If somebody builds it, somebody else will find a way to break it. That seems to be the pattern, anyway. It’s something we expect and have even learned to apologize away when it comes to organizations with a profit motive. But what about nonprofit organizations? Just how fraudulent — or vulnerable to fraud — could they be?
The answer, unfortunately, is “more than you’d probably expect.”
Why Are Nonprofits More Vulnerable to Fraud?
There are several reasons why nonprofits are especially vulnerable to fraud compared with the for-profit sector. These include a lack of resources, poor internal controls, inadequate training, high turnover with low employee investment, poor technological resources and other factors.
The logic here is similar to what you may have heard about data breaches in the business community. While large companies may have greater wealth and more assets “worth stealing,” small businesses are more tempting targets for hackers and fraudsters because they have fewer resources with which to protect themselves.
Likewise, nonprofits tend to operate with skeleton crews and shoestring budgets. They’re less likely to have the means and know-how to protect themselves than larger, profit-driven enterprises. Their limited operating budgets are much more likely to be earmarked for core personnel and publicity than for cybersecurity.
This isn’t a hypothetical problem. In 2016, the Association of Certified Fraud Examiners published research indicating that, among the organizations it studied that fell victim to fraud, more than 10% were nonprofit organizations and 18.7% were governmental agencies. Average losses were $100,000 and $109,000 per incident, respectively.
If you helm or are involved with a nonprofit, you probably appreciate how much you’re expected to accomplish and how few resources you’re expected to do it with. Employees within organizations like these tend to wear many hats at once. But anti-fraud and cybersecurity experts and procedures don’t just materialize. You have to choose to make this a priority.
Which Types of Fraud Are Nonprofits Vulnerable to?
Cybersecurity is just one aspect of the fraud problem among nonprofits. Vendor fraud is another. So is internal malfeasance by in-house employees, including fraudulent financial statements, embezzlement and misappropriation of assets. “Cash skimming” is one of the likeliest forms of fraud in the nonprofit sector, since “misplacing” cash is all too easy to do.
Employee turnover is a big part of the problem. According to the “2015 Nonprofit Employment Practices Survey,” turnover among nonprofit entities rose from 16% to 19%.
It’s unfortunate but understandable — the pay is lower and the workload is frequently more grueling than in the for-profit sector. The difficulty of retaining talent, and especially talent related to cybersecurity and combating fraud, is very real. It’s hard to build a vigilant, invested and committed team when employees see these organizations as temporary posts on the way to something “better.”
Nonprofits often don’t have the resources to invest in personal and professional development programs. That means employees may not be as vigilant as they should be. This lack of personal investment can result directly in malfeasance, including diverted contributions, “phantom” vendors, compensation fraud and more.
In one case of vendor-related fraud, an “electrician” gathered just enough details on a recent contract to convincingly extort an “overdue” payment from a nonprofit, even before the legitimate electrician had requested payment.
What Can Nonprofits Do to Protect Themselves?
Like it or not, the first (but hardly the last) line of defense here is to practice skepticism. We all want to expect the best from people, but if we’ve learned anything today, it’s that nonprofits cannot afford to be too trusting.
In fact, nobody should take trust for granted — including low-level volunteers, and even donors themselves. In what is now a world-famous case, an organization called the Key Worldwide Foundation demonstrated that it had become rotten with corruption from the top down.
The group’s president, William Singer, pled guilty to racketeering, obstruction of justice and laundering money for rich donors. Almost everything about the organization had been twisted to meet personal ends. Its mission — to help the underprivileged pursue educational opportunities — had been all but abandoned.
This is where culture comes back into the equation. Even temporary and low-level employees must be on the lookout for malfeasance, whether or not their training mentions fraud and corruption specifically. This is simply the world we live in now. The axiom, “See something, say something,” applies here.
Here are some other actions your nonprofit can begin taking today, in addition to doubling down on fraud prevention through nonprofit employee training and engagement:
- Hire dedicated cybersecurity personnel.
- Ensure multiple people are involved in the handling and counting of cash every time.
- Limit the amount of sensitive data the organization retains.
- Choose technology and software partners (especially payment processing technology) carefully, and vet them according to their encryption and prevention standards.
- Find accounting software that can send automated alerts when discrepancies appear. Make sure multiple senior leaders receive these alerts if and when they arise.
- Look for groups that offer cybersecurity resources to under-staffed organizations, such as the Electronic Frontier Foundation, the ACLU and the Federal Trade Commission.
It’s unfortunate that this modern world of ours forces even nonprofits to keep on their toes. These are mission-focused organizations, and the bulk of their time should be spent advancing those missions. Nevertheless, understanding the problem and learning to be more vigilant will go a long way in protecting you and keeping you focused on what you set out to accomplish in the first place.
Kayla Matthews writes about AI, the cloud and retail technology. You can also find her work on The Week, WIRED, Digital Trends, MarketingDive and Contently, or check out her personal tech blog.