Paul Mackman: Top tips for charities when handling fraudulent cybercrime

26 Mar 2019 Voices

Earlier this year, Sudbury-based charity The Bridge Project was cheated out of thousands of pounds through an online payment scam. Chair Paul Mackman urges other charities to reevaluate how they handle online payments to avoid potential risk of fraudulent behaviour.

The Bridge Project's lunch delivery service

During lunchtime hours, The Bridge Project operates a ‘meals on wheels’ service, providing fresh food to the elderly and to those who are unable to prepare a meal.

Those with learning disabilities and mental health issues will then help prepare the meals which are then sold to those in need. The money that is made from the lunch service is then put back into the charity.

When I took over as chair, we were only delivering about 20 lunches a day, but now we are providing 1,000 lunches a month, which has created a big social impact on the local area, as a large number of welfare checks are also carried out at the same time.

It’s fantastic to be a part of not only providing those in need with fresh food, but also going into their homes to make sure that they are okay. 

But since The Bridge Project was affected by an online scam by which we thought £10,000 was paid to an external supplier last month, it has slowed down the expansion of our lunch delivery provision for the disabled, elderly and housebound.

It also has put a disadvantage on the social impact we have already created in the community. Unfortunately, the supplier’s email was hacked, and we quickly realised that the true recipient of the payment did not receive it.

The scam had happened over a period of six weeks from the end of November 2018 until mid-January 2019, but it only came to light at the start of the year, when the supplier alerted us that the payment had not been made.

Since it was brought to our attention, we immediately reported the fraud to our bank, Barclays, as well as Action Fraud, the Cybercrime Reporting Centre and the Charity Commission.

An investigation by all independent authorities and the police into the cause of the scam and the identity of the perpetrator is currently under way. At the charity we’ve all got our fingers crossed that the money will be recovered.

Since the scam, we have carried out a few fundraising activities such as our rock choir concert, which successfully raised £3,600.

Additionally, several members of The Bridge Project had also volunteered to shave their heads to raise further money, and we have also set up a Just Giving page for anyone who would like to support us as our recovery process of the missing funds is underway.

The awful, gut-wrenching feeling of losing money is never a good experience, especially when it affects a charity. In order to put a stop to this crime, charities need to re-evaluate and look at their own processes to put things in place ensuring any fraudulent activity from an unknown third party doesn’t occur.

My top tips to safeguard charities when handling cybercrime

  • New suppliers: When you appoint a new supplier, confirm account details with a small trial amount first. Once this small amount of money has been transferred, you will need to confirm by phone whether they have received this before large amounts of money are transferred. This phone number needs to come from the official source of that new supplier;
  • Check, check and check again: It is vitally important to make sure that you have the correct bank details. When it comes to online payments, banks don’t typically check or use the account name as part of the checking process. It’s easy to assume that a level of security exists;
  • Don’t be afraid to reach out to your customer base: Cybercrime has become common amongst charities, therefore if seamless conversations are created from public awareness, it’s more likely action will be taken from authorities, e.g. putting a more robust, transactional system in place when carrying out online payments;
  • Be aware of suspicious-looking links: It’s easy to think that all cyber-attacks are because of hackers breaching security systems, but very often, they are a result of an employee clicking on a malicious link. Training your staff on the dangers of opening any attachments in emails from unknown third parties that can lead to cybercrime is a crucial preventative measure that your charity can undertake;
  • Make sure you download the latest anti-virus software: Charities quite often function on tight budgets; however, it’s important to make sure that you have the latest anti-virus software which can detect any external threats and block unauthorised individuals from gaining access to your data and system;
  • Create strong passwords: By having unique passwords in place, the chances of being hacked online are limited. A strong password that consists of 8-15 characters with a combination of uppercase and lowercase letters, as well as numbers and symbols can make it a lot harder for a potential hacker to uncover and gain access into your system;
  • Data protection: Have a differentiated structure in place which separates sensitive and non-sensitive data that your charity can follow. This can limit access to sensitive data and allow only staff to access this valuable information; 
  • Receiving suspicious PDF attachments: If you receive a PDF of an invoice through an email, don’t assume that the bank details included are genuine because the PDF can be intercepted and changed by an unauthorised user along the way to you. It’s always best not to open suspicious attachments and contact the supplier who you know is expecting the money.