11th January 2018
Spoofing, vishing and phishing may not be words common in the vocabulary of most not-for-profit organisations, but they should be.
Worrying times in the charity sector: the 2017 Annual Fraud Indicator report puts fraud in the sector at £2.3 billion, including a huge £990 million in payroll fraud.
The November 2017 report, backed by the Portsmouth Centre for Counter Fraud Studies and Experian, identifies three key areas of fraud within the not-for-profit sector: procurement fraud accounting for £1,163 million, payroll fraud £990 million, and grant fraud £161 million.
With payroll fraud and data theft attracting plenty of media attention, some of it making national headlines, charities need to be especially on guard against external threats and internal misconduct, detecting and ultimately preventing payroll fraud. With GDPR in force from May 2018, charities will need to tighten up their procedures and processes to stay in control.
In the UK there are three basic types of internal payroll fraud:
• Ghost employees
• False wage claims
• Over-inflated expense claims
Mark Button, in his book Countering Fraud for Competitive Advantage, suggests that most people would commit fraud if they thought they could get away with it, and false wage claims and over-inflated expense claims are certainly common in organisations. The creation of ghost employees (payees on the payroll who do no work for the organisation, real or fictitious, whose pay is diverted to the fraudster), however, usually involves someone at the heart of the organisation’s payroll function, sometimes with external help.
According to insurer Hiscox, 40% of fraud is committed by a finance or accounting professional, with the remainder predominantly committed by employees in senior roles, right up to CEO.
Externally, charities are increasingly becoming targets for sophisticated spoofing, vishing, phishing and whaling attacks (whaling is phishing aimed at senior staff such as the CEO or finance director).
Spoofing, vishing and phishing – the facts
Spoofing – A type of scam where an intruder pretends to be a trusted person or organisation, most often by forging the sender address or display name on an email, in order to gain unauthorised access to a user’s systems or information. The sender details on an email are trivial to forge, so a request to change bank details or make an urgent payment should be verified by calling back on a number you already hold, never by replying to the message. Read what happened at Bolton Hospice
Vishing – Voice phishing: a fraudster makes a telephone call posing as a bank representative (or another trusted party) to persuade the victim to hand over financial information or authorise a payment. A genuine bank will not ask you to move money to a “safe account” over the phone. Read what happened to The Highland Hospice
Phishing – Fraudsters seeking to obtain sensitive information such as passwords, usernames, bank details or other financial information by electronic means (including emails, pop-ups or fake websites) while appearing to be a trustworthy source, typically by directing the victim to a fake login page.
What can be done to combat payroll fraud?
1) Let everyone know what’s expected
Have clear guidelines, coaching and training on the impact of fraud on your organisation.
2) Talk about fraud openly
Bring fraud into the open and discuss it from the top down. Ask your employees to be vigilant and to tell you about any weaknesses in your systems; you may not have thought of every possible failure.
3) Reduce the risk
Use an outsourced provider for your payroll and build your internal audit procedures and practices around it, ensuring that anything still handled internally requires dual authorisation or ongoing audit checks. Outsourcing does not remove your responsibility: you still own the data and the payment approvals, so use the time it frees up to review the payroll run before it is paid.
4) Thoroughly check who you’re employing – both internally and externally
Comprehensive employee screening should be the norm internally. Ensure any outsourced payroll provider holds ISO 27001 certification and CIPP Payroll Assurance Scheme accreditation, so that you can be confident security is at the top of their agenda. Check that the scope of the ISO 27001 certificate actually covers the payroll service you are buying; a certificate is evidence of a managed security process, not a guarantee against fraud.
5) Know your team
Always be on the lookout for anomalies, e.g. two employees sharing an address or bank account, a payee who never takes leave, or a record with no tax or National Insurance deductions, and thoroughly check employee expenses.
6) Never leave just one person in charge
It’s hard, especially in smaller charities, to have more than one person involved in payroll, but it’s risky: the person who sets up an employee record should not also be the person who approves the payment. If you cannot separate those duties in your organisation, rotate roles regularly, or get someone independent to sign off payments and to reconcile the payroll run against HR’s list of who actually works for you.
7) Stay on top of leavers
Make sure your procedures when someone leaves are watertight: HR must tell payroll the leave date promptly, and each pay run should be checked against the leavers list so that nobody continues to be paid after they have gone. The Government and NCVO provide useful advice on fraud prevention, and a reputable payroll provider will give you the secure service you need to protect your hard-fought reputation.
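As an added example that is not part of this article or any payroll provider’s software, the checks in points 5, 6 and 7 can be run automatically over every payroll run by someone independent of the person who prepares it. The script below, written for this page, compares a constructed sample payroll run against a constructed HR register and flags four things: payees missing from the HR register (possible ghost employees), leavers paid after their leave date, and employees sharing a bank account or an address. All names, addresses, sort codes and account numbers are made up.

```python
"""Independent payroll-run anomaly checks (added example, not the article's
own tooling). Reads a payroll run and the HR register, returns findings."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Hashable, List, Optional, Tuple


@dataclass(frozen=True)
class Payment:
    """One line of the payroll run (constructed sample data below)."""
    employee_id: str
    name: str
    address: str
    sort_code: str
    account: str
    amount: float


@dataclass(frozen=True)
class HrRecord:
    """One line of the HR register; leave_date None means still employed."""
    employee_id: str
    name: str
    leave_date: Optional[date]


def normalise(text: str) -> str:
    """Lower-case and collapse punctuation/whitespace so that
    '12 High St, Bolton' and '12 high st bolton' compare equal."""
    return " ".join(text.lower().replace(",", " ").split())


def duplicate_groups(payments: List[Payment],
                     key: Callable[[Payment], Hashable]) -> Dict[Hashable, List[str]]:
    """Group payee IDs by key and keep only keys shared by 2+ payees."""
    groups: Dict[Hashable, List[str]] = defaultdict(list)
    for p in payments:
        groups[key(p)].append(p.employee_id)
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def check_payroll_run(payments: List[Payment], hr_records: List[HrRecord],
                      pay_date: date) -> List[Tuple[str, object]]:
    """Return (rule, detail) findings for one payroll run."""
    findings: List[Tuple[str, object]] = []
    hr = {r.employee_id: r for r in hr_records}

    # Rule 1: every payee must exist in the HR register (ghost employee check).
    for p in payments:
        if p.employee_id not in hr:
            findings.append(("not_in_hr", p.employee_id))

    # Rule 2: nobody is paid after their recorded leave date.
    for p in payments:
        rec = hr.get(p.employee_id)
        if rec and rec.leave_date and rec.leave_date < pay_date:
            findings.append(("paid_after_leaving", p.employee_id))

    # Rule 3: two payees paid into the same bank account.
    for ids in duplicate_groups(payments, lambda p: (p.sort_code, p.account)).values():
        findings.append(("shared_bank_account", tuple(ids)))

    # Rule 4: two payees registered at the same address.
    for ids in duplicate_groups(payments, lambda p: normalise(p.address)).values():
        findings.append(("shared_address", tuple(ids)))

    return findings


# Constructed sample data: a fictitious hospice's January pay run.
PAY_DATE = date(2018, 1, 31)
HR_REGISTER = [
    HrRecord("E001", "Alice Smith", None),
    HrRecord("E002", "Bob Jones", None),
    HrRecord("E003", "Carol White", date(2017, 12, 15)),  # left in December
]
PAYROLL_RUN = [
    Payment("E001", "Alice Smith", "12 High St, Bolton", "12-34-56", "11111111", 1800.0),
    Payment("E002", "Bob Jones", "4 Mill Lane, Bolton", "12-34-56", "22222222", 2100.0),
    Payment("E003", "Carol White", "9 Park Rd, Bolton", "12-34-56", "33333333", 1950.0),
    # Not in HR, and paid into Alice's account at Alice's address: a ghost.
    Payment("E999", "Dan Ghost", "12 high st bolton", "12-34-56", "11111111", 1700.0),
]


if __name__ == "__main__":
    for rule, detail in check_payroll_run(PAYROLL_RUN, HR_REGISTER, PAY_DATE):
        print(f"{rule}: {detail}")
```

The HR register should come from a system the payroll preparer cannot edit; if the same person controls both lists, rule 1 tells you nothing. The address and bank-account rules will produce legitimate matches (spouses, house-shares), so treat findings as questions for the independent reviewer to close off before the run is approved, not as proof of fraud.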