Tom Ciolkosz Sarah McConnell James Foster Preventing Nonprofit Banking Fraud and the Tools You Can Use!

FHRBOC Preventing NFP Banking Fraud


Page 1: FHRBOC Preventing NFP Banking Fraud



NFP Banking Fraud & Tools for You!

• In the news

• Fraud: the fraud triangle, internal controls

• Protecting your online environment

• Banking financial fraud

• Tools for you!

• Checklist

• Resources


Data Breach Headlines


Washington Post Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits

∙ For 14 years, the American Legacy Foundation has managed hundreds of millions of dollars drawn from a government settlement with big tobacco companies, priding itself on funding vital health research and telling the unadorned truth about the deadly effects of smoking.

∙ Yet the foundation, located just blocks from the White House, was restrained when asked on a federal disclosure form whether it had experienced an embezzlement or other “diversion” of its assets.

By Joe Stephens and Mary Pat Flaherty October 26, 2013


Washington Post Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits

∙ Legacy officials typed “yes” on Page 6 of their 2011 form and provided a six-line explanation 32 pages later, disclosing that they “became aware” of a diversion “in excess of $250,000 committed by a former employee.” They wrote that the diversion was due to fraud and now say they believe they fulfilled their disclosure requirement.


Washington Post Inside the hidden world of thefts, scams and phantom purchases at the nation’s nonprofits

∙ Records and interviews reveal the full story: an estimated $3.4 million loss, linked to purchases from a business described sometimes as a computer supply firm and at others as a barbershop, and to an assistant vice president who now runs a video game emporium in Nigeria.

∙ Also not included in the disclosure report: details about how Legacy officials waited nearly three years after an initial warning before they called in investigators.


Question #1

Have you experienced fraud in your organization or personal life?


What is Fraud?

Fraud is a deception deliberately practiced in order to secure unfair or unlawful gain (adjectival form fraudulent; to defraud is the verb).

The two main types of fraud

• Misappropriation of assets – theft of company's assets

• Fraudulent financial reporting – misrepresentations in financial reports


How Prevalent is Fraud?

∙ Statistics

• 10% of frauds occur in not-for-profit organizations

• It typically lasts 18 months

• Approximately 55% were committed by single individuals

• Median loss of $100,000

∙ Primary Areas of Weaknesses*

• Lack of controls

• Override of existing controls

• Lack of management review

• Poor tone at the top

*One of these factors was present in over 80% of the cases studied

* According to the Association of Certified Fraud Examiners


What are the Clues?


Behavioral Red Flags

• Living beyond means

• Refusal to take vacation

• Unwillingness to share duties


Unique Challenges to Non-Profits

More trusting culture

Lack of financial expertise in management positions

Lack of resources

Red Flags!

• Living beyond means

• Refusal to take vacation

• Unwillingness to share duties


What Can You Do – Internal Controls!!

Two types of internal controls

• Deterrence

• Detection


Question #2

What are your best practices for fraud detection and deterrence?


Protecting Your Online Environment


Harvesting Information through Social Media


Social Engineering: Phishing

Phishing relates to acquiring confidential information by masquerading as a trustworthy entity in an electronic communication.

What to watch for:

• Links in email

• Spelling and grammar

• Popular company

• Urgency


Social Engineering: Spoofing

Spoofing is when a spammer sends out emails using your email address in the From: field. The idea is to make it seem like the message is from you.

What to watch for:

• You see mailer daemon error messages (returned emails) in your inbox that do not match any messages you sent

• You get messages from people who received email from you that you did not send


Keystroke Logging

What is a Keylogger? Whether it is called a keylogger, spyware or monitoring software, it can be the equivalent of digital surveillance, revealing every click and touch, every download and conversation.

Malicious intent:

• Account information

• Credit card numbers

• User names

• Passwords


Question #3

Have you ever experienced a social engineering scheme?


Protect your online environment

∙ Be sure your bank uses a two-factor authentication process. The best way to utilize a two-factor authentication communication is:

• Email

• Cell Phone

• Phone


Further Controls

∙ Educate your employees

∙ A strong security program should be paired with employee education about the warning signs and safe practices that you can implement.

∙ The best secure password is:

• Password

• 1234

• May2009marie

• S97@fde


Banking Financial Fraud


Check Fraud

Problem: Another way for fraudsters to get access to your money is to create counterfeit checks, either by stealing your check stock or by obtaining a legitimate check and copying it.

Solution: Check Positive Pay - This is an antifraud service offered by banks to help protect businesses against fraud from altered and counterfeit checks. Positive pay assists in the creation, transmission, and research of check records sent to the bank for payment.


Fraudulent Check

What's Different?

$210.00


Check Deposit Fraud

Problem: With remote deposit capture or mobile phone deposit technology, check fraud can take the form of double debiting. For example, an organization issues a check to an individual and the individual deposits the check through a scanner or smartphone. The individual then quickly takes it to another bank to cash it. Both transactions flow through the check clearing process, which could result in the account being debited twice. This could go undiscovered until the account is reconciled.
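The matching behind Check Positive Pay, and how the same issue file catches a double deposit before reconciliation, shown as an added example that is not part of the original presentation. The record layouts, the payee comparison and all sample values are assumptions made for illustration; a bank's actual file format will differ.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount_cents: int
    payee: str
    voided: bool = False

@dataclass(frozen=True)
class PresentedItem:
    number: int
    amount_cents: int
    payee: str
    channel: str  # hypothetical label, e.g. "mobile-deposit" or "teller"

def review_presentments(issue_file, presented):
    """Return (pay, exceptions): items that match the issue file, and
    (item, reason) pairs the account holder must approve or return."""
    issued = {c.number: c for c in issue_file}
    already_paid = set()
    pay, exceptions = [], []
    for item in presented:
        rec = issued.get(item.number)
        if rec is None:
            reason = "not in issue file (possible counterfeit)"
        elif rec.voided:
            reason = "check was voided"
        elif item.number in already_paid:
            reason = "duplicate presentment (already paid)"
        elif item.amount_cents != rec.amount_cents:
            reason = "amount differs from issue file (possible alteration)"
        elif item.payee.strip().lower() != rec.payee.strip().lower():
            reason = "payee differs from issue file"
        else:
            already_paid.add(item.number)
            pay.append(item)
            continue
        exceptions.append((item, reason))
    return pay, exceptions

# Constructed sample data, not taken from the presentation.
ISSUE_FILE = [
    IssuedCheck(1001, 21000, "Office Supply Co"),
    IssuedCheck(1002, 75000, "J. Doe"),
    IssuedCheck(1003, 12500, "City Utilities", voided=True),
]
PRESENTED = [
    PresentedItem(1001, 91000, "Office Supply Co", "teller"),  # altered amount
    PresentedItem(1002, 75000, "J. Doe", "mobile-deposit"),    # legitimate
    PresentedItem(1002, 75000, "J. Doe", "teller"),            # same check again
    PresentedItem(2050, 40000, "Unknown LLC", "teller"),       # never issued
]
```

Calling `review_presentments(ISSUE_FILE, PRESENTED)` pays only the first deposit of check 1002 and returns the other three items as exceptions with their reasons.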


ACH Fraud

Problem: The fraudster targets nonprofit organization accounts in search of bigger payouts. Fraudsters will steal online banking credentials by hacking computer networks and installing key logging software or malware. Once the thief has the right credentials, they can access the organization's accounts and send out wires or ACHs to another country and into their own bank accounts.

Solution: ACH Positive Pay - This allows clients to assign filtering or blocking services to various accounts based on company IDs, standard entry class codes, and dollar amounts.
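How an ACH Positive Pay filter combines the three criteria named above (company ID, standard entry class code, dollar amount) with per-account blocking, as an added example that is not part of the original presentation. It screens debits presented against the organization's accounts; the account names, company IDs, limits and the default-deny behaviour are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AchFilter:
    sec_codes: frozenset   # standard entry class codes allowed, e.g. CCD, CTX
    max_cents: int         # largest single debit allowed from this originator

@dataclass(frozen=True)
class AchDebit:
    account: str
    company_id: str
    sec_code: str
    amount_cents: int

def screen_debit(debit, filters, blocked_accounts=frozenset()):
    """Return (decision, reason). Anything without a matching filter becomes
    an exception for the account holder to approve or return (default deny)."""
    if debit.account in blocked_accounts:
        return "EXCEPTION", "account is blocked for all ACH debits"
    rule = filters.get((debit.account, debit.company_id))
    if rule is None:
        return "EXCEPTION", "company ID not authorized on this account"
    if debit.sec_code not in rule.sec_codes:
        return "EXCEPTION", "entry class code not authorized for this company"
    if debit.amount_cents > rule.max_cents:
        return "EXCEPTION", "amount exceeds authorized limit"
    return "PAY", "matches filter"

def screen_batch(debits, filters, blocked_accounts=frozenset()):
    """Screen a day's debits and return only the exceptions with reasons."""
    results = ((d, screen_debit(d, filters, blocked_accounts)) for d in debits)
    return [(d, reason) for d, (decision, reason) in results if decision != "PAY"]

# Constructed sample data: account names, company IDs and limits are invented.
FILTERS = {
    ("OPERATING", "1234567890"): AchFilter(frozenset({"CCD"}), 500_000),
    ("OPERATING", "9876543210"): AchFilter(frozenset({"CCD", "CTX"}), 2_000_000),
}
BLOCKED = frozenset({"ENDOWMENT"})
DEBITS = [
    AchDebit("OPERATING", "1234567890", "CCD", 450_000),    # authorized
    AchDebit("OPERATING", "1234567890", "WEB", 450_000),    # wrong entry class
    AchDebit("OPERATING", "9876543210", "CCD", 2_500_000),  # over the limit
    AchDebit("OPERATING", "5550001111", "CCD", 10_000),     # unknown originator
    AchDebit("ENDOWMENT", "1234567890", "CCD", 10_000),     # blocked account
]
```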


Credit Card Fraud

∙ EMV Chip

• Change in laws

∙ Fraudulent transactions

∙ Inventory and review of cards

• Count

• Physical location

• Limited use


Question #4

Has anyone had a corporate or personal credit card compromised? What about a bank account?


Question #5

What controls do you have in place to prevent bank fraud?


Pay attention and react quickly

∙ Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity and remove any systems that may have been compromised.

∙ Also consider ACH and Positive Pay

∙ Do you perform bank reconciliation on your operating account?

• Monthly

• Weekly

• Daily

• Quarterly


Understand your responsibilities and liabilities

The Electronic Funds Transfer Act (EFT), also known as Regulation E, was implemented in the U.S. in 1978 to establish the rights and liabilities of consumers as well as the responsibilities of the financial institution in EFT activities.

Regulation E covers a consumer under certain conditions, limiting loss to $50 if the institution is notified within two business days.

There currently are no similar loss protections for commercial customers.

The account agreement with your bank will detail what commercially reasonable security measures are required by your organization.


What can you do tomorrow?

Talk to your IT department

• How are you protected from phishing, keystroke logging, etc.?

• What training can you regularly give your employees?

• What is your password policy?

Talk to your bank

• Is Positive Pay available?

• Do they offer credit card protection?


What can you do tomorrow?

Review your internal controls (now and at least annually)

• Bank reconciliations

• Vacation policy

• Segregation of duties

• Credit card use

What is your culture for sharing fraud concerns? What is the tone at the top?


Questions



Resources

You can also visit the following websites to learn more about how to protect your nonprofit organization:

• Johnson Lambert LLP website: www.johnsonlambert.com

• Access National Bank website: www.accessnationalbank.com

• ACFE Fraud Prevention: http://www.acfe.com/uploadedFiles/ACFE_Website/Content/documents/Fraud_Prev_Checkup_DL.pdf

• Greater Washington Society of CPAs: Nonprofit Accounting Basics: http://www.nonprofitaccountingbasics.org/topic/internal-controls

• Federal Communications Commission: 10 Cybersecurity Strategies for Small Business: https://www.uschamber.com/sites/default/files/legacy/issues/defense/files/10_CYBER_Strategies_for_Small_Biz.pdf


Thank you for your participation!

Sarah McConnell, Principal, Johnson Lambert LLP

James Foster, CFO, Northern Virginia Association of Realtors

Tom Ciolkosz, Vice President, Commercial Banker, Access National Bank