to the Church in Need had in place, whereby the database storing details of online transactions was checked daily. It was the disappearance of this database that first alerted staff to the possibility of the fraud that was discovered soon afterwards.
"We took the decision to publicise this as much as possible," says Murphy.
"We have been in touch with other charities because we are aware that hackers might see the sector as a soft touch."
THE INTERNAL FRAUD
Victim: Helston Downsland Charity
"You're always more vulnerable from the inside than the outside," says Stephen Hill at Chantrey Vellacott DFK. "People on the inside don't have to break a window or trigger an alarm."
Former solicitor Nicholas Walker was appointed clerk to the trustees of the Cornwall grant-making trust in late 1999. Less than four years later, he was sentenced to five years' imprisonment for defrauding it of more than £300,000.
A Charity Commission investigation found that "as a result of minimal supervision and a lack of accountability, the clerk had been able to alter bank mandates from three signatures to solely his own". The trustees had been persuaded to sign four cheques on which the payee had been left blank.
The commission's conclusion read: "One of the prime financial controls is the separation of those responsibilities or duties which, if combined, would enable one person to record and process a complete transaction. If duties are segregated, this reduces significantly the scope for abuse."
The process of dual signatories on charity accounts has been a simple but effective tool in reducing the possibilities of internal fraud. "We've never come across dual signatories working together to defraud a charity," says Stephanie Lennon, marketing and communications officer at Unity Trust Bank. "The whole point of dual signatures is to add a level of security so that you don't have just one person controlling all the finances."
THE BOGUS DONOR FRAUD
Victim: Brian Byrnes Memorial Fund
In 2004 the fund, a small charity supporting orphans in Bangladesh, received a cheque for £4,500 - an amount that would have quadrupled its average income. Before the cheque was cashed, the donor asked for £2,500 to be returned to a separate bank account, citing an "administrative error" for the overpayment.
Peter Byrnes, chair of the charity's trustees, said that it was all very believable at the time. "The cheque was from a genuine bank and I spoke to the donor on the phone several times. We're used to spotting scams, but because we received a cheque from an individual we took it to be legitimate."
Byrnes held fire, however, and was quick to contact both the police and the Charity Commission when the original cheque bounced. "If someone came up to you in the middle of the street and said 'here, I'm going to give you £5', you might doubt whether it was genuine or not," says Tony Quinn at the Charity Commission. "The problem with charities is that they are used to people approaching them to give them money - this is where they can be vulnerable."
In the wake of the fraud attempted on the Brian Byrnes Memorial Fund, the commission made it clear that charities should never return any donation before the original cheque has cleared.
THE PROFESSIONAL FEE FRAUD
Victim: The Talbot Village Trust
In February 2004, three construction industry professionals were convicted of defrauding the trust of £3.5m through the manipulation of six building contracts worth a total of £15m. The fraud had taken place over a period of ten years and involved invoicing for work not done and disguising inflated professional fees in the contracts.
No one connected to the trust would speak to Third Sector about the case because it is still in the process of trying to reclaim the final portion of the defrauded funds. But Tony Quinn at the Charity Commission has sympathy for the victims of this fraud, against which he considers it is almost impossible for organisations to defend themselves.
"In fairness to the trustees, it was a sophisticated con," he says. "The people who defrauded them were their own professional associates. Because it was such a huge amount of money and it was lost over a period of some time, it's tempting to go around looking for scapegoats. But we concluded that, sadly, this was actually something that would be very difficult to prevent happening in the future. When a number of people are working in collusion in a case such as this, detecting fraud is nigh on impossible."
THE GIFT AID FRAUD
Early last year Sign, the National Society for Mental Health and Deafness, uncovered a new form of fraud when it spotted two new standing orders adding up to hundreds of pounds set up on one of its bank accounts. The charity acted fast and prevented any losses, but the warning had sounded.
"The fraudster had got hold of our bank details from Gift Aid forms," says Steve Powell, chief executive at Sign.
Stephen Hill explains: "Charities are exposing themselves by giving out their own bank details like this. They're not giving everything away, but it doesn't take a genius to work out the steps required to compromise a charity's own bank account."
In its fraud awareness guidelines for charities, Unity Trust Bank offers a simple but effective solution. "Although it is reasonable to expect account information to appear on Gift Aid forms, where possible we recommend you open a deposit-only account for such donations," it says. "If you feel this isn't an option that suits you, you may wish to introduce an alternative method so the donor can email you to request a form. This way you can monitor and track who you are sending your details to."
At Sign, Powell has gone even further. "Every time a new standing order is set up on any of our accounts, we ask the bank to contact us directly so we can authorise the process personally. That is the only way you can truly protect yourself."