In the recent case of Peebles Media Group v Patricia Reilly, a Court of Session judge rejected a claim from Peebles Media to recover over £107,000 from a former employee, Patricia Reilly, after she made a series of online payments as the firm’s credit controller in response to fraudulent emails.
In 2015, Reilly received a fraudulent email claiming to be from the Peebles Media managing director that requested £24,800 be transferred to another company. As Reilly did not have authorisation to make the payment, she contacted her line manager, who processed it whilst on annual leave. Further emails were sent requesting larger amounts and Reilly processed these payments herself, only contacting her manager once for a PIN to access online banking. When doing so, Reilly received a fraud warning from the bank which she did not read. A total payment of £193,250 was made.
Reilly was subsequently fired for gross misconduct and brought a claim for unfair dismissal, but did not pursue it. Peebles Media recovered £85,265.98 from their bank and brought a claim against Reilly for the remaining £107,984.02, arguing that she breached her obligation to exercise reasonable skill and care as the emails were ‘obviously fraudulent’. Reilly argued contributory negligence on the part of her employer.
Employees have an implied obligation to exercise reasonable skill and care in the performance of their duties. The Court of Session in Scotland ruled that Reilly did not breach this obligation. It held that, even if she had read the fraud warning, it was not persuaded the outcome would have been different.
The Court noted that Reilly’s manager was responsible for the first payment and allowed Reilly to use her bank security details; they were therefore unable to see how she can be said to have breached her obligation, as she sent the relevant details to a superior. The court also stated that although Reilly was not authorised to use online banking, her manager did not give clear direction that she should not do so and that she was at a significant disadvantage, by holding the fort for more senior colleagues.
The Court concluded that Reilly had not breached her contract. The Court did accept that she breached her obligation of reasonable skill and care when transferring funds from the invoice financing account to the current account as she did this on her own initiative. Unlike the other payments, she was not prompted to make this payment and had no authority to do so. The Court did not however consider that the money lost was a natural consequence of this breach and was instead ‘exceptional and unnatural’ as Reilly was ignorant of the fraud being perpetrated.
Importance for charities
This type of fraud is known as whaling, which targets specific people in an organisation. In this case, an email was sent to a senior person within the organisation. If the fraudsters receive an out-of-office reply, they will then create an email address containing the name of this senior person. A payment instruction is then issued to a junior member of staff who, like Reilly, is unsuspecting as it appears to be from the absent senior colleague, and the payment is made. The judge noted that in 2015, this type of fraud was relatively new.
Being aware of scams such as this is especially important for those managing charitable funds. Given the size of the charity sector in England and Wales, it is unsurprising that charities are at risk of being targeted by fraud and financial crime.
Trustees and financial controllers have a duty to manage their charity’s resources responsibly and must ensure that its funds are properly protected, applied and accounted for. It is therefore important that they are aware of the fraud-related risks their charity could face.
Trustees and senior managers should ensure that there are robust processes and procedures in place dealing with the transfer of charitable funds, including who has authority to do so, and whether there are any financial limits in place. They should ensure that staff dealing with financial transactions have suitable training to help identify scams. It is important that this training is kept up to date given that new ways of perpetrating fraud are being developed all the time and that staff are reminded of the policies and procedures periodically.
If a charity is the victim of fraud, a serious incident report to the Charity Commission will likely be necessary; the charity will be in a stronger position if it can demonstrate that it put in place appropriate steps to mitigate the risk of fraud.
Charity Fraud: Lessons from a recent case
The law and practice referred to in this article has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.