
Raising the bar in the fight against cybercrime

How St John Ambulance is taking positive action to thwart cyber criminals.

A prevalent threat

Leading health and first aid charity St John Ambulance is taking prudent steps to defeat the ever-evolving threats posed by fraudsters.

Charities across the UK frequently face scams and attacks by cyber criminals that pose a potentially serious financial and reputational threat to them.

The latest Cyber Security Breaches Survey, carried out by the Department for Digital, Culture, Media and Sport, reveals that more than 25% of charities experienced cyber security breaches or attacks in the previous 12 months.

Recognising the potential threat of cybercrime to its income and brand, St John Ambulance is taking measures to better defend itself against these criminal activities.

Counter-fraud framework

The charity is establishing a new counter-fraud framework, an ongoing, long-term project that forms the basis of its defences against fraudsters.

“Like many charities we’ve experienced a range of cyber-attacks in recent years and wanted to take action to prevent a serious loss.”

Guy Craig, Head of Financial Reporting

Criminal activity against St John Ambulance has included phishing attacks attempting to gather data and passwords or induce staff to download ransomware via links embedded in emails. It has also received fake invoices and ‘spoof’ emails from criminals posing as suppliers or employees requesting changes to bank payment details in an attempt to divert money into their own pockets.

As an example, Guy explains how an email between the charity and a major supplier was intercepted by cyber criminals, who replied using a very convincing fake email address almost identical to the real one, asking for the supplier’s bank details to be changed to the fraudster’s. “Email interceptions like this are an increasingly common type of fraud. Fortunately, we spotted it before any money was paid, but it was a convincing attempt.”

A few years ago, one employee was caught and sent to prison for fraudulently diverting money into his own account by creating a series of fake invoices from a range of fake suppliers. “The fraudulent invoices were frequent but for relatively small amounts, so they didn’t trigger our authorisation processes at the time.”

Pro-active approach

The counter-fraud framework encourages everyone in the organisation, from the top down, to take a highly pro-active approach to fraud and cybercrime.

Guy says the framework has three core strategic aims: to prevent, detect and deter fraud. “That relies on us having effective internal controls – not only financial but also in terms of recruitment and the procurement of goods and services – and deploying up-to-date cyber security software and technology.

“So, for example, we don’t make any changes to bank details until we’ve obtained independent verification of the change and if a request comes by email we’ll speak to the person or organisation on the phone to authenticate it.”

The organisation is also carrying out higher levels of due diligence on all suppliers before accepting their invoices and making payments.

Work is taking place to update existing anti-fraud policies and procedures, such as an overall anti-bribery and corruption policy, and to put in place a fraud response plan.

Increasing awareness

The framework is also helping to drive better prevention and detection, greater risk analysis, and more measurement and reporting of fraudulent activity.

“We realise that increasing staff and volunteer awareness of fraud and cybercrime and the triggers to look out for, is absolutely vital to combat it. So, we’re working hard to provide more training in that area across the organisation,” explains Guy.

The IT team provides regular updates on new types of scam and all aspects of cyber fraud, while informative articles on the subject are regularly posted on the organisation’s intranet.

To encourage staff and volunteers to report any suspicions of fraud, the charity promotes its whistleblowing policy. It has appointed a ‘freedom to speak up’ guardian and advocates to enable people to voice their concerns in a safe space if they don’t feel comfortable going through their line manager. These concerns are then raised with the charity’s counter-fraud specialists in the Internal Audit team to investigate.

Lessons learned

St John Ambulance’s experience shows that getting trustee and executive buy-in from the outset is essential if you want to drive anti-fraud activity right across the organisation, as is ensuring that effective internal reporting procedures and anti-fraud software and technology are in place.

And it’s very important to analyse the techniques used in attempted frauds and learn from them to help your staff spot and prevent potential breaches in future.

Guy explains: “We’ve found increased security activity also creates resourcing challenges as it tends to require extra input from people on top of their day jobs. So, we try to encourage cross-team co-operation because we believe it should be a group effort, although we also realise that homeworking makes communication in this area a little harder.”

Guy says: “Ultimately, whatever steps you take, you need a zero-tolerance policy towards fraud across the organisation if you want to beat cybercrime.

“Any suspected fraud must be reported and acted on, including contacting the relevant financial institutions, the police or the Information Commissioner’s Office if necessary. There can be no exceptions.”
