News story

Alert for charities – be aware of insider fraud threats

This alert provides information and advice to charity trustees, employees and volunteers to help them avoid falling victim to insider fraud.

Insider fraud and cyber-attacks

Insider fraud is committed by someone involved within your charity, whether a trustee, an employee or volunteer. The National Fraud Intelligence Bureau (NFIB) has released a national alert highlighting the insider threat from fraudsters and cyber criminals.

Their alert identifies that over 50% of organisations have suffered an insider threat attack in the previous year and that 90% of businesses feel vulnerable to a cyber-attack from within their own organisation. Charities are as vulnerable to insider threats as the private or public sector.

NFIB highlight that insider fraud poses a greater threat than external fraud due to differing access levels to proprietary data and knowledge of an organisation’s inner workings.

NFIB warn that insiders with access to confidential data can utilise basic operating system functions to steal data from organisational systems. Incidents sometimes go undetected due to lack of proper auditing or data control measures.

Charity Commission research about insider fraud found these crimes were enabled because of:

  • poor challenge and oversight
  • no internal controls or, where controls did exist, not applying them consistently
  • too much trust and responsibility placed in one person

You can read our guidance to help you protect your charity from fraud. This includes insider fraud prevention advice and information about cyber-crime.

Protection and prevention advice

  • when stored electronically, access to sensitive files should be restricted to relevant staff only. You should also consider encrypting the documents

  • monitor your employees for abuse of IT systems. Minor misdemeanours have the potential to escalate to serious frauds if they go undetected

  • have clear policies and procedures in place for dealing with fraud and ensure that all of your staff are familiar with them. Make it clear that any criminal breaches of your policies will be reported to the police and other relevant authorities

Reporting fraud

If your charity has fallen victim to insider fraud, or any other type of fraud, you should report it to Action Fraud by calling 0300 123 2040, or visiting the Action Fraud website.

Charities affected by fraud should also report it to the Charity Commission as a serious incident, using the dedicated email address rsi@charitycommission.gsi.gov.uk

Serious incident reporting helps the Commission to assess the volume and impact of incidents within charities, and to understand the risks facing the sector as a whole. Where appropriate, the Charity Commission can also provide timely advice and guidance.

Notes

The Charity Commission, the independent regulator of charities in England and Wales, is issuing this alert to charities as regulatory advice under section 15(2) of the Charities Act 2011.

Published 16 August 2018