Fraud in the church is a growing epidemic. Every week, it’s astounding to see five to ten Google Alerts generated by the keywords “church” and “embezzlement.”
Sadly, that sounds low. As many church administrators know, these alerts represent the ones that make the news, so the actual numbers may be higher. But it’s not unusual for cases—suspected or real—at churches to go unreported, either because they’re undetected or because the church decides to address the situation internally and not involve authorities.
The Association of Certified Fraud Examiners (ACFE) says the median loss for nonprofits was $90,000, and for religious organizations it was $75,000. For a church budget, that’s a huge loss—it means something else in the ministry won’t be possible.
Yet the threat continues to fly under the radar of most churches. It’s similar to what we saw 15 years ago with child abuse prevention. Many churches don’t want to touch the subject because leaders don’t believe it’s something that could happen within their congregation. Not only do we continue to see it happen, but the tools and tactics used to make it happen continue to expand.
Church fraud examiners commonly diagram a “three-legged stool” or “pyramid” to illustrate the three conditions that make fraud likely in a church. With the rapid growth of technological tools, that diagram is shifting from a pyramid to a rectangle.
The three ingredients of fraud, as many already know, are pressure (unforeseen expenses or high debt), rationalization (a person labels the money they take as a loan to be repaid later or they justify the theft because of pay level), and opportunity (they perceive an ability to commit fraud and not get caught). Church leaders can’t do much to control the personal financial circumstances and thinking of potential embezzlers, so there’s only so much control possible with pressure and rationalization. Opportunity, though, often is the place where churches can do the most to build the walls of protection and prevent fraud.
With the three-legged stool, the threats are low-tech in nature. In the shift from a pyramid to a rectangle, cyber threats become the fourth point of concern. One fundamental difference with this new threat is that it mostly involves outsiders, not insiders: people committed to taking money wherever they can without getting caught. As with the internal threats, church leaders must take cybercrime seriously and intentionally develop protections.
Four common types of high-tech fraud are happening in the church world:
- Electronic Funds Transfer (EFT) fraud
- Identity theft
- Computer forgery
- Data input manipulation
Let’s explore each tactic so that churches can best address their vulnerabilities.
Electronic Funds Transfer
Criminals obtain the church’s online banking credentials, typically by compromising a church computer, and use them to move money out of the church’s bank accounts.
This can happen several ways, including:
- Breaking into a website and tapping into sensitive information stored in a database.
- Intercepting critical information transferred through online loan payments and online bill pay, as well as wire transfers made overseas to missionaries.
There are ways to limit your vulnerabilities, and the good news is that many are familiar to church leaders (and relatively simple to implement):
- Keep the church’s number of bank accounts to a minimum. People often write one check that must be spread among several purposes, and it’s our job to get the money into the right account. EFT may be the easiest way to do this, but every additional account is one more place to monitor and one more transfer path in which an unauthorized movement of funds can hide.
- Keep duties segregated. You’ve got to split the chores up so that more than one person is involved with financial transactions.
- Maintain dual controls. Make certain at least two people are involved in every account, cash payment system, and cash collection. With EFT, separate the three steps: who approves the payment, who prepares it, and who releases the transfer. One person can do all three, and 98 percent of the time that person is respected and trustworthy. The other 2 percent can do real damage. Build this into the church’s IT policy, and carry the checks and balances you already apply to paper checks over to online activity.
- Reconcile accounts every day. It’s easier now than ever, thanks to the accessibility of records online and by phone. You’ve got to be on your accounts and have a good idea of what’s happening with each one on a daily basis, because the sooner an unauthorized transfer is noticed, the better the chance of recalling it.
- Use a dedicated stand-alone computer that is completely locked down for online banking. It should not be a staff member’s computer or a general workstation. It should not have email, and the only online activity should be the secure connections needed with financial institutions; general Internet browsing shouldn’t be permitted. It should not have access to other financial modules or databases. And it should be locked down with a firewall and antivirus/malware protection kept current. If you use an online data backup service, make certain the backup travels over an encrypted connection. Get background checks and references completed before you select a backup service, too.
- Limit the administrative rights on users’ workstations to prevent the inadvertent downloading of malware.
- Regularly change passwords. IT professionals suggest these be 20 characters, which is quite long. At the very least, require staff to change passwords regularly and to use a mix of upper- and lower-case letters and numbers. Ask your IT department to lock an account after three failed password attempts. And wherever the bank offers multi-factor authentication (a one-time code or hardware token in addition to the password) for online banking, turn it on: a stolen password alone is then not enough to move money.
- Never email sensitive files. Use secure connections for all file transfers.
Identity Theft
Identity theft usually involves the exploitation of a member database (names, addresses, Social Security Numbers, bank account information—things worth millions to others).
Most often, the exploitation begins when malware is activated by someone who inadvertently opens an infected file or hyperlink in an email or visits a malicious website.
This can happen a variety of ways:
- Carelessly handling email. Antivirus programs, as well as email scanners (such as Postini), can combat this by quarantining questionable files.
- Browsing the wrong websites.
- Letting people use personal USB (external storage) drives.
- Letting antivirus protection lapse. Make certain your antivirus and firewall protections are updated. Well-respected antivirus providers include Norton, McAfee, Trend, and VIPRE. Well-respected firewall providers include Cisco, CheckPoint, SonicWall, Fortinet, and WatchGuard.
The following measures reduce the exposure:
- Every six months or so, hire a respected group to perform a penetration test and see how easily it can get into your system. This reveals gaps that can be fixed.
- Develop a clear IT policy with processes that are easily repeated and documented. Educate the church staff about the danger of unfamiliar emails, pop-ups, downloads, and the browsing of questionable websites.
- Establish clear and organized systems, which make nefarious activity harder to hide.
Lastly, with identity theft, remember that the threat extends beyond the virtual and into the physical. Maintain property security by keeping things locked up. This includes the server, which should be locked in a secured area with access limited only to those who need to know.
Computer Forgery
Computer forgery is a hybrid of high- and low-tech tactics. One prime example is the dummying and forging of checks: a copy of a genuine check is enough to produce a forged one. The concept isn’t new, just the methods.
The fraud usually happens in the outflow of funds, not the inflow. Fraudsters like big numbers to hide in the weeds, so a primary target often is payroll.
A copy of a real check is all that is needed. Once that is in hand, all it takes is a laser printer to create a check. In one actual case, a counterfeit check ring affected a church because one of the church’s checks was taken and given to the ring. Counterfeit checks were subsequently cashed at financial institutions and businesses. The church could have caught this far sooner if it had done the following:
- Segregated duties (as noted above).
- Reconciled accounts daily (as noted above) and again monthly. With the latter, it involves knowing and reviewing daily transactions, then going back once a month to look at cancelled checks (both fronts and backs) to review the vendors to make sure you do business with them and to study the endorsements to make sure they look normal.
- Kept its check stock secure. This includes keeping blank checks under lock and key (not in the supply room with tablets, pencils, and printer ink) and using checks with embedded safety measures, such as watermarks and microprinting on the signature lines (readable only with a magnifying glass). Talk with your financial institution about adding these.
- Established “positive pay.” This involves providing your bank with a list of the checks, disbursements, and transfers you have issued or scheduled for the week ahead (check number, payee, and amount). The bank matches each item presented against that list and holds anything that doesn’t match (an unknown check number, a different amount, or a different payee) for you to approve or return, so someone attempting to pass a forged church check won’t succeed. This requires more planning ahead, and your bank may charge service fees, but this is probably where we need to go on all of our transactions.
Data Input Manipulation
This is the most common computer crime in the church world. It takes the least expertise and technical knowledge—it’s using high-tech tools to commit low-tech fraud.
For instance, a church financial secretary was charged with embezzling more than $250,000. She had access to all modules of her church’s information system and covered her tracks by doctoring vendor information, payroll records, and charitable contribution substantiation reports.
The common trait of this crime is someone’s ability to go into modules and alter data after a transaction takes place. In the secretary’s case, she would write a check to pay personal bills and credit card purchases, intercept the check, and then change the vendor recorded in the cash disbursements journal so the entry looked like a legitimate payment. Because the edited journal was the only record anyone reviewed, no one could tell what was happening.
The church could have prevented this if it had done the following:
- Segregated duties (as noted above).
- Maintained close oversight of bill payments and overall oversight of the church’s financial activity using a team of staff and volunteers, accountants, lawyers and bankers.
- Limited access to financial modules (revenue and expenses), and turned on the accounting system’s audit trail so that any change to a posted transaction is recorded with who made it and when, and is reviewed by someone else.
- Adopted a well-defined bill approval process (“positive pay,” by the way, forces this to happen).
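The reconciliation and positive-pay controls described under computer forgery, and the post-transaction alteration in the financial secretary’s case above, both come down to comparing records that a fraudster cannot control against the one record they can. The following script is an added example, not part of the original article and not any bank’s or accounting package’s own code. It models the church’s disbursements journal, the bank’s list of cleared items, and the accounting system’s audit trail as plain Python records; all check numbers, payees, amounts, dates and user names are constructed for illustration. It produces the exception list a positive-pay service would produce (unknown check numbers, amount or payee mismatches, and a copied check presented twice) and flags any payee or amount edit made after a check was cut.

```python
# Added example (not from the original article): a positive-pay style
# exception report plus an audit-trail check for post-issuance edits.
# All records below are constructed sample data.
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class RegisterEntry:
    """A disbursement as it currently appears in the church's journal."""
    number: int
    payee: str
    amount: Decimal
    issued: date


@dataclass(frozen=True)
class ClearedItem:
    """A check the bank reports as paid, with payee/amount as presented."""
    number: int
    payee: str
    amount: Decimal
    cleared: date


@dataclass(frozen=True)
class JournalEdit:
    """One row of the accounting system's audit trail (hypothetical format)."""
    number: int
    field: str
    old: str
    new: str
    user: str
    when: date


def positive_pay_exceptions(register, cleared):
    """Match bank-paid items against the register the way positive pay does.
    Returns (check number, reason) pairs for a second person to review."""
    by_number = {r.number: r for r in register}
    presented = Counter(c.number for c in cleared)
    # A photocopied genuine check carries the real number, so it shows up
    # as the same number clearing twice.
    exceptions = [(n, "duplicate presentment")
                  for n, k in sorted(presented.items()) if k > 1]
    for c in cleared:
        entry = by_number.get(c.number)
        if entry is None:
            exceptions.append((c.number, "not issued"))        # forged/counterfeit
        elif c.amount != entry.amount:
            exceptions.append((c.number, "amount mismatch"))   # altered amount
        elif c.payee != entry.payee:
            exceptions.append((c.number, "payee mismatch"))    # journal says one vendor, bank paid another
    return exceptions


def post_issuance_edits(register, edits, fields=("payee", "amount")):
    """Flag audit-trail rows that change payee or amount AFTER the check was
    cut. Corrections made before printing are normal; later changes are the
    pattern from the financial secretary's case."""
    issued_on = {r.number: r.issued for r in register}
    return [e for e in edits
            if e.field in fields
            and e.number in issued_on
            and e.when > issued_on[e.number]]


# Constructed sample data ------------------------------------------------
REGISTER = [
    RegisterEntry(1001, "Acme Roofing", Decimal("2450.00"), date(2024, 3, 4)),
    RegisterEntry(1002, "Mission Aviation Fund", Decimal("1200.00"), date(2024, 3, 4)),
    RegisterEntry(1003, "City Utilities", Decimal("318.45"), date(2024, 3, 5)),
    RegisterEntry(1005, "Bright Lights Electrical", Decimal("1880.00"), date(2024, 3, 6)),
    RegisterEntry(1006, "Office Supply Co", Decimal("145.00"), date(2024, 3, 6)),
]
CLEARED = [
    ClearedItem(1001, "Acme Roofing", Decimal("2450.00"), date(2024, 3, 8)),
    ClearedItem(1001, "Acme Roofing", Decimal("2450.00"), date(2024, 3, 11)),  # copy cashed again
    ClearedItem(1002, "Mission Aviation Fund", Decimal("1200.00"), date(2024, 3, 9)),
    ClearedItem(1003, "City Utilities", Decimal("318.45"), date(2024, 3, 10)),
    ClearedItem(1004, "Cash", Decimal("975.00"), date(2024, 3, 10)),            # never issued
    ClearedItem(1005, "Card Services Inc.", Decimal("1880.00"), date(2024, 3, 11)),  # real payee
    ClearedItem(1006, "Office Supply Co", Decimal("1145.00"), date(2024, 3, 12)),    # altered amount
]
EDITS = [
    JournalEdit(1003, "amount", "318.54", "318.45", "bookkeeper", date(2024, 3, 4)),  # fixed before printing
    JournalEdit(1005, "payee", "Card Services Inc.", "Bright Lights Electrical",
                "fsecretary", date(2024, 3, 7)),                                      # changed after the check was cut
]


def run_report(register=REGISTER, cleared=CLEARED, edits=EDITS):
    """Return both exception lists so a reviewer (or a test) can act on them."""
    return {"positive_pay": positive_pay_exceptions(register, cleared),
            "post_issuance_edits": post_issuance_edits(register, edits)}


if __name__ == "__main__":
    report = run_report()
    for number, reason in report["positive_pay"]:
        print(f"check {number}: {reason}")
    for e in report["post_issuance_edits"]:
        print(f"check {e.number}: {e.field} changed by {e.user} on {e.when} "
              f"({e.old!r} -> {e.new!r})")
```

Two design points matter in practice. The comparison is only meaningful if the cleared-items list comes straight from the bank (its positive-pay exception report or a downloaded statement), never from a file the bookkeeper can edit, and if the person who reads the exception list is not the person who prepares checks. And amounts are kept as Decimal rather than floating point so that a one-cent difference is a mismatch rather than rounding noise.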
Six Vital Steps
Policies and procedures are so vital to prevention. Beyond the recommendations above, keep the following six steps in mind to help prevent fraud from occurring at your church:
- Conduct independent, extensive reviews of bank account reconciliations, performed by someone who does not prepare the reconciliation. This is the single most effective way to catch fraudulent activity early.
- Use a formal vendor application process to clear conflicts of interest and avoid disreputable businesses for ongoing business activity. For one-time deals (such as short-term missions trips), set up processes with good records keeping and documentation requirements.
- Maintain regular communication with vendors. This helps verify whether abnormal activity is legitimate.
- Perform periodic payroll audits.
- Conduct occasional confirmations of charitable contributions. This can be sensitive, since it involves approaching donors to verify a gift and its amount. If you need a reason that helps manage such sensitivities, use your auditing firm, since it will reinforce the ongoing efforts to track and monitor activity.
- Make exhaustive reviews of budget reports. Look at the budget and do the following:
- A budget-to-actual analysis
- On a test basis, a comparison of general ledger detail to budget line items
- An independent review of journal entries
- A periodic review of cash disbursement activity
The bottom line: Make sure expenses in each account are legitimate.
A Final Word
One of the best things any church can do is to cultivate a culture of openness and transparency. All of the tools, strategies, and policies require the efforts of committed individuals who are willing to watch for suspicious activity—and willing to be watched. One way to reinforce this even further is to create a way for people to anonymously submit tips about possible fraudulent activity. In the corporate world, tips are the number one way fraud is detected. When people know others are watching, and processes are in place to catch unusual activity—or tip off someone about it—the likelihood of it ever happening diminishes.
And finally, churches must come to the realization that fraud prevention does not come easily. It requires work. Every church must understand that faceless thieves are working hard to steal its money, so churches must work just as hard to keep them from it. The key ingredient is to stay abreast of the constantly evolving fraud techniques used in our technology-driven culture.