Every dollar your nonprofit receives represents someone's trust in your mission. A donor wrote a cheque, a foundation approved a grant, a community member bought a ticket — all because they believe in what you do. That's a powerful responsibility.
It's also one that fraudsters are counting on you to take for granted.
Fraud is more common in the nonprofit sector than many leaders realize. And the numbers are sobering: on average, organizations lose 5% of their annual revenue to fraud every year. For a $1M nonprofit, that's $50,000 diverted away from the people you serve. The median loss per incident sits between $60,000 and $100,000 — and these schemes often go undetected for 12 to 18 months before anyone notices.
Smaller organizations are hit hardest. Nonprofits with fewer than 100 employees suffer median losses nearly twice as high as larger organizations with more formal controls in place. And roughly half of all fraud cases trace back to a single root cause: weak or absent internal controls, which is the most preventable problem of all.
The five fraud schemes you need to know
Understanding how fraud happens is the first step to stopping it. Here are the most common schemes targeting nonprofits:
1. Billing schemes — An employee causes the organization to pay for fictitious goods or services, inflated invoices, or personal purchases disguised as business expenses. This is the most common form of internal fraud in nonprofits. Prevention starts with purchase orders, independent vendor approval, and separating whoever purchases from whoever approves and pays.
2. Payment tampering — Cheques get intercepted and altered. EFT files get manipulated. Bank details get quietly changed to redirect funds to a personal account.
As Omar Visram of Enkel put it during a recent webinar: "A common thread here is cheques — cheques are prone to fraud. To the extent that you can minimize cheque use, do so." Dual approval for electronic transfers and secure cheque stock are essential safeguards.
3. Expense reimbursement fraud — This accounts for 14% of all asset misappropriation in small nonprofits. Employees claim personal meals as business expenses, inflate travel costs, or submit the same receipt twice. Requiring original itemized receipts (not just credit card summaries), setting clear per diem limits, and flagging expenses that consistently land just below your approval threshold can catch this early.
4. Cash skimming — Theft of cash before it ever hits the books. This is especially common at fundraising galas, thrift stores, and events with door fees. Two people should always count cash together, and receipts should be recorded immediately. Better yet: encourage electronic payments wherever possible. The processing fee is almost always less than the risk.
5. False financial reporting — Intentional misstatement of financial records to hide other fraud or meet grant requirements. Independent external audits and active board review of financial statements are your primary defenses here.
Warning signs to look for
Fraud rarely announces itself, but it does leave traces. Some behavioral and financial red flags to watch for:
- An employee who refuses to take vacation and insists on handling tasks personally
- Someone living noticeably beyond their means relative to their salary
- Possessiveness over financial records, resisting oversight or shared access
- Missing documentation — receipts that are frequently "lost" or unavailable
- Unusual journal entries made late at night or on weekends with vague descriptions
- An unusually high number of voided cheques or credits without clear justification
None of these individually confirm fraud, but they should raise your guard. Fraud often surfaces through small anomalies that get dismissed as innocent; they rarely are.
The underlying problem: Too much trust in too few hands
The culture of many nonprofits — rooted in mission, community, and trust — can actually create conditions where fraud goes undetected for years. Long-tenured employees are assumed to be above suspicion. Executives bypass controls to "get things done." Board members approve financial reports without reading them.
These are not signs of a bad organization. They're signs of one that needs stronger structures.
The core principle is simple: no single individual should control two or more phases of a financial transaction. When one person can initiate, approve, and release a payment without anyone else's involvement, fraud becomes remarkably easy to commit and remarkably hard to detect.
One quick action you can take today: review your bank's authorized signers list. Remove any former employees or board members. It takes 10 minutes and closes a significant gap.
Get ahead of fraud in your nonprofit
Understanding the threat is just the beginning. We’ve put together a practical roadmap on how to build the governance structures, internal controls, and payment workflows that actually protect your organization.
Download our full guide Protecting Your Nonprofit: Payments, Workflows & Governance, where we cover how to build a segregation of duties framework, what a real approval matrix looks like, how to modernize your payment processes, and the steps to get started — no matter the size of your organization.
Your mission is too important to leave unprotected.
Put these safeguards in place with Plooto
Knowing what controls you need is one thing. Actually enforcing them — consistently, across every payment — is another. That's where Plooto comes in.
Plooto is a payment automation platform built to make the safeguards described in this post the default, not the exception. Here's how it maps to the controls that matter most:
Segregation of duties, built in. Plooto lets you configure granular user permissions so that the person who creates a payment cannot also be the one who approves and releases it. No workarounds, no exceptions.
Custom approval workflows. Set dollar-amount thresholds that automatically route payments to the right approvers — a Finance Manager for mid-range expenses, the Executive Director and Board Treasurer for anything significant. Funds don't move until the right people sign off.
A complete digital audit trail. Every payment action is logged — who initiated it, who approved it, when, and for how much. When your auditors ask for documentation, it's all there.
Verified vendor data and secure electronic payments. Plooto encrypts and stores vendor banking details, reducing the risk of payment tampering and eliminating the fraud exposure that comes with physical cheques.
Two-way accounting sync. Plooto connects directly with QuickBooks and Xero, so transactions flow automatically between your accounting software and your payment platform — cutting out the manual data entry where errors and fraud often hide.
The result is a payment process that's faster, more transparent, and far harder to exploit — without adding administrative burden to your already-stretched team.
