A guide to safe electronic payments for non-governmental organisations (NGOs)
BE AWARE OF THE RISKS
WHAT IS PAYMENT FRAUD?
Payment fraud involves the use of false information to misappropriate funds through a payment process. This guide specifically deals with payment fraud in relation to electronic funds transfer (EFT).
WHO COMMITS PAYMENT FRAUD?
It can be committed by external parties (“external fraud”) and/or employees (“internal fraud”).
External parties are often based outside South Africa, making the recovery of funds very difficult.
External parties can also make use of internal parties to facilitate fraud.
WHAT MOTIVATES PEOPLE TO COMMIT FRAUD?
Greed is not the only factor that motivates people to commit fraud. It is important to be conscious of other factors, such as:
Financial distress;
Opportunistic behaviour, especially where financial controls are weak; and
Disgruntled employees.
WHY SHOULD I BE CONCERNED?
EFT or payment fraud is growing exponentially in South Africa, yet prosecution rates for commercial crimes are low. For NGOs, a single fraud incident can lead to the demise of an organisation as they risk losing the confidence of funders.
The NGO sector is being specifically targeted by fraudsters due to the following factors:
A perception that NGOs have less sophisticated and weaker financial controls than the corporate sector;
A perception that NGO staff have weak accounting and financial skills;
Finance and administration staff tend to manage procurement and payments;
There is strong reliance on trusted individuals with poor, or non-existent, segregation of duties; and
Small organisations tend to have limited capacity for segregating tasks.
TIP
The segregation of duties is the separation of tasks so that one person is not in control of an entire process. Segregating duties reduces the risk of errors and fraud.
FRAUDULENT PRACTICES
TYPES OF EXTERNAL EFT FRAUD
There are three principal types of external fraud:
Business Email Compromise (“BEC”) Fraud
Payment Diversion
Invoice Fraud
BUSINESS EMAIL COMPROMISE (“BEC”) FRAUD
This scam targets entities that use email exchanges to facilitate payments. The fraudster would typically use a fictitious email to send a payment request or they would hack into a staff member’s email account.
There are two variations of this type of fraud:
EMAIL SPOOFING – subtle modifications to a genuine email address to make it appear as if it came from a valid sender. For example: financemanager@dmgt.co.za instead of financemanager@dgmt.co.za. In this case the organisation’s email is not compromised.1
COMPROMISED EMAIL ACCOUNT – this involves hacking into an email account of a staff member responsible for requesting payments and sending payment requests from that address.2
HOW ARE EMAIL ACCOUNTS COMPROMISED?
Email accounts are typically compromised through social engineering tactics or the use of malware. Social engineering and malware can also be used to obtain direct access to an organisation’s bank account.
It is important to note that payment diversion and invoice fraud can still take place without any email or systems compromise.
SOCIAL ENGINEERING
This involves gaining a person’s trust and using it to get them to disclose confidential information, for example email or online banking login details. This can be done via the phone (“Vishing”), email (“Phishing”) or SMS (“Smishing”).
VISHING
Vishing is where a fraudster contacts an organisation via telephone pretending to be a donor, regular supplier or employee. They will often say that the matter is urgent to put pressure on someone to reveal the information they are looking for.3
PHISHING
Phishing involves a fraudster sending emails to employees with links to certain websites. Once a person clicks on the link, they are asked to enter confidential information such as account login details. The fraudster is then able to use this information to access their victim’s legitimate account(s). Fraudsters deliberately use threats, time pressure and perceived incentives (e.g. a fake competition) to motivate employees to follow the links and enter their details.4
SMISHING
Smishing involves mobile phone messages sent by fraudsters that appear to have come from a bank or mobile network operator, aimed at getting someone to disclose confidential information. Messages purporting to be from the Post Office or a courier company are also commonly used. As in the case of phishing, this is ordinarily done by asking someone to click on a link. There can also be a request to call a particular number. Text messages may claim that your bank suspects that there has been fraudulent activity on your account or that you have not met your tax obligations. Once again, creating a sense of urgency is a common tactic used by fraudsters.
MALWARE
Malware is malicious software created to damage or destroy an organisation’s systems and/or data. Malware can be used to track website visits, delete data or expose passwords. Malware is usually sent via fraudulent links embedded in emails or texts.5
PAYMENT DIVERSION
A fraudster contacts an organisation and convinces them to change the bank account details for a particular beneficiary. This commonly involves a fraudster pretending to be from a genuine supplier and saying that their banking details have recently changed.6
INVOICE FRAUD
Fictitious invoices are created and submitted for payment. In the case of external perpetrators, this would typically be used in conjunction with Business Email Compromise Fraud. In the case of internal perpetrators, the fraud could be as simple as amending the banking details reflected on a genuine invoice. For this reason, the banking information reflected on an invoice should not be considered proof of banking details.
GUARDING AGAINST INTERNAL FRAUD
Internal fraud is typically perpetrated through invoice fraud, but can also be perpetrated through systems compromise and, if controls are weak, without any fake supporting documentation.
WHAT CONTROLS CAN I IMPLEMENT TO AVOID EFT FRAUD?
There is no “one size fits all” approach to designing internal controls. The size of an organisation and its budgets are important considerations. As such, the controls listed in this section may not be appropriate for all organisations.
IT GENERAL CONTROLS
IT General Controls (ITGC) are important to secure an organisation’s IT environment and to reduce the risk of BEC and/or systems compromise. Key ITGCs in the context of EFT fraud are as follows:
Use an email security solution such as Mimecast;7
Promote cyber-crime awareness among all IT users through training and regular updates;
Make use of free training modules provided by companies, such as ESET;8
Require complex passwords and regular changes;
Use two-factor authentication wherever possible; and
Ensure regular and secure back-up of data.
PREVENTATIVE VERSUS DETECTIVE CONTROLS
Controls can be divided into preventative and detective controls. Preventative controls are aimed at preventing fraud from occurring in the first place whereas detective controls are aimed at detecting fraud and limiting its extent.
PREVENTATIVE CONTROLS
In this section, we list key preventative controls available to organisations.
AUTHORISATION OF PAYMENTS
When discussing EFT controls, it is important to distinguish between the authorisation of payments (before loading them on your organisation’s banking system) and the release of payments (after loading them on the banking system) as these should be treated as two separate and distinct processes.
Authorisation refers to the approval of a payment by a delegated official, whereas the release relates to the actual release of the EFT on an online banking system.
Staff should be assigned rights (delegated authority) to authorise or approve payments. All payment submissions must be accompanied by evidence of authorisation or approval by the delegated staff member. Such permission should be delegated to staff members with sufficient knowledge of the programme and/or expenditure to know whether it is valid.
VETTING OF STAFF INVOLVED IN THE PAYMENTS PROCESS
Consideration should be given to detailed vetting of staff by conducting criminal and credit checks, particularly for those involved in the payment process and with access to an online banking system. This should be done prior to employment and on an annual basis in case an employee’s circumstances change.
Finance staff should also be required to take at least two weeks’ uninterrupted leave per annum so that it is harder for them to conceal active and ongoing fraud.
ONCE-OFF PAYMENTS VERSUS BENEFICIARY PAYMENTS
Once-off payments require adding a banking beneficiary each time a payment is made. The details are not saved in the system, which increases the risk of bypassing the standard documentation required for loading beneficiaries.
In contrast, beneficiary payments involve saving a supplier's banking details in the online banking system to facilitate repeat payments. A formal process, including standard documentation, must be followed to set up a beneficiary.
Because of their lower risk, beneficiary payments are preferred. However, it is acknowledged that some once-off payments may be necessary.
PROOF OF SUPPLIER AND BANKING DETAILS
Before a beneficiary is loaded (or a once-off payment made) it is important to verify both the existence of the beneficiary and the validity of their banking details.
BENEFICIARY EXISTENCE
This depends on the nature of an organisation:
ORGANISATION TYPE | PROOF OF EXISTENCE
Trust | Master’s Certificate
Non-profit Company (NPC) | CIPC Proof of Registration
Profit Company [(Pty) Ltd] | CIPC Proof of Registration
Voluntary Association | Minutes of meeting reflecting incorporation
Individual/Sole Proprietor | Identification Document
BANKING DETAILS
Suppliers should be requested to provide a bank confirmation letter which is less than three months old. For an additional fee, some banks’ online platforms (such as FNB) allow for a supplier’s details to be verified. Consideration should be given to making use of such services.
Consideration should also be given to contacting suppliers telephonically to verify their banking details, particularly for larger suppliers or payments. Contact details should be obtained directly rather than from email signatures as these could also be manipulated as part of a fraudulent scheme.
SEGREGATION OF DUTIES
A minimum of two employees (but ideally three) should be involved in all transactions on an entity’s online banking system. This includes, but is not limited to:
Loading and releasing beneficiaries;
Loading and releasing payments; and
Changing online banking profiles and user rights.
RELEASING OF PAYMENTS
All payments should be released by two employees. Before releasing payments, they should check the details of a payment loaded on the entity’s online banking system against the supplier’s supporting documentation to ensure the following:
The payment is authorised by the delegated party;
Banking details are verified against documented proof;
There is a valid supporting document in place (such as an invoice); and
There is a contractual commitment in certain cases to make the payment (e.g. signed contract, signed delivery note etc.).
DETECTIVE CONTROLS
Detective controls involve independent reviews of accounts and reconciliations, random reviews and spot checks. There should be segregation of duties between the preparation and review of financial information. In all cases, there should be documentary evidence that the control was applied. Once a fraud has been perpetrated it is very difficult to recover the lost funds. Even if there is a successful prosecution, the funds have usually already been spent. As such, preventative controls are far more important than detective controls.
Important detective controls include:
Reconciliation and review of accounts;
The ageing of supplier balances (i.e. monitoring how long accounts have been outstanding);
Regularly reviewing bank accounts for unusual transactions;
Conducting independent reviews of journals passed in the accounting system;
Segregating duties between staff responsible for preparing and staff responsible for posting journal entries (journal entries refer to the systematic recording of financial transactions in chronological order, and are typically made in a company's general ledger); and
Monitoring of budgeted versus actual expenditure and investigating unusual variances.
OTHER THINGS TO CONSIDER
TIP
Spotting unusual transactions can be done by sorting bank accounts in the following ways:
VALUE – this will highlight duplicate transactions or multiple transactions of the same amount.
ALPHABETICALLY – this will highlight multiple payments to the same supplier as well as potentially fictitious suppliers.
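The two sorts in the tip above can be run over a bank statement export instead of being done by hand. The Python below is an added example, not part of the original guide; the CSV column names and the sample rows are constructed. It goes one step beyond the tip by also listing beneficiaries paid into more than one account number, which is the pattern payment diversion leaves behind.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample export; column names are assumptions, not a real bank's format.
SAMPLE_EXPORT = """date,beneficiary,account,amount
2024-03-01,Bright Stationers,1000000001,4500.00
2024-03-04,Khanya Transport,1000000002,12000.00
2024-03-04,bright  stationers,1000000001,4500.00
2024-03-11,Khanya Transport,1000000009,12000.00
2024-03-15,Ubuntu Catering,1000000003,3250.50
"""


def load_payments(text: str) -> list[dict]:
    """Parse the export, normalising amounts and beneficiary spelling."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
        row["beneficiary"] = " ".join(row["beneficiary"].split()).title()
    return rows


def repeated_amounts(rows):
    """Sort by VALUE: amounts that occur more than once, largest first."""
    by_amount = defaultdict(list)
    for row in rows:
        by_amount[row["amount"]].append(row)
    return {amt: hits for amt, hits in sorted(by_amount.items(), reverse=True)
            if len(hits) > 1}


def payments_by_beneficiary(rows):
    """Sort ALPHABETICALLY: payment count and distinct accounts per beneficiary."""
    grouped = defaultdict(lambda: {"count": 0, "accounts": set()})
    for row in rows:
        grouped[row["beneficiary"]]["count"] += 1
        grouped[row["beneficiary"]]["accounts"].add(row["account"])
    return dict(sorted(grouped.items()))


def changed_accounts(rows):
    """Beneficiaries paid into more than one account: check against documented proof."""
    return [name for name, info in payments_by_beneficiary(rows).items()
            if len(info["accounts"]) > 1]
```

Every hit is a prompt for someone independent of the payment process to look at the supporting documents, not proof of fraud in itself.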
Audits are not designed to detect fraud and should not be considered a reliable method for preventing fraud. Transactions that involve transferring economic benefits from an organisation are particularly susceptible to fraud.
While electronic funds transfers (EFTs) are the most common payment method, other types of payments also require careful oversight:
Payroll – requires very specific controls.
Staff claims – should be limited to reimbursements for travel expenses. Staff should not pay for organisation-related costs out of their own accounts, except under very specific and limited circumstances.
Petty cash – should be used only for small expenditures, such as office supplies and parking.
Credit cards – should be issued only when absolutely necessary and must be reconciled monthly by an independent staff member. This reconciliation should include verification of supporting supplier invoices.
OTHER RESOURCES
Matthiessen, O., et al. May 2022. A corporate’s guide to payment fraud prevention. Deutsche Bank
Accessed here: https://corporates.db.com/files/documents/publications/052022_A_corporates_guide_to_fraud_prevention.pdf
Law Society of South Africa. 2019. EFT Fraud Prevention Toolkit for Attorneys. Drafted by Edward Nathan Sonnenbergs.
Accessed here: https://www.lssa.org.za/wp-content/uploads/2019/12/EFT-Fraud-Prevention-Toolkit-lr.pdf
The DGMT Board
TRUSTEES: Mvuyo Tom (Chairperson) - John Volmink - Ameen Amod - Shirley Mabusela - Murphy Morobe - Hugo Nelson - Maria Mabetoa - Diane Radley
CHIEF EXECUTIVE OFFICER: David Harrison