Wagenmaker & Oberly is pleased to share the following guest blog article, courtesy of CapinCrouse.
CapinCrouse offers nationwide full-service accounting and financial advisory services to nonprofits. The firm has served churches, higher education institutions, and other nonprofit organizations by providing support in the key areas of financial integrity and security for over 50 years. The following article provides an excellent description of increasingly present fraud threats to nonprofits. It is crucial for nonprofit leaders, employees, and volunteers to have knowledge of these threats to preemptively guard the organization. The financial impact of fraudulent schemes is often significant, if not catastrophic, so an individual’s pause before accidentally engaging with such efforts can make all the difference.
There are many internal fraud risks for nonprofits to mitigate through strong controls and oversight. However, there are also external threats for nonprofit leaders to be aware of and address.
Three common external fraud risks threatening nonprofits today involve the use of email, check washing (using chemicals to “wash” away ink and change the name of the payee or the amount of the check, or both), and investment scams. Below, we explain how these fraud schemes work, share warning signs to watch for, and provide steps you can take to help protect your organization.
Business Email Compromise Schemes
According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. These social engineering attacks typically start with a phishing email, often sent to a business administrator or someone on the financial operations team at an organization, that fraudsters use to gain unauthorized access to victims’ email accounts or systems.
From there, the fraudsters can monitor activity without detection for weeks or even months, observing financial patterns and routines. At an opportune moment before an anticipated transfer of funds, the fraudsters send a message that looks like it is from the victim to a nonprofit leader, coworker, bank, payroll processor, or another vendor, instructing them to send the payment to a different bank account — one that the fraudster controls. The message may come from the victim’s email account, if the fraudster gained access, or spoof the victim’s email address by changing it slightly (for example, billing@abconstruction.com instead of billing@abcconstruction.com).
Here are some examples of BEC fraud scenarios:
• A nonprofit’s accounts payable specialist receives an email that appears to come from the construction company renovating the organization’s office space. The email instructs the nonprofit to send the final payment to a different bank account.
• A controller receives an email that looks like it is from the executive director, asking the controller to change the bank account for their payroll deposits.
• A controller’s email is compromised and used to contact the organization’s bank to have a wire transfer sent out.
• A controller’s email is compromised and used to contact the bank to have additional administrators (who are fraudulent) added to the nonprofit’s online banking platform.
When the employee complies with the request, the funds are sent to a bank account controlled by the fraudsters or a money mule (a witting or unwitting co-conspirator who agrees to receive and send funds at the fraudsters’ direction for a small fee, often a residual amount left in the account). Once the money hits the first fraudster-controlled account, it is rapidly transferred to multiple subsequent accounts, bouncing through a tangled web of accounts controlled by fraudsters and co-conspirators to launder the funds and obfuscate the true source.
The stolen money eventually lands in one or more domestic or international accounts owned by the fraudsters and is used for their benefit. It is very difficult to recover any money from the final beneficiary accounts.
Possible red flags signaling an active BEC fraud include:
• Sudden changes to payment instructions
• A sense of urgency from the individual requesting payment
• A requester who becomes easily angered or makes threats
Check-washing Schemes
Check fraud is not new, and check-washing schemes are on the rise. Fraudsters obtain legitimate checks and use chemicals to erase the ink on the checks. Once a check is “washed,” they change the payee and amount. This enables the fraudsters to deposit or, more likely, cash the check.
Investment Scams
Nonprofits, especially churches, should also be alert to the risk of investment scams. This includes Ponzi schemes, which are investment scams that promise high returns with little risk.
Investment fraudsters target churches because members often regard each other with unconditional trust. Once the fraudsters gain the trust of one church member, often by providing high returns on an initial investment, the church member unwittingly recruits other victims. The fraudsters mislead investors into believing the funds are used for legitimate investments. In actuality, the victims’ funds are supporting the fraudsters’ lavish lifestyles and may be paying nominal returns to earlier investors.
Ponzi schemes eventually unravel when new investments dry up and existing investors demand their money back. While individuals are more susceptible to Ponzi schemes, church staff should remain vigilant about investment opportunities presented to the church as well.
Possible red flags of a Ponzi scheme include:
• A promise of guaranteed high returns
• Investments with little to no risk
• Investment returns that do not mirror market returns
• Unlicensed sellers
• Vague replies to inquiries about how the underlying business operates or is able to generate such high returns (e.g., “It’s proprietary and we can’t share that information”)
Some investment scams are perpetrated to launder funds from other scams, such as the BEC fraud discussed above. Never allow someone to use an organization’s or officer’s bank account to receive and send funds. If you do, it may make you complicit in a money laundering scheme.
Be aware, too, that the scenario may not be obvious. For example, suppose a potential donor offers to contribute $20,000 to your church or nonprofit and explains that it is the proceeds of a lucrative investment. To receive the donation, your organization’s bank account will receive the full investment amount of $100,000 and then immediately transfer $80,000 to an account the donor specifies, keeping the remaining $20,000 donation. In reality, however, the $100,000 could be the proceeds from illegal activity, with the perpetrator planning to launder the money through your bank account to another account controlled by the perpetrator or a co-conspirator.
Steps to Take if Fraud is Suspected
If you believe your nonprofit is the victim of fraud, it is essential to act immediately. We recommend that you:
1. Notify your financial institution of the fraud and ask them to contact the financial institution where the funds were sent. The faster you act, the more likely it is that a portion of the funds may be frozen and recovered.
2. Consult with your attorney.
3. Consider engaging a forensic accountant.
4. Contact your local police department or FBI field office, or both.
For BEC and other Internet-based fraud, file a complaint online with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov.
How to Protect Your Nonprofit
Your nonprofit can take the following steps to help reduce your risk and protect your assets:
• Carefully examine email addresses and spelling in any correspondence you receive.
• Confirm all account changes in person, when possible, or by calling a previously used telephone number for the person purportedly making the change.
• Be careful about the information you share on social media. Seemingly harmless personal details, such as your pets’ names and the schools you attended, can provide fraudsters with enough information to guess your password or security questions.
• Never click a link in an unsolicited email or text message. Rather, open a known website or call a known number (never the one in the message) to verify whether the message is legitimate.
• Never open an attachment from someone you do not know.
• Set up multi-factor authentication whenever possible. Multi-factor authentication goes beyond usernames and passwords to provide increased security related to identity verification. It includes using an authenticator application or pushing a code to the user’s known phone number or email address.
• Be especially vigilant when pressed with urgency. When the pressure to act intensifies, remain calm and inspect every detail closely. Don’t be afraid to ask a supervisor or other nonprofit leader for their opinion of a scenario before acting.
• Utilize positive pay for all outgoing Automated Clearing House (ACH) and check payments. Positive pay is a service offered by many financial institutions that verifies ACH payments and checks against a list of anticipated disbursements.
• Use online bill payment options and minimize the use of paper checks. Use a gel pen when you do write a check.
• Be wary of investments that seem too good to be true. Perform due diligence on potential investment companies and other salespeople who seek introductions within your congregation.
• Obtain a second opinion from a trusted advisor or friend before giving your money to investors who are not registered with the Securities and Exchange Commission (SEC).
Because the human heart has an insatiable appetite for more, fraud schemes will always exist. By being aware of the tactics fraudsters use, you will be better able to spot a fraud scheme and protect yourself and your organization.
CapinCrouse offers a range of informative resources and services to help churches and other nonprofits reduce the risk of fraud and respond effectively if it occurs.
About the Author
Kenneth Q. Tan, Partner
Church and Denomination Services Director
Ken has more than 16 years of public accounting and large nonprofit experience, providing both advisory and assurance services to various nonprofit entities, churches, and mission organizations. In addition, Ken's expertise also extends to serving nonprofit organizations through fraud prevention and forensic accounting. Prior to joining the firm, he managed the audits of public Fortune 100 and private multi-billion dollar companies for a Big 4 accounting firm, provided advisory and strategic planning for churches, nonprofits, and small to medium-sized businesses, and served as the controller and corporate officer for a large faith-based multi-national mission agency.
About CapinCrouse
As a national full-service CPA and consulting firm devoted to serving nonprofit organizations, CapinCrouse provides professional solutions to organizations whose outcomes are measured in lives changed. For over 50 years, the firm has served domestic and international outreach organizations, universities and seminaries, foundations, media ministries, rescue missions, relief and development organizations, churches and denominations, and many others by providing support in the key areas of financial integrity and security. With a network of offices across the nation, CapinCrouse has the resources of a large firm and the personal touch of a local firm. Learn more at capincrouse.com.
© Copyright 2025 CapinCrouse LLP
Used as modified with permission.
