Fraud Risks in Nonprofit Organizations: Learning From Real-Life Case Studies
By Sly Atayee, BDO USA, and Cynthia Rowland, Farella Braun + Martel
The Washington Post (2013) found that one-sixth of all embezzlement cases in the U.S. involve nonprofit and religious organizations, ranking just behind the financial sector. This statistic is jarring but not entirely surprising to those in the exempt industry who know nonprofit organizations can be especially vulnerable to fraud risks. Unlike for-profit businesses that usually operate under more rigid financial oversight, nonprofits are often laser-focused on their missions and that can lead to less attention on building internal controls. This can create an environment where financial irregularities may go unnoticed for extended periods, increasing the amount of potential losses.
A tried and true strategy for preventing disasters is learning from mistakes made by others. In this article, we explore three real-world cases, which are unfortunately quite common scenarios, to highlight some of the strategies organizations can use to protect themselves from fraud.
There are three key steps in reviewing these fraud case studies.
1. Understanding the fact pattern and the fraudulent scheme or technique involved is the first step to building a strategy to prevent losses from each type of fraud.
2. Understanding, at a high level, some of the control risks or the weaknesses that probably led to the organization experiencing the issue.
3. Understanding best practices for fixing organizational policies and practices to minimize the likelihood of problems in the future.
Case Study 1: Exorbitant Travel and Personal Expenses
This case study involves a nonprofit where a high-level executive was found to be submitting altered receipts and invoices to mask personal expenses as business expenses, in addition to charging exorbitant travel expenses to the organization. Despite having clear policies around reasonable travel expenses in place, the organization did not enforce them. The organization also did not have regular detailed expense reviews in place. Due to these circumstances, the fraudulent activity went undetected for almost a year. The organization lost hundreds of thousands of dollars due to the scheme.
This case emphasizes a critical point: Policies are just pieces of (electronic) paper. Those policies must be actively enforced. Also, thorough reviews of financial activities must be part of the organization’s regular routine. In this case, a change in personnel led to the discovery of the fraud. A new finance team member conducted a more thorough review, and the discrepancies were uncovered. This highlights the importance of regular, independent reviews and audits, including rotating roles/responsibilities of key positions.
Case Study 2: Payroll Fraud in International Nonprofit
Another case involved a nonprofit operating internationally, where a finance employee in a foreign office had been siphoning over a million dollars through payroll for several years, paying themselves and family members illicitly. This individual was booking entries, making payments, and reconciling bank accounts (i.e., checking their own work). The organization’s U.S.-based staff members were unaware of the fraud due to poor oversight and a lack of resources for proper financial management across its many international offices.
With limited resources and many offices scattered across different countries, maintaining consistent financial oversight can be a challenge for international nonprofits. However, this case underscores the importance of having a clear separation of duties. No single individual should have unfettered control over financial processes. Additionally, it is important that regular monitoring take place in order to ensure internal controls are being properly executed, especially with scattered operations.
Case Study 3: Cybercrime Email Spoofing
In a more modern and tech-savvy case, a nonprofit fell victim to email spoofing. An outside fraudster “spoofed” or impersonated a C-level executive by hacking or creating a near-identical email account. The email account was used to request the transfer of large sums of money to an account outside the country. The finance team, unfamiliar with the digital threats involved, complied with the fraudulent request, resulting in millions of dollars of losses.
Remote work, which has become more common due to the pandemic, amplified existing control gaps. Specifically, the organization’s approval processes had not been adapted to account for employees working from different locations, and the usual checks that might have occurred in a physical office—such as verbally confirming large transactions—were bypassed.
Fortunately, this story has a positive ending. Authorities got involved, and the organization was able to recover a portion of the lost funds. However, the incident serves as a reminder of the increasing importance of cybersecurity measures, especially in a world where remote work is the new norm. Nonprofits must ensure that their staff are trained to understand cybercrime risks and tactics and that they have robust defenses in place. Also, never forget the golden rule of bank/wire transactions—verify by phone!
Best Practices for Preventing Fraud in Nonprofits
Although fraud risks are always imminent, there are several strategies nonprofits can implement to mitigate them. Here are a few recommendations drawn from these case studies:
- Enforce Existing Policies: Organizations must ensure that all financial policies are actively enforced and that employees are held accountable for following them. Spot checks are OK for organizations that don’t have a full-blown internal audit team.
- Perform Reviews: Conduct regular reviews of particularly high-risk transactions, such as travel, procurement, payroll, and wire transfers.
- Ensure Segregation of Duties: No single employee should have control over all aspects of financial transactions. Separating responsibilities—such as one person handling payroll and another approving it—can help mitigate risks of a bad actor taking advantage of vulnerable processes to inflict serious losses.
- Conduct Regular Audits: Bringing in external auditors or forensic accountants to review financial practices regularly can help uncover fraud (or fraud risks) before they become a major problem.
- Hold Fraud Awareness Training: As the landscape evolves, nonprofits must also adapt their defenses. Training on different types of fraud, like email spoofing, helps staff recognize phishing attempts and other scams and stop them before they happen.
Sly Atayee is a director at the national accounting firm BDO USA and a certified fraud examiner. Cynthia Rowland is a partner at Farella Braun + Martel and chair of its Exempt Organization Group. Learn more about financial fraud at nonprofit organizations by listening to the EO Radio Show nonprofit fraud prevention podcast series.
Fraud Risks in Nonprofit Organizations: Learning from Real-Life Case Studies, Sly Atayee and Cynthia Rowland, Board and Administrator for Administrators Only, Volume 41/No. 9, Copyright © 2025, copyright owner as specified in the Newsmagazine, Wiley Periodicals Inc.