
9 Nonprofit Fraud Prevention Tips to Protect Your Organization and Donors

Published August 8, 2024 Reading Time: 5 minutes

This blog was written in collaboration with Alex Wardle, Risk Manager at GoFundMe.

The average data breach costs $4.45 million, including lost business, detection and containment efforts, and responses. For nonprofit organizations, a data breach can damage their reputation, reduce donor trust, or expose vulnerable beneficiaries’ personal information. In an ever-changing fundraising landscape, having an internal fraud prevention strategy is paramount to future success. 

First, your nonprofit donor management software needs to be secure. Investing in a platform like Classy proactively and automatically addresses multiple fraud concerns through baked-in prevention tools that keep your data safe. With this in place, you can take additional measures with your team to prevent fraud.

Below, we highlight nine essential internal controls, practical fraud prevention tips, and strategic measures you can take to set up a robust fraud prevention strategy.

Create a culture around nonprofit fraud prevention

To prevent fraud, your staff, board members, and other stakeholders must be committed to the cause. These steps will weave fraud prevention into your organizational culture.

1. Educate staff

The most common initial fraud scheme involves stolen or compromised credentials. This often occurs through phishing, where bad actors pretend to be an organization or a different person to gain personal information, such as usernames, passwords, or financial information. To prevent this, train staff members and volunteers regularly to recognize and report potential fraudulent activity and phishing scams.

Include examples of what phishing behavior can look like, such as:

  • Emails or text messages urging immediate action on an unfamiliar link
  • Emails or text messages redirecting users to a spoofed Classy website
  • Bad actors posing as beneficiaries, donors, or organizations
  • Angel donors proposing offers that sound too good to be true

Also, highlight the specific steps employees can take to help prevent fraud, such as:

  • Check the domains of incoming emails. Communications from bad actors will likely come from an unfamiliar or suspicious sender.
  • Sign in to accounts via official websites only. Look for the lock icon in your browser’s URL bar, which shows that the connection to the site is encrypted (it does not by itself confirm that the site is the official one).
  • Refrain from sharing sensitive information online and via email. Be mindful of posting data publicly or on social media and always use approved file-sharing methods.

Fraud prevention training is best repeated annually. Courses that combine video-based learning with interactive steps are an effective format.

2. Implement anti-phishing measures

To reduce phishing-related fraud, employ anti-phishing measures among staff in addition to education. First, use email-filtering tools to block phishing attempts outright. Some email service providers (ESPs) have filtering tools that automatically send suspicious messages to a spam folder. You can check the current filtering rules in your email settings and add rules to filter specific domains or repeat spam senders.

Share any suspicious messages you receive with your security team and fundraising platform. If your organization uses Classy, you can contact our team directly via phone or email. 

If you do click a suspicious link or engage with an unfamiliar request, change your passwords on all accounts immediately, including your account with your ESP.

3. See something, say something

Preventing fraud cases and minimizing the damage of potential leaks relies on a culture where staff feel encouraged to speak up. Alert staff that if they suspect something fraudulent has occurred, your organization will protect them as a whistleblower.

Segregation of duties also helps ensure multiple eyes are on different processes within your operation to identify suspected fraud. If you suspect fraud when reviewing financial statements or other data systems within your organization, contact the appropriate law enforcement personnel and report any unusual activity to your fundraising platform for immediate review.

Establish internal controls for preventing nonprofit fraud

Internal controls help prevent fraud by blocking bad actors’ attempts from the start and identifying suspicious activity quickly. These steps help you maintain good fraud prevention hygiene.

1. Conduct monitoring and audits 

Nonprofit teams are often busy with multiple tasks. Scheduling internal audits ensures you dedicate time to reviewing bank statements, potential conflicts of interest, and other financial reporting to detect fraud early.

Conduct internal and external audits at a regular cadence—whether monthly, quarterly, or annually—to review financial records and transaction activity. Look for gaps and abnormal patterns indicative of fraudulent activities, such as unusual donation amounts or unrecognized donors.

2. Review access controls 

To keep financial and sensitive information secure, limit access to authorized personnel only. Fundraising platforms like Classy allow nonprofits to establish role-based access controls. For example, an organization administrator can access financial information for donors, but a front desk staff member can only edit campaign designs.

Additionally, have protocols in place to never share or reuse passwords, even within your organization. Create secure passwords that contain a combination of letters, symbols, and numbers. To make this process easier for staff, leverage single sign-on (SSO), which allows users to access multiple approved applications with one set of credentials. 

Classy’s federated SSO allows admins to sign in to Classy and manage their passwords through their existing identity provider for added ease and security.

3. Leverage a secure fundraising platform

Fraud detection is easier when you have a secure fundraising platform doing some of the work. Classy’s dedicated Security team focuses on protecting your organization, supporters, and donor data. Independent auditors have evaluated our systems, and we’ve passed the highest security protocols.

Enterprise-level protection secures our supporter experiences, promoting trust and safety among donors. Using tokenization, encryption, and key management, Classy never stores credit card information and always protects other sensitive data. Additionally, our Intelligent Fraud Protection service uses behavior-based models and machine learning to reduce fraudulent transactions before they happen, lowering chargeback fees.

Classy also encourages organizations to enable multifactor authentication (MFA). In the coming year, all customers must sign in via the Okta Verify authenticator app or text message for an extra layer of identity verification. 

MFA requires multiple forms of verification before granting access to information, making it much harder for cyberattackers to breach accounts and gain access to sensitive data. Even if one factor (like a password) gets compromised, additional factors—such as a text message or an authenticator app—provide extra security. The factors in MFA typically include attributes associated with your identity, such as:

  • Something you know (like a password or PIN)
  • Something you have (a device, like a smartphone)
  • Something you are (biometrics, like fingerprints or facial recognition)

Implement a nonprofit fraud prevention strategy

Once you’ve established your nonprofit’s fraud prevention culture, use internal controls to guide an ongoing fraud prevention strategy. These steps ensure fraud prevention remains a priority and that your strategies evolve.  

1. Complete a risk assessment

Your nonprofit’s mission, size, types of donations, internal infrastructure, and other characteristics will impact your fraud assessment and prevention strategies. 

For example, a large nonprofit that serves a national or international audience may not be surprised by receiving a $500,000 donation, whereas this should be a red flag for a more grassroots organization. Additionally, bad actors may pretend to be beneficiaries of your cause to gain access to information or take advantage of your charitable gifts. 

Know your target audience and typical donor profile and establish a means for verifying and vetting those who engage with your nonprofit and services.

2. Commit to continuous improvement

Avenues for fraud are constantly evolving. Nonprofit board members, staff, and volunteers must maintain fraud awareness as situations and environments change. Review and update your strategies and controls regularly to adapt to new threats. Implementing yearly training and refresher courses for your teams also keeps fraud prevention top of mind.

3. Have an incident response plan

Even when organizations prepare the best they can for fraud prevention, incidents can still happen. If they do, you’ll want to have a clear plan in place to respond. Work with your board of directors to establish steps to:

  • Contain the incident
  • Notify affected parties
  • Report the incident to relevant authorities

Detail any specific steps to take based on the type of fraud incident, such as financial transactions or data breaches involving donors’ personal information. Your recovery is critical to salvaging donor trust and rebuilding your preexisting networks.

Protect your nonprofit’s reputation and finances through proactive fraud prevention 

Supporters and donors are key stakeholders in your nonprofit’s data security strategy. Safeguarding your organization against fraud risks protects financial assets and preserves its integrity and reputation. 

A technology stack to protect your nonprofit and its loyal donors is nonnegotiable. That’s why Classy includes best-in-class solutions to ensure your organization’s protection on all fronts—without extra effort on your end. 

Our Intelligent Fraud Protection solution monitors for suspicious behavior continuously, streamlining the donation experience without requiring donor prompts. Additionally, MFA serves as the first line of defense against unauthorized access, safeguarding sensitive customer and supporter data.

For more on Classy’s fraud prevention measures, explore our security and scalability principles.

Copy Editor: Ayanna Julien
