Preventing Fraud

It’s been over six months since I last blogged about fraud risk in small businesses and nonprofits. Tax season and the new tax law must have distracted me. But fraud has not stopped lurking, robbing organizations of their hard-earned funds.

In case you forgot, fraud is an illegal act involving deceit, concealment, or a violation of trust. Fraud doesn’t involve physical threats of violence or force. Fraud is committed to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.

Fraud is not unique to any one type of organization. The opportunity to commit fraud exists everywhere, including public and private businesses and nonprofits. Small businesses and nonprofits are even more susceptible to fraud because of typically lower levels of staffing and technology. Plus, the environment at nonprofits and small businesses espouses trust that could be exploited by people who are unscrupulous or experiencing extreme financial pressures.

First — recognize that fraud can happen. Second — implement an action plan to help prevent fraud from happening. How? Minimize the chances that fraud will happen at your organization with these three tips:

  • Separate Tasks – The most powerful weapon against fraud is separating tasks or duties that should not be performed by the same person, like separating expense approval and payment from the person who reconciles the bank account. Separating duties prevents one person from having so much control over financial activities that she or he could take funds without detection.
  • Investigate Anomalies – Identify anomalies, or exceptions, from expected conditions or results. Is your cash flow within a normal expected range? Are your sales returns higher than usual? Investigate performance and results that fall outside the expected range and take action. Looking into unusual activity could draw attention to and end fraudulent activities. Even if no fraud has occurred, you can take corrective action as needed.
  • Independent Monitoring – Periodic independent monitoring by a knowledgeable party is another way to safeguard financial assets. Methods include supervisor reviews, periodic audits and effective governance. Exception reports or anomalies should ideally be investigated by someone who is independent of the original activity. Nonprofits with limited staff can involve the Board Treasurer in the monitoring process.

Important steps for preventing fraud are to recognize that fraud can happen and to implement an action plan to mitigate the risk of loss. Powerful weapons like separating tasks, investigating anomalies and independent monitoring all reduce the risk of losing money, property, services or reputation. Trust is great; implementing fraud prevention tips is priceless.

Award or Cyber Threat?

I don’t generally believe in coincidences, but one sure happened to me last week. On the very same day that I was talking to a colleague about how obvious phishing e-mails can be, I received a cleverly disguised phishing message that was very tempting…at first.

Many scam e-mails come from someone you know who has been hacked. A message is sent to everyone in that person’s contacts. It contains a link and urges recipients to click on it to see something amazing. Clicking on that link infects your computer with malware or ransomware.

Another version is phishing for your banking and other financial information by masquerading as a bank that has an incoming wire transfer for your account. All you need to do is approve the transfer by clicking on a link that similarly infects or compromises your computer and your data.

My tempting phishing message was cleverly planned just for me (aren’t I special?). It did not come through my regular e-mail; it was sent as a Request for Service on my business website. The title was “Nominated for Best Business Award” and said I had been nominated for Best Consulting Business in Arlington, Virginia, where my business is located. All I needed to do was to click on the link. The message even contained a password I was to use to access the link.

How cool is it to be nominated for an award? Who could resist learning more? I knew of the Arlington Best Business Awards, sponsored by the Arlington Chamber of Commerce, and Arlington’s Best Business Awards, sponsored by Arlington Magazine. I was super excited to be nominated!

But not too excited to stop and make a few observations. For example, the message came from a third party that I did not recognize. The award category was not familiar, based on my attendance at award recognition events in the last few years. Then, I vaguely remembered that the 2018 Chamber and Arlington Magazine awards were already celebrated earlier in the year.

It was a scam! After a little detective work on the internet, I was sure that I was not nominated for an award and that I was targeted for a cyber threat. I searched the name on the e-mail extension and found that it led to a website that my computer’s security wouldn’t let me access because the site was infected. I looked at Arlington Magazine’s and Arlington Chamber’s websites and found that not only had the 2018 awards been bestowed, there was no category for Best Consulting Business.

I felt very lucky that I resisted the temptation to click on that link, even if it meant that I was not nominated for an award. At work or at home, your confidential information is at risk. Spending money and time on computer security protection won’t do any good if you or someone who works with you clicks on a cyber threat disguised as an award, a funds transfer, or something amazing to see.