Three External Fraud Threats Churches Should Address
Three common external fraud risks threatening churches today involve the use of email, check washing (using chemicals to “wash” away ink and change the name of the payee or the amount of the check, or both), and investment scams. Below, we explain how these fraud schemes work, share warning signs to watch for, and provide steps you can take to help protect your church.
Business Email Compromise Schemes
According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. These social engineering attacks typically start with a phishing email, often sent to a business administrator or someone on the financial operations team at an organization, that fraudsters use to gain unauthorized access to victims’ email accounts or systems.
From there, the fraudsters can monitor activity without detection for weeks or even months, observing financial patterns and routines. At an opportune moment before an anticipated transfer of funds, the fraudsters send a message that looks like it is from the victim to a church leader, coworker, bank, payroll processor, or another vendor, instructing them to send the payment to a different bank account — one that the fraudster controls. The message may come from the victim’s email account, if the fraudster gained access, or spoof the victim’s email address by changing it slightly (for example, [email protected] instead of [email protected]).
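A slightly altered sender address of the kind described above can be caught mechanically by comparing the sender's domain with the domains the office already deals with. The Python example below is added here and is not part of the original article; the domains, the allow-list, and the function names are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of domains the office already does business with.
TRUSTED_DOMAINS = ("gracechurch.example", "builderco.example")
# Common visual substitutions, folded to one spelling before comparing.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Canonical form in which visually similar spellings collide."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for seen, canonical in CONFUSABLES:
        text = text.replace(seen, canonical)
    return text

def edit_distance(a, b):
    """Edit distance that counts an adjacent swap as a single change."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header, max_distance=2):
    """Return (verdict, matched_trusted_domain_or_None) for a From header."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rpartition("@")[2].strip().lower()
    if domain in TRUSTED_DOMAINS:
        # Exact match only: a compromised real mailbox also lands here.
        return ("trusted-domain", domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(trusted)) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    for sample in ("AP <ap@gracechurch.example>",          # constructed samples
                   "Builder Co <billing@bui1derco.example>",
                   "pastor@gracechurhc.example",
                   "news@unrelated.example"):
        print(sample, "->", classify_sender(sample))
```

A "trusted-domain" result means only that the domain is spelled correctly. Because the message may come from a genuinely compromised account, a change to payment instructions still needs confirmation through a previously used telephone number.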
Here are some examples of BEC fraud scenarios:
- A church’s accounts payable specialist receives an email that appears to come from the construction company renovating the church’s office space. The email instructs the church to send the final payment to a different bank account.
- A church controller receives an email that looks like it is from the lead pastor, asking the controller to change the bank account for the pastor’s payroll deposits.
- A church controller’s email is compromised and used to contact the church’s bank to have a wire transfer sent out.
- A church controller’s email is compromised and used to contact the bank to have additional administrators (who are fraudulent) added to the church’s online banking platform.
When the employee complies with the request, the funds are sent to a bank account controlled by the fraudsters or a money mule (a witting or unwitting co-conspirator who agrees to receive and send funds at the fraudsters’ direction for a small fee, often a residual amount left in the account). Once the money hits the first fraudster-controlled account, it is rapidly transferred to multiple subsequent accounts, bouncing through a tangled web of accounts controlled by fraudsters and co-conspirators to launder the funds and obfuscate the true source.
The stolen money eventually lands in one or more domestic or international accounts owned by the fraudsters and is used for their benefit. It is very difficult to recover any money from the final beneficiary accounts.
Possible red flags signaling an active BEC fraud include:
- Sudden changes to payment instructions
- A sense of urgency from the individual requesting payment
- A requester who becomes easily angered or makes threats
Check-washing Schemes
Check fraud is not new, and check-washing schemes are on the rise. Fraudsters obtain legitimate checks and use chemicals to erase the ink on the checks. Once a check is “washed,” they change the payee and amount. This enables the fraudsters to deposit or, more likely, cash the check.
Investment Scams
Churches should also be alert to the risk of investment scams. This includes Ponzi schemes, which are investment scams that promise high returns with little risk.
Investment fraudsters target churches because members often regard each other with unconditional trust. Once the fraudsters gain the trust of one church member, often by providing high returns on an initial investment, the church member unwittingly recruits other victims. The fraudsters mislead investors into believing the funds are used for legitimate investments. In actuality, the victims’ funds are supporting the fraudsters’ lavish lifestyles and may be paying nominal returns to earlier investors.
Ponzi schemes eventually unravel when new investments dry up and existing investors demand their money back. While individuals are more susceptible to Ponzi schemes, church staff should remain vigilant about investment opportunities presented to the church as well.
Possible red flags of a Ponzi scheme include:
- A promise of guaranteed high returns
- Investments with little to no risk
- Investment returns that do not mirror market returns
- Unlicensed sellers
- Vague replies to inquiries about how the underlying business operates or is able to generate such high returns (e.g., “It’s proprietary and we can’t share that information”)
Some investment scams are perpetrated to launder funds from other scams, such as the BEC fraud discussed above. Never allow someone to use a church-owned or personal bank account to receive and send funds. If you do, it may make you complicit in a money laundering scheme.
Be aware, too, that the scenario may not be obvious. For example, suppose a potential donor offers to contribute $20,000 to your church and explains that it is the proceeds of a lucrative investment. To receive the donation, your church’s bank account will receive the full investment amount of $100,000 and then immediately transfer $80,000 to an account the donor specifies, keeping the remaining $20,000 donation. In reality, however, the $100,000 could be the proceeds from illegal activity, with the perpetrator planning to launder the money through your bank account to another account controlled by the perpetrator or a co-conspirator.
Steps to Take if Fraud is Suspected
If you believe your church is the victim of fraud, it is essential to act immediately. We recommend that you:
- Notify your financial institution of the fraud and ask them to contact the financial institution where the funds were sent. The faster you act, the more likely it is that a portion of the funds may be frozen and recovered.
- Consult with your attorney.
- Consider engaging a forensic accountant.
- Contact your local police department or FBI field office, or both.
For BEC and other Internet-based fraud, file a complaint online with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
How to Protect Your Church
Your church can take the following steps to help reduce your risk and protect your assets:
- Carefully examine email addresses and spelling in any correspondence you receive.
- Confirm all account changes in person, when possible, or by calling a previously used telephone number for the person purportedly making the change.
- Be careful about the information you share on social media. Seemingly harmless personal details, such as your pets’ names and the schools you attended, can provide fraudsters with enough information to guess your password or security questions.
- Never click a link in an unsolicited email or text message. Rather, open a known website or call a known number (never the one in the message) to verify whether the message is legitimate.
- Never open an attachment from someone you do not know.
- Set up multi-factor authentication whenever possible. Multi-factor authentication goes beyond usernames and passwords to provide increased security related to identity verification. It includes using an authenticator application or pushing a code to the user’s known phone number or email address.
- Be especially vigilant when pressed with urgency. When the pressure to act intensifies, remain calm and inspect every detail closely. Don’t be afraid to ask a supervisor or your executive pastor for their opinion of a scenario before acting.
- Utilize positive pay for all outgoing Automated Clearing House (ACH) and check payments. Positive pay is a service offered by many financial institutions that verifies ACH payments and checks against a list of anticipated disbursements.
- Use online bill payment options and minimize the use of paper checks. Use a gel pen when you do write a check.
- Be wary of investments that seem too good to be true. Perform due diligence on potential investment companies and other salespeople who seek introductions within your congregation.
- Obtain a second opinion from a trusted advisor or friend before giving your money to investors who are not registered with the Securities and Exchange Commission (SEC).
Because the human heart has an insatiable appetite for more, fraud schemes will always exist. By being aware of the tactics fraudsters use, you will be better able to spot a fraud scheme and protect yourself and your church.
CapinCrouse offers a range of informative resources and services to help churches and other nonprofits reduce the risk of fraud and respond effectively if it occurs. Please contact us with any questions or if you would like to discuss how we can assist your church.
About the Authors
Joan O’Dowd is an accounting manager at CapinCrouse. She specializes in internal audit, fraud prevention, and forensic accounting services and has more than 12 years of professional experience in these areas. She is skilled at unraveling highly sophisticated techniques for moving funds, shielding illegal activity, and disguising entities and provides expertise in the areas of identification, examination, and analysis of financial data. Prior to joining CapinCrouse in 2023, Joan served as a forensic accountant in the FBI, where she led complex financial investigations involving corruption, healthcare fraud, money laundering, and other financial crimes. Joan is passionate about assisting her clients in implementing anti-fraud controls and seeking asset recovery for victims.
Kenneth Q. Tan serves as a partner at CapinCrouse. He has more than 15 years of public accounting and large nonprofit experience, providing both advisory and assurance services to various nonprofit entities, churches, and mission organizations. Prior to joining the firm, he managed the audits of public Fortune 100 and private multi-billion dollar companies for a Big 4 accounting firm, provided advisory and strategic planning for churches, nonprofits, and small to medium-sized businesses, and served as the controller and corporate officer for a large faith-based multi-national mission agency.