
Introduction
Card fraud ranks among the most common and preventable sources of financial loss for nonprofit organizations. Whether from external criminals testing stolen credentials on donation pages or internal staff misusing organization cards, the exposure is real — and costly. Nonprofits face a median fraud loss of $76,000, with some cases exceeding hundreds of thousands of dollars.
Many nonprofits operate with lean finance teams and trust-based cultures that leave them exposed. When one person handles both card issuance and reconciliation, or when leadership card statements go unreviewed, the organization is running without basic internal controls.
Card controls are the practical first line of defense. This article covers the types of card fraud nonprofits face, the warning signs to catch early, and the specific controls that close those gaps.
TLDR
- Nonprofits face both external fraud and internal misuse — often through the same card accounts
- Card controls like spending limits, merchant restrictions, and real-time alerts stop fraud before it escalates
- Strong governance — written policies, regular reviews, and separated duties — supports every control you put in place
- Debit cards carry higher risk than credit cards and should be used cautiously or avoided for staff expenses
- Fraud prevention requires ongoing discipline and active board involvement
Why Nonprofits Are Particularly Vulnerable to Card Fraud
Structural gaps in oversight are the first problem. In many nonprofits, a single person handles card issuance, reconciliation, and approval — eliminating the separation of duties that prevents fraud. Only 44% of nonprofits have management review controls in place, compared to 68% of for-profit organizations. When the person issuing cards also reviews the statements, there's no checkpoint to catch errors or abuse.
That structural problem is reinforced by cultural resistance to formal controls. Mission-driven organizations run on trust and goodwill, so oversight policies can feel uncomfortable — even offensive — to staff. Leaders hesitate to implement controls because it signals distrust. The result: nonprofits are half as likely as for-profits to conduct surprise audits, and only 24% conduct formal fraud risk assessments.
Budget constraints make all of this worse. Lean teams have fewer fraud-prevention tools and limited bandwidth to investigate suspicious activity. Organizations with fewer than 100 employees — typical of most nonprofits — experienced a median fraud loss of $141,000. When you don't have the resources to recover from fraud, proactive controls aren't optional — they're essential.
Common Types of Card Fraud That Target Nonprofits
Card fraud at nonprofits falls into two categories: external fraud (criminals targeting donation systems or exploiting card data) and internal misuse (staff or leadership spending outside policy). Both carry real financial and reputational consequences — and each requires a distinct response.
Internal Card Misuse
Internal card misuse typically occurs through personal purchases on organization cards, inflated expense claims, splitting transactions to stay under approval thresholds, or using cards at unapproved vendors. It's often opportunistic rather than premeditated. Weak controls are the primary invitation.
Expense reimbursement fraud appears in 23% of nonprofit fraud cases, covering mischaracterized, overstated, and fictitious expenses. The dollar figures in documented cases are striking.
The Executive Director of Adelante, Inc. embezzled nearly $400,000 in federal grant funds by withdrawing cash at a casino over two years. In a separate case, a nonprofit CEO systematically embezzled over $2 million over 17 years using organization funds to pay personal credit card bills and purchase luxury goods.
The unique risk emerges when the Executive Director or senior leader is the cardholder. Without board-level oversight, there is no check on their spending. Owner/executive-level perpetrators are involved in 23% of nonprofit fraud cases with a median loss of $250,000 — far exceeding losses from lower-level employees.

Card Testing and Online Donation Fraud
Criminals use nonprofit donation pages to test stolen card numbers via small transactions in rapid succession, often using bots. One nationwide health organization experienced upward of 500,000 fraudulent card-testing attempts in some months, with hundreds of small donations executed in minutes using thousands of stolen card numbers.
Donation forms don't require shipping addresses, making them ideal low-friction testing grounds for stolen cards. The damage extends beyond the initial fraud: nonprofits typically pay $20 to $50 per transaction in chargeback fees, adding up quickly alongside the administrative burden of resolving disputes.
Warning signs include:
- Small transactions typically under $10
- Unusual spikes in small donations
- High decline rates
- Nonsensical donor names or emails
- Transactions during unusual hours
- Donations from atypical geographies
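The first three warning signs can be checked mechanically against a payment processor's attempt log. The following is an added example, not part of the original article: the log format, the card tokens, and every threshold except the $10 figure are assumptions to tune against your own donation traffic.

```python
from datetime import datetime, timedelta

SMALL_AMOUNT = 10.00            # from the article: small transactions, typically under $10
WINDOW = timedelta(minutes=5)   # assumption: how close together attempts must be
MIN_ATTEMPTS = 5                # assumption: smallest burst worth flagging
MIN_DECLINE_RATE = 0.5          # assumption: what counts as a high decline rate
MIN_DISTINCT_CARDS = 4          # assumption: many cards, not one donor retrying

# Constructed sample log (not real data): timestamp,card_token,amount,result
SAMPLE_LOG = """\
2024-03-02T09:15:00,tok_a1,50.00,approved
2024-03-02T14:02:00,tok_b2,5.00,approved
2024-03-03T03:12:00,tok_c1,1.00,declined
2024-03-03T03:12:10,tok_c2,1.00,declined
2024-03-03T03:12:25,tok_c3,2.00,approved
2024-03-03T03:12:40,tok_c4,1.00,declined
2024-03-03T03:13:05,tok_c5,3.00,declined
2024-03-03T03:13:30,tok_c6,1.00,approved
"""

def load(log):
    """Parse the log text into a list of attempt dicts."""
    attempts = []
    for line in log.strip().splitlines():
        ts, card, amount, result = line.split(",")
        attempts.append({"ts": datetime.fromisoformat(ts), "card": card,
                         "amount": float(amount), "declined": result == "declined"})
    return attempts

def find_card_testing_bursts(attempts):
    """Flag bursts of small donations with many declines across many cards."""
    small = sorted((a for a in attempts if a["amount"] < SMALL_AMOUNT),
                   key=lambda a: a["ts"])
    bursts, i = [], 0
    while i < len(small):
        j = i  # extend the window while attempts stay within WINDOW of the first
        while j + 1 < len(small) and small[j + 1]["ts"] - small[i]["ts"] <= WINDOW:
            j += 1
        window = small[i:j + 1]
        rate = sum(a["declined"] for a in window) / len(window)
        cards = len({a["card"] for a in window})
        if (len(window) >= MIN_ATTEMPTS and rate >= MIN_DECLINE_RATE
                and cards >= MIN_DISTINCT_CARDS):
            bursts.append({"start": window[0]["ts"], "end": window[-1]["ts"],
                           "attempts": len(window), "decline_rate": round(rate, 2),
                           "distinct_cards": cards})
            i = j + 1  # continue after the reported burst
        else:
            i += 1
    return bursts
```

The legitimate $5 donation in the sample is not flagged, because a single small gift does not form a burst.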
Debit Card Risks
Debit cards present higher risk than credit cards for nonprofits. Funds are debited immediately, recovery is slower, and chargebacks are harder to dispute.
The Electronic Fund Transfer Act establishes a $50 liability limit for consumer debit cards, but EFTA does not extend similar protections to business or organizational debit cards. A debit card linked to a nonprofit's business checking account provides no federal legal safeguards against unauthorized purchases.
When fraudulent transactions occur, they directly impact cash flow. Recovery depends on the bank's voluntary policies, not legal protections. Credit cards governed by Regulation Z provide more robust protections and zero-liability programs. Nonprofits should avoid general-purpose debit cards for staff use and instead opt for prepaid or controlled-spend cards when cash access is needed.
Suspicious or Laundered Donations
Unusual large donations with conditions attached — particularly requests to forward a portion to another account — can unknowingly draw nonprofits into money laundering. FinCEN documented a case where tax-exempt nonprofits operated as illegal wire remitting businesses, co-mingling drug proceeds with donations totaling approximately $3 million over three months.
Warning signs:
- Donation conditions requiring transfer of funds to third parties
- Unusually large third-party deposits not matching typical donor profiles
- Rapid outbound transfers via wire or cashier's check
- Donors requesting refunds or rerouting of funds
- Donors insisting on non-standard processes
Warning Signs of Card Misuse You Shouldn't Ignore
Transactional red flags provide the first layer of detection. Watch for:
- Multiple small charges at the same vendor over a short period
- Charges that land just under an approval threshold
- Purchases from restaurants, retail, or entertainment merchants with no business justification
- Missing receipts that are requested once and never followed up on
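The first two red flags lend themselves to an automated pass over the monthly statement export. This is an added example, not part of the original article: the $500 approval threshold, the 5% "just under" margin, the two-day window, and the cardholder and vendor names are all assumptions.

```python
from datetime import date, timedelta
from decimal import Decimal
from itertools import groupby

APPROVAL_THRESHOLD = Decimal("500")   # assumption: set by the organization's policy
NEAR_FLOOR = Decimal("475")           # assumption: within 5% under the threshold
SPLIT_WINDOW = timedelta(days=2)      # assumption: the "short period" for repeat charges

# Constructed statement lines (not real data): (date, cardholder, vendor, amount)
SAMPLE_CHARGES = [
    (date(2024, 5, 6), "cardholder_a", "Acme Print", Decimal("495.00")),
    (date(2024, 5, 9), "cardholder_c", "Metro Hardware", Decimal("60.00")),
    (date(2024, 5, 10), "cardholder_c", "Metro Hardware", Decimal("45.00")),
    (date(2024, 5, 14), "cardholder_b", "City Catering", Decimal("300.00")),
    (date(2024, 5, 14), "cardholder_b", "City Catering", Decimal("280.00")),
    (date(2024, 5, 20), "cardholder_b", "City Catering", Decimal("120.00")),
]

def review_statement(charges):
    """Return findings for charges just under the threshold and likely splits."""
    findings = []
    for _, who, vendor, amount in charges:
        if NEAR_FLOOR <= amount < APPROVAL_THRESHOLD:
            findings.append(("just_under_threshold", who, vendor, amount))
    # Group by cardholder and vendor, ordered by date within each group.
    ordered = sorted(charges, key=lambda c: (c[1], c[2], c[0]))
    for (who, vendor), group in groupby(ordered, key=lambda c: (c[1], c[2])):
        group = list(group)
        i = 0
        while i < len(group):
            j = i  # collect charges within SPLIT_WINDOW of the first one
            while j + 1 < len(group) and group[j + 1][0] - group[i][0] <= SPLIT_WINDOW:
                j += 1
            cluster = group[i:j + 1]
            total = sum(c[3] for c in cluster)
            # A split: each charge avoids approval, but together they would need it.
            if (len(cluster) > 1 and total >= APPROVAL_THRESHOLD
                    and all(c[3] < APPROVAL_THRESHOLD for c in cluster)):
                findings.append(("possible_split", who, vendor, total))
                i = j + 1
            else:
                i += 1
    return findings
```

Findings are prompts for a reviewer to request receipts and a business purpose, not proof of misuse.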
Behavioral red flags from staff often precede detection. These include resistance to submitting receipts or documentation, requests to delay statement review, handling their own reconciliation without a second reviewer, or pushback when card policies are introduced or enforced. Living beyond means appears in 39% of fraud cases, and financial difficulties are present in 27%. Multiple behavioral red flags appeared in over 50% of fraud cases.
The systemic warning sign is this: if no one reviews card statements monthly — or if the same person issuing cards also reconciles them — the organization has no basic internal controls and may already have exposure it hasn't detected. The median duration of occupational fraud is 12 months before detection, with fraud losses averaging $9,900 per month.
Card Controls Every Nonprofit Should Implement
Card controls work best when implemented together, not in isolation. Each control addresses a different point of vulnerability, creating a layered defense.
Spending Limits and Transaction Controls
Setting per-transaction and monthly spending limits on individual cards directly limits dollar exposure from any single misuse event. Limits should be set based on role and expected legitimate use — not as a blanket restriction but as a right-sized boundary.
For example:
- Program staff attending conferences: $500 per transaction, $2,000 monthly limit
- Finance staff purchasing office supplies: $250 per transaction, $1,000 monthly limit
- Executive Director for strategic purchases: $2,000 per transaction, $5,000 monthly limit
Requiring manager or CFO approval for purchases above a defined threshold adds a human checkpoint that deters opportunistic misuse and creates a paper trail. This is where a fractional CFO, like those at One Abacus Advisory, can help nonprofits design approval workflows that are both rigorous and practical for lean teams.
Merchant Category Code (MCC) Restrictions
Many card issuers allow nonprofits to block entire merchant categories using four-digit Merchant Category Codes assigned under ISO 18245. These codes classify merchants by the type of goods or services they provide.
Enabling MCC restrictions means the card won't process at restricted merchants — eliminating risk before it occurs rather than detecting it after. Common categories nonprofits block:
- Liquor stores (MCC 5921)
- Casinos and gambling (MCC 7995)
- Entertainment venues (MCC 7832, 7929)
- Cash advances (MCC 6010, 6011)
- Personal services (MCC 7230, 7297, 7298)

Virtual card platforms allow organizations to set merchant category controls that restrict purchases to specific authorized merchants — for example, restricting a facilities manager's card to hardware and material vendors only.
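The sketch below shows how the spending limits and MCC restrictions from the two sections above combine into one authorization decision. It is an added example, not part of the original article and not any issuer's API: the limits and blocked codes are the article's own examples, while the class, card IDs, sample transactions, and the two allowed MCCs (7011 lodging, 5943 office supplies) are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# MCCs the article lists as commonly blocked.
BLOCKED_MCCS = {"5921", "7995", "7832", "7929", "6010", "6011", "7230", "7297", "7298"}

# Role limits from the article's examples: (per transaction, per month).
LIMITS = {
    "program_staff": (Decimal("500"), Decimal("2000")),
    "finance_staff": (Decimal("250"), Decimal("1000")),
    "executive_director": (Decimal("2000"), Decimal("5000")),
}

class CardPolicy:
    """Hypothetical policy engine; a real issuer enforces this at authorization."""

    def __init__(self):
        # (card_id, "YYYY-MM") -> total of approved charges in that month
        self.month_spend = defaultdict(Decimal)

    def authorize(self, card_id, role, mcc, amount, month):
        """Return a decision string; only approved amounts count toward the month."""
        amount = Decimal(amount)
        per_txn, per_month = LIMITS[role]
        if mcc in BLOCKED_MCCS:
            return "blocked_mcc"
        if amount > per_txn:
            return "over_transaction_limit"
        if self.month_spend[(card_id, month)] + amount > per_month:
            return "over_monthly_limit"
        self.month_spend[(card_id, month)] += amount
        return "approved"

# Constructed transactions: (card_id, role, mcc, amount, month)
SAMPLE_TXNS = (
    [("card_1", "program_staff", "7011", "480.00", "2024-06")] * 5
    + [("card_1", "program_staff", "7995", "100.00", "2024-06"),
       ("card_2", "finance_staff", "5943", "300.00", "2024-06"),
       ("card_1", "program_staff", "7011", "480.00", "2024-07")]
)

def replay(policy, txns):
    """Run transactions through the policy in order and collect the decisions."""
    return [policy.authorize(*txn) for txn in txns]
```

The fifth $480 charge is declined even though it is under the per-transaction limit, which is why the monthly cap matters alongside it.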
Real-Time Transaction Alerts
Enabling instant SMS or email alerts for every card transaction gives finance staff immediate visibility into spending as it happens. This serves two functions: it deters misuse (staff know transactions are visible immediately) and allows rapid response if an unauthorized charge is detected.
Configure alerts to include:
- Transaction amount
- Merchant name
- Date and time
- Cardholder name
For organizations with multiple cardholders, route alerts to both the cardholder and a finance reviewer. The dual notification creates accountability.
Virtual and Single-Use Card Numbers
Virtual cards — digital card numbers generated for a single vendor or transaction — significantly reduce fraud risk for recurring vendor payments and online purchases. If a virtual card number is compromised, it cannot be used elsewhere, limiting exposure to a single transaction.
Virtual cards use tokens instead of primary account numbers, preventing merchants from accessing the funding account number. Additional controls include spending limits customized per transaction scenario and time-bound validity that prevents use outside a specified window.
Single-use cards become invalid immediately after one transaction, eliminating future unauthorized use — particularly valuable for one-time vendor payments or online subscriptions.
Receipt and Documentation Requirements
Technical controls like virtual cards and MCC restrictions stop many fraud attempts before they start — but documentation requirements close the loop on what does go through. Every card transaction should be matched to a receipt and a stated business purpose before the statement closes. Meals should include the itemized bill, not just the signature slip. This is both a fraud deterrent and a compliance safeguard for grants and audits.
Documentation policy should specify:
- Receipt submission deadline (e.g., within 5 business days of transaction)
- Required information (vendor, date, amount, business purpose, attendees for meals)
- Consequence for non-compliance (card suspension after two missed receipts)
- Review and approval workflow (who reviews, who approves, how documentation is stored)
For lean teams, the key is building submission workflows into existing tools — whether that's a shared drive, accounting software, or a dedicated expense platform — so compliance doesn't require extra effort.
Board-Level Review for Executive Cards
When the Executive Director or CEO is a cardholder, a board member (typically the treasurer or finance committee chair) must review and sign off on their statements. This is not optional governance — it is a fundamental control that prevents unchecked spending at the top level, where the largest individual misuse cases typically occur.
The IRS Form 990 requires nonprofits to report their governance practices, including whether the organization has a written conflict of interest policy and procedures for determining executive compensation. Excess benefit transactions can trigger a 25% excise tax, increasing to 200% if not corrected. Board-level review ensures transparency and accountability.
Board review should include:
- Monthly review of all executive card statements
- Documentation of business purpose for each transaction
- Dated signature or written approval from reviewing board member
- Documentation retained with official board records

Building a Long-Term Card Fraud Prevention Culture
Sustained fraud prevention goes beyond individual card controls. Three foundational practices give nonprofits the structure to catch problems early and build lasting accountability.
**Maintain a written card use policy** that defines who can hold cards, approved use cases, documentation requirements, and consequences for misuse. Have all cardholders sign it annually.
**Conduct quarterly fraud risk assessments and statement audits**, with a more thorough annual review. Bringing in an independent reviewer or fractional CFO helps surface patterns internal staff might overlook. The top four internal controls — surprise audits, financial statement audits, proactive data analysis, and reporting hotlines — were each associated with a 50% or greater reduction in both median fraud losses and median fraud duration.
**Build fraud awareness into onboarding and ongoing training.** Every employee should know what card fraud looks like, their role in prevention, and how to report concerns without fear of retaliation. Organizations that provide fraud awareness training lose nearly half as much as those that don't, and tips are 2x more likely to come from trained staff.

That reporting culture directly affects outcomes. Tips detect 43% of fraud cases, three times more than the next most common detection method. Organizations with reporting hotlines experienced a median fraud loss of $100,000, compared to $198,000 at organizations without one — a gap that makes a strong case for investing in the infrastructure that encourages staff to speak up.
Frequently Asked Questions
What are some ways to prevent debit card fraud?
Nonprofits should minimize debit card use for staff expenses and set up a dedicated low-balance account if debit access is needed. Enable real-time alerts and require documentation for every transaction. Since debit card funds leave the account immediately, recovery is harder than with credit cards, which offer better dispute protections.
What is a nonprofit card control policy?
A card control policy is a written document that defines who may hold an organizational card, approved purchase categories, spending limits, documentation requirements, and the review process. It sets the rules for all card-related spending and establishes clear accountability across the organization.
Should nonprofits use credit cards or debit cards for staff purchases?
Credit cards are generally safer because disputed charges can be reversed before funds leave the account. Debit cards carry higher immediate risk since funds are withdrawn instantly, recovery takes longer, and federal protections that apply to consumer debit cards don't extend to organizational accounts.
What card controls can nonprofits use to limit unauthorized spending?
Several controls work together to limit unauthorized spending:
- Per-transaction and monthly spending limits
- Merchant category code (MCC) blocking to restrict certain vendor types
- Real-time transaction alerts for immediate visibility
- Virtual card numbers for online purchases
- Mandatory receipts with a documented business purpose for every transaction
How should a nonprofit respond if it discovers internal card misuse?
Freeze the card immediately, document the transaction history, and notify the board's finance or audit committee. Consult legal counsel for large losses or when grant funds are involved. Then review existing controls to identify and close the gap that enabled the misuse.
How often should a nonprofit review its card statements?
Card statements should be reviewed monthly, always by someone other than the cardholder. Executive director statements require review by a board member. All reviews should be documented with a signature or dated approval record to maintain a clear audit trail.


