Is Your Club One Click Away From Bankruptcy?

Our soccer club is a moderate-sized club – about 1000 kids – which isn’t huge by metropolitan standards, but it certainly keeps us busy. We offer Recreational, Travel, and Special Needs soccer programs to area youth. We do everything we can to keep costs low, but our annual budget is still in excess of $100,000. We don’t pay for facilities (we use municipal fields) or coaching/staff (all volunteers). Imagine the amount of money that flows through a bigger league with facilities expenses and coaching salaries.

Soccer clubs (and many other youth sport organizations) process hundreds of thousands of dollars a year, with 5-6 figure balances in their accounts when registration fees are collected. This makes them prime targets for cyber criminals. Think about it – what would happen to your soccer club if your treasurer logged into your account to find that 5-6 figure balance gone? Transferred out to a foreign country, often via unwitting ‘mules’, with little chance of recovering it? Could the club survive? Would you have to declare bankruptcy? Could you maintain possession of facilities and other assets your club (or more often your funding bank) owns if you couldn’t pay the loans? Do I have your attention yet?

Part of the reason I haven’t been writing as much lately (besides coaching four teams – insanity!) is that I also recently opened an IT Services business in town, which takes up a lot of time. Despite 15+ years of IT experience, I’m still amazed at how many computers are infected every day. The bulk of my repair business is cleaning infected machines. While many people are familiar with the ‘fake’ antivirus programs and other visible infections, these often hide more dangerous infections that make PCs part of botnets like Zeus, which are used for criminal purposes. These infections, often undetectable by modern antivirus programs, capture login credentials for bank accounts, credit cards, social networks, and more. Many computer users mistakenly believe you have to actually ‘click’ on something to be infected. However, many infections are ‘drive-by’ in nature. You visit a website that has been compromised and your browser loads infected code that takes advantage of an unfixed (or worse, unknown) vulnerability in the browser, or in common add-ons like Adobe’s Flash and Acrobat Reader, or Sun’s Java. The latter are more dangerous because they can be exploited regardless of the browser in use and tend to be updated less frequently.

In other words, your club treasurer could visit a Fortune 500 company website that has been quietly compromised and have their computer infected without even realizing it. Their antivirus software doesn’t catch the infection, and the next day they log in to your club’s bank account to check the balance, transfer funds, or pay club bills. A week later, the account is cleaned out by a series of sub-$10,000 wire transfers. Think this is unlikely? Guess again: many small and medium-sized businesses, as well as non-profits, have been hit by this. Brian Krebs, a well-renowned writer and security analyst, has been highlighting the issue at his blog Krebs on Security. Reading just a few of those stories is frightening as both a club president and small business owner.

Another common misconception concerns fraud coverage: many of these businesses and organizations learn the hard way that fraud losses to commercial accounts are rarely covered by the bank. If they can’t reverse the transfers (often impossible more than 24 hours after they happen), the money is gone. Criminals are catching on quickly – online bank thefts now exceed ‘real’ bank robberies. You can often steal much more and with much less risk. While the prevalence of fraud is causing many companies to switch banks, it’s unclear if it’s enough of a problem to force banks to help customers with better security practices.

Do you believe the threat is real yet? Have you seriously considered what would happen to your club if the bulk of your money was taken via fraud? Do you have insurance that would cover the loss if your bank doesn’t? Do you check your account daily to monitor for fraud? These are all serious questions that I fear many organizations don’t have good answers to.

So what can you do to protect yourself? Here are a few things that can help:

  • Restrict who has access to your club accounts to a select few.
  • Limit the use of debit cards or disable their use entirely and use a club credit card paid off monthly instead. The fraud coverage is better.
  • Change the access credentials to your online accounts at least once a season.
  • Do not access your accounts online with a Windows PC. I cannot stress this enough. Instead use a Mac, or even better a Linux-based ‘Live CD’. Live CDs are extremely secure: because they run off the pristine read-only CD, they can’t be ‘compromised’ even if the operating system installed on the computer is. Remove the CD and your normal operating system will boot. Brian put together a great tutorial on how to download and use a Live CD to access online accounts. Expect banks to finally wake up and start to offer real fraud coverage if you limit yourself to Live CD access to your accounts, or something similar.
  • See if your bank offers a type of account that you can transfer money into easily, but that requires a branch visit to transfer money out of. Then keep only a workable balance in the main checking account, with the rest parked in a more secure account (preferably earning some interest).
  • See if your bank can flag your account to either disable wire transfers (have you ever used one?), or require two different sets of credentials from two different people. Wire transfers can wipe an account out in no time. This still leaves debit card fraud, but that is subject to transaction limits and better fraud detection.

This is one of those things that people don’t take seriously until it’s too late. Just like anchoring soccer goals. It’s a hassle to do properly and consistently, and it’s easy to think “we’ve never had a goal tip over” until it’s too late and your club is facing a multi-million dollar liability lawsuit. I’ll admit that my own club isn’t doing all of the above currently, but we are working to implement most, if not all, of them. In our short 7-year history, we’ve already had a debit card compromised once, with thousands of dollars in fraudulent charges (which the bank, thankfully, covered). It can happen to any of us without warning – we still have no idea how they got our number.

Criminals don’t care if you’re a for-profit business or a non-profit youth organization. They just want your money. So take steps to protect your club – if you aren’t in a position to enact these changes, send this to someone who is and make sure it gets done. Ask for a report at the next general meeting highlighting the steps that have been taken to protect the club’s assets. Our kids are worth it!

Leave a Reply

  1. Hey Mike-

    This is a great post and relates to simply good management of soccer clubs. All of the ideas you present should be applied to offline transactions as well (double accounts, dual signatures, no online bill paying, etc.). In the last little while, there have been a number of organizations grounded by internal theft. I would wonder which is more common between “inside jobs” and external digital theft. This article chronicles some recent cases and has some resources for fraud prevention:

    I thought it was interesting that US Soccer has a full presentation on this aspect, which tells me that it is probably more prevalent than we actually hear about and a BIG deal.


    PS – Good luck with the new business!

  2. I was kind of disappointed in that presentation, called Fraud to Soccer Associations

    47 pages of history on various frauds, most not related to soccer, but very little information on how to prevent them or take steps to prevent them as a soccer association. I think stories from soccer associations and what type of impacts they endured would be much more interesting and hit home. Our insurance company for the NCYSA did a short talk on liability with some actual youth soccer cases they had handled. Most interesting? A lawsuit brought by parents when their child was hurt in a match because he was playing ‘up’ an age group and they argued that the league was negligent in allowing that because of the risk of injury. THAT was an eye opener.

  3. Mike-

    I agree. The presentation for USYS wasn’t very compelling, but that there is a committee, to me, is the interesting point. The other link that outlines a fraud check-up is a bit better – especially points 5, 6 and 7. This hits at the nitty-gritty and makes clubs THINK, which is so important. We all think, “This won’t happen here.”

    What happened with the case of playing “up”? Yes, that is a compelling case.

  4. Region IV has an interesting set of risk management briefings — one was the top 10 claims made against soccer clubs. As you might suspect, improperly anchored goals are big; however, check out one like “too many drills in practice”

    Interesting we are debating now about coaches who “play” with the kids (instead of using neutral players when an odd number) – see one claim in the briefing. Also, in terms of playing up, see claim #10. We make the parents formally request and sign a waiver for any kid playing “up.”

  5. Mike – I forget about the playing up thing. I don’t *think* it was settled, but can’t recall. If it was, it was a trivial number but can’t imagine they’d settle that claim and set that precedent.

    Bob – Interesting stuff. I love to participate in activities with the kids on my team, partly as exercise, but also to help them face challenges, etc. That said – it certainly IS a risk and you have to be as careful as you can. I’ve tripped/collided with a few of my players and the risk of injury is clearly there. But I’d be curious to know how prevalent that is – would hate to see coaches banned from active participation over a couple of cases (vs a systemic problem)

    I’d certainly venture to say that learning how to safely play with younger players is definitely something you have to focus on and be vigilant about…

  6. I have moved away from participating, except for activities where there is almost no possibility of contact. I do think it’s useful to demonstrate technical skill and give the kids a challenge to match (say in a non-contact shooting activity).

    Occasionally, we will fill in as goalkeepers, but the (unofficial) rule is avoid contact and participation in scrimmage (match-like) activities. Again, it’s more erring on the side of risk management as I am not aware of how systematic the potential issue is. We are a private club that owns a substantial number of fields, but with only a small positive cash flow margin so it would only take one bad outcome to put us in a tough spot.

  7. Interesting information particularly about coaches scrimmaging with kids and also about kids playing up.

    I scrimmage with my kids (but avoid contact as much as possible — I know it only takes one accident).

    My own daughter plays up. Part of the problem is she’s a young (and small) 4th grader, so most kids in her grade are u10 and she is u9. However, she can hold her own at U11 … so … was wondering, what kinds of rules about playing up do your leagues have?



  8. For our club:

    Rec – Parents must request; Rec director and our overall technical training director recommends, our board must approve

    Comp/travel – Parents must request; player must try out in both higher and normal age group. Comp director, comp director of coaching, and tech training director recommend placement. We go back and forth, but generally try to think of groups in the 2 year increments (U-8, U-10, U-12) as opposed to intra-grouping (U-9, U-10) and think more of first-year/second-year within a group…so it’s not really “playing up” for a U-9 eligible to play with a U-10 team.

    The tricky part is the school grade vs. the soccer age – and those kids on the cusp (usually Aug/Sep birthdays) who are 5th grade, but still U-10 eligible (while most of the group are playing 1st year U-12) or 7th grade but still U-12 eligible. My feeling is high school teams go by grade, not age, so kids should generally be placed where their grade school peers are.

    For the most part, we have very few kids “playing up” except in the case above (to match with school grade). We had an experience where a large cohort (8) played up to first year U-14 (when they could have played top tier 2d year U-12). While some argue they are getting more development, I believe they are better off developing the confidence to try creative and innovative play at their peer level than just getting by at the higher age level. Most of these players took a step back as they lost confidence in their play.

    For the really special kids, you can pursue other options like regional teams/ODP, but why rush kids until they reached a certain level of physical and emotional maturity?