Responding to COVID-19: insight, support and guidance

Reducing the risk of fraud and theft in museums and galleries


Like all public sector organisations, museums and galleries face real and significant risks of theft, fakes and forgeries, and security breaches. 

Rightfully, with the high-value of collections, there is a focus on Heritage and Cultural Property Crime. However, with losses (combined detected and undetected) due to other types of fraud and bribery, estimated at between 3% and 8% of budget/turnover, it is vital not to overlook the additional threat of fraud and theft being committed by staff, suppliers and contractors. 

The variety and varying scale of the risks makes detection and investigation difficult. Therefore, the old adage 'prevention is better than cure' applies here more than ever. It is estimated that £1 spent on prevention can save you seven in the long run in terms of losses and costs of investigation. 

It is essential to create and embed a strong anti-fraud, bribery and corruption response, as well a pro-security culture to deter, prevent and detect fraud and theft.

Why fraud happens

The main components (pressure, opportunity and rationalisation) of the traditional ‘fraud triangle’ as designed by Donald Cressey still stand. Pressures – personal or organisational – drive fraud, as can job dissatisfaction, a poor tone from the top and because the reward often outweighs the risk. 

The landscape is further complicated by other factors such as challenge, malice and capability as the world of cyber evolves. 

Increasingly, attacks are being made to disrupt and gain hacking ‘bragging rights’. Therefore, the focus has to be on not just financial data, but all angles, including heritage, monies and reputations.

General fraud risks

The variety of risks is a challenge. Frauds range from leavers not being removed from the payroll, to advertising scams, grant funding and the usual suspects of retail crime such as cash theft, point-of-sale voids, refunds, etc.

Another common threat is bank mandate fraud, a scam whereby a fraudster calls into an organisation pretending to be a supplier and changes the bank account details.

Recently, Paul Kelly (also known as Paul Ward) was jailed for ten years at Southwark Crown Court (following deportation from Cyprus) after being convicted of stealing £600,000 from the Museum of London. 

He was investigated over two separate cases of fraud. The first involved the theft of more than £600,000 through a payment diversion fraud where the museum thought they were transferring money to a contractor when in fact they were being defrauded into paying the funds into a bank account controlled by Kelly. At the same time, he was running a separate ‘long firm fraud’ –creating companies and establishing good lines of credit with the suppliers of goods before running off.   

It is believed that while abroad he also became a key player in several major investment frauds that took millions of pounds from UK citizens.

Criminals are constantly adapting and evolving. Just because the security measures were adequate three years ago, it does not necessarily mean they stand as secure today. 

Staff risks

It is often a surprise to find that trusted staff have committed fraud against their own organisation. However, the following are just a few examples of the types of activity by staff that we have seen:

  • using false identity documents to secure employment
  • lying on or inflating a CV/credentials/application form
  • over-claiming of hours worked and/or expenses
  • staff 'turning a blind eye' or abusing their position for some kind of advantage
  • theft/misuse of assets, including cash, data, stock and vehicles
  • manipulation or misreporting of financial information
  • staff working for another employer while claiming to be sick
  • failing to report a conflict of interest.

As an example of staff fraud, Joseph McGuire used a franking machine at the National Museum of Scotland to order stamps, which he then sold online. 

The fraud was discovered when the Royal Mail Criminal Intelligence unit discovered large numbers of books of stamps were being sold cut-price on the internet. Money and stamps recovered at McGuire's home and in his work locker totalled £13,276. 

Contractor and supplier risks

There are numerous instances where suppliers and contractors have:

  • over-charged/under-provided for services
  • inflated their credentials and capacity in order to win work
  • failed to report a conflict of interest
  • misused or stolen assets 
  • operated in a cartel to fix prices.  

The whole purchase-to-pay process is complex, and each stage has its own risks. It is essential to have a clear understanding of the risks and the controls that can be applied to mitigate them.

Risk reduction

Each of the above examples had proportionate controls in place to prevent or reduce the likelihood of losses, but it is likely they were not applied to the depth and frequency necessary.  

Controls should be both preventative and detective, and staff must know how to apply them properly. Educating teams about what fraud looks like, how it can occur and who to report suspicions to is vital to boosting your fraud defences, as is embedding a robust anti-fraud and pro-security culture that extends to suppliers and contractors through policies, procedures and communications.

Related resources

Related resources include: