Nonprofit Accounting Basics

Preventing Nonprofit Banking Fraud!

Technology has dramatically changed how we all work, play, and use our mobile phones, computers, and iPads. So, it should come as no surprise that fraudsters are using this same technology to commit all types of financial fraud against nonprofit organizations.

When it comes to banking, there are many types of fraud schemes out there, and new types being engineered every single day. Fraudsters typically test their schemes with small amounts to see if the transactions go through unnoticed, and then gradually increase to the big paydays. Fraud is happening both externally via hackers and vendors, and internally by employees who are improperly scanning checks for payment.

Below are some specific examples of the types of fraud occurring, from a banker’s perspective, along with some real solutions you can implement to protect your organization. They are followed by best practices and preventive measures your organization can implement to reduce its exposure to financial fraud. Here are a few examples and recommendations:

Problem: Check fraud.

When check fraud meets remote deposit capture (check scanners or mobile phone deposit technology), the result is a new fraud: double debiting. For example, an organization issues a check to an individual. The individual deposits the check through a scanner or smartphone, then quickly takes it to a check-cashing store or another bank that cashes it. Both transactions flow through the check-clearing process, which could result in the account being debited twice. This could go undiscovered until the account is reconciled.

When check fraud meets online banking technology, the result is paperless check fraud.  The old model for creating counterfeit checks is to steal check stock or obtain a legitimate check and copy it.  In the technology world, images of paid checks typically are archived online.  If phishers and hackers can access those archives, they will print a check image and create counterfeits from the image.

Solution: Check Positive Pay.

Check Positive Pay is an anti-fraud service offered by banks to help protect businesses against altered checks and counterfeit check fraud. The system matches the account number, check number, and dollar amount of each check presented for payment against the Issued File(s) submitted by the business. A mismatch in any of the three components creates an “exception item,” which lets the business owner and clients decide whether to pay or return the check.
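The matching described above can be sketched in a few lines. This is an added example, not code from the original article or from any bank's system; the record layout, account and check numbers, and amounts are constructed, and the duplicate-presentment rule is an assumption that goes beyond the three-field match in order to cover the double-debiting scenario described earlier.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    account: str     # account number
    number: str      # check number
    amount: Decimal  # dollar amount

def load_issued(rows):
    """Index the issued file by (account number, check number)."""
    return {(r.account, r.number): r.amount for r in rows}

def review_presentments(issued, presented):
    """Return (paid, exceptions); each exception is a (check, reason) pair."""
    paid, exceptions, already_paid = [], [], set()
    for chk in presented:
        key = (chk.account, chk.number)
        if key not in issued:
            # Wrong account or unknown check number: counterfeit or unissued.
            exceptions.append((chk, "not in issued file"))
        elif issued[key] != chk.amount:
            # Account and number match but the dollar amount was altered.
            exceptions.append((chk, "amount mismatch"))
        elif key in already_paid:
            # Assumed extra rule: the same item presented a second time.
            exceptions.append((chk, "duplicate presentment"))
        else:
            already_paid.add(key)
            paid.append(chk)
    return paid, exceptions

# Constructed sample data: two issued checks, four presentments.
ISSUED = load_issued([
    Check("000111", "1001", Decimal("250.00")),
    Check("000111", "1002", Decimal("1200.00")),
])
PRESENTED = [
    Check("000111", "1001", Decimal("250.00")),   # legitimate deposit
    Check("000111", "1001", Decimal("250.00")),   # same check cashed again
    Check("000111", "1002", Decimal("7200.00")),  # altered amount
    Check("000111", "1003", Decimal("900.00")),   # never issued
]

if __name__ == "__main__":
    paid, exceptions = review_presentments(ISSUED, PRESENTED)
    for chk, reason in exceptions:
        print(f"EXCEPTION check {chk.number} for ${chk.amount}: {reason}")
```

Each exception item is what the organization would review to make its pay-or-return decision; only the first presentment of check 1001 is paid automatically.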

Problem: ACH fraud.

The newest ACH fraud model in search of big bucks targets nonprofit organization accounts.  Cyber thieves steal online banking credentials by hacking computer networks and installing key logging software or "malware."  With those credentials, they access the organization's accounts and clear them out by sending ACH credits to their own accounts, often outside U.S. jurisdiction.

Solution: ACH Positive Pay.

ACH Positive Pay is designed to protect business-client accounts from unauthorized electronic charges. Two methods of protecting your organization are detailed below.

Solution: ACH Blocking.

All ACH debit transactions are blocked and clients make daily pay or no-pay decisions for each item.

Solution: ACH Filtering.

Automatic payment of ACH transactions is based on pre-established organization IDs, Standard Entry Class, or dollar amounts. The client makes a decision to return or pay any exception items.

These are just a few examples of the types of financial fraud that can negatively impact your organization. Here are some other administrative controls you can implement in your organization:

1. Educate your employees. Pair a strong security program with employee education about the warning signs and the safe practices you can implement to lessen the risk of fraud.

2. Protect your online environment. It is important to protect your cyber environment just as you would your cash and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protections on your computer. Use complex passwords and change them periodically.

3. Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes, and batch limits to help protect you from fraud.

4. Pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected, immediately contact your financial institution, stop all online activity, and remove any systems that may have been compromised. Keep records of what happened.

5. Understand your responsibilities and liabilities. The account agreement with your bank will detail what commercially reasonable security measures are required in your organization. It is critical you understand and implement the security safeguards in the agreement. If you don’t, you could be liable for losses resulting from a takeover. Talk to your banker if you have any questions about your responsibilities.

You can also visit the following websites to learn more about how to protect your nonprofit organization:

• Nonprofit Accounting Basics: http://www.nonprofitaccountingbasics.org/topic/internal-controls

• U.S. Chamber of Commerce: Internet Security Essentials for Business: https://www.uschamber.com/CybersecurityEssentials

• Federal Communications Commission: Small Biz Cyber Planner: http://www.fcc.gov/cyberplanner

• Federal Communications Commission: 10 Cybersecurity Strategies for Small Business: http://www.fcc.gov/general/cybersecurity-small-business

• Better Business Bureau: Data Security Made Simpler: http://www.bbb.org/data-security