The headlines can be shocking––“Nonprofit Embezzled by Trusted Employee”––and the dollar amounts staggering. For instance, $375,000 was allegedly embezzled recently from the nonprofit Sonoma County Farm Bureau by a staff member, according to an ongoing investigation by the Sonoma County Sheriff’s Office. So why are nonprofit organizations sometimes ripe for embezzlement more than other types of businesses?
Fraud can happen in every kind of industry and company, but nonprofits tend to be somewhat more vulnerable to theft. According to a report released in 2024 by the Association of Certified Fraud Examiners (ACFE), 10% of all occupational fraud cases nationally were among nonprofits, and the median loss from those thefts was approximately $76,000. Average losses can go significantly higher, it added.
More than half of occupational thefts happen because of a lack of internal controls, the ACFE points out, or when existing internal controls are shrugged off.“ All nonprofits should have internal controls to ensure the financial security of the organization,” says Daryl Reese, founding attorney with the Daryl Reese Law Group in Santa Rosa, which specializes in representing nonprofit organizations. “With a lack of internal controls, an employee in a nonprofit may end up in a situation where they justify stealing, say, $100. Even though that’s just plain wrong, they may be tempted to get away with a small theft if they’ve figured out the organization is an easy target.”
For-profit businesses generally operate with more robust financial oversight, while nonprofits may be more focused at times on their mission. This can lead to a more relaxed environment regarding finances, causing irregularities in the books to go unnoticed and the losses adding up over time.
The ACFE, which operates several chapters in California, says up to 43% of occupational fraud cases are the result of a tipster coming forward to report their suspicions. In addition, the organization’s “Occupational Fraud 2025” study showed that 84% of all fraudsters had at least one behavioral red flag. One such behavior is being possessive of the financial information of the organization. Other possible signs of embezzlement can be missing cash, missing financial documents, vendors saying they weren’t paid and customers saying they already paid their bills.
Local cases in the headlines
A high-profile embezzlement case currently in the news involves the Sonoma County Farm Bureau and the Farm Bureau Foundation of Sonoma County, which was allegedly defrauded by a member of a trusted family who had guided the organization for decades. The alleged theft of $375,000 by Samantha Piehoff led to charges of “suspicion of forgery, grand theft and obtaining money under false pretenses.” She was arrested in mid-October after being fired from the organization. The case is still under investigation.
In 2023, a longtime employee of the now-defunct Social Advocates for Youth (SAY) was sentenced to three years’ probation and four months in the county jail for defrauding the nonprofit to the tune of $53,000. Lisa Fatu, the former director of youth crisis services for the nonprofit, had worked there for 20 years. Authorities at the time said the losses could reach more than $70,000, embezzled over a span of nearly five years. In addition to her sentence, she was also ordered to pay $50,000 in restitution to the organization. SAY, which served homeless and at-risk youth, declared bankruptcy and closed permanently in 2024.
In Sonoma in 2018, the former executive director of the nonprofit Finnish American Home Association, Daniel Broin, was found guilty of grand theft for stealing more than $100,000 from the organization that provides affordable housing to seniors in two facilities.
These are just three examples of North Bay cases that grabbed headlines in recent years and shined a spotlight on the vulnerabilities of nonprofits to theft by employees.
File charges––or not?
Reporting an embezzlement to authorities can be fraught with complications, says Reese. “Maybe the nonprofit doesn’t want to sue someone because it can cost a lot, but it’s also possible their insurance carrier won’t file a claim without a police report.” In the case of his own clients, he says, it would depend on if they are looking to get their money back or send someone to jail.
“There are two ways to hold a suspected embezzler accountable––by filing criminal charges, because it’s a crime against society, or to sue them in civil court. In that case, the organization is bringing a lawsuit for ‘conversion,’ as in the embezzler converted the organization’s assets into their own. The downside of civil complaints is they tend to take a long time to resolve.”
If the nonprofit has government funding, that adds another layer of complexity, because state and federal law enforcement may need to get involved, says Reese.
Some organizations might want to avoid reporting the theft altogether because they are embarrassed. “Because as soon as word gets out, it could cause a major funder to become cautious and choose to not write that next big check. Suppose you run a $5 million organization and the embezzler stole $200,000, but you have a fundraising campaign coming up. Do you put all the people you serve at risk for publishing that you were embezzled?”
Reese is currently working on an embezzlement case for a nonprofit client outside of the North Bay. “We’ve started walking down the road to move ahead with a case. The organization brought in a forensic accountant to see what they could actually assert, then we went to law enforcement. If a nonprofit comes to me with a serious theft involving a large amount of money, I will want to report it and then the organization can decide if they want to go to the district attorney to press charges. But it’s never as simple as, ‘Hey, this person stole from us’ and then the police show up at that person’s door.”
If you’re a business owner and very cautious, nobody has access to assets such as a checking account besides yourself and perhaps a spouse, says Reese in describing his own situation. “In a nonprofit there can be the person who balances the accounts and has access, but is that the same person who is also writing the checks? In some cases, embezzlement is the result of unfortunate management. But I’ve seen some small nonprofits with internal controls and structures that are very protective.”
Cybersecurity concerns
While isolated incidents of financial fraud do occur, they represent a very small fraction of nonprofit activity nationwide, according to Linda Jacobs, CEO of the North Bay-based Center for Volunteer & Nonprofit Leadership (CVNL). “Nonprofits are among the most regulated types of organizations in the U.S., subject to Internal Revenue Service oversight, annual financial reporting, public disclosure requirements and state-level review. The vast majority operate with high integrity and transparency.”
Still, Jacobs adds, nonprofits can face certain vulnerabilities when it comes to fraud and embezzlement, often due to limited staff capacity, a culture of trust, and the need to prioritize mission-related work over administrative infrastructure. “As an organization that supports and strengthens nonprofits across the North Bay, CVNL emphasizes the importance of strong internal controls, board oversight and clear policies to reduce these risks.”
The Center for Volunteer & Nonprofit Leadership provides training and consulting on financial oversight, nonprofit board governance and risk management. “While we do not currently offer a workshop dedicated solely to fraud and embezzlement prevention, these topics are addressed in our governance sessions and in some of our other programs,” says Jacobs.
What CVNL is seeing far more frequently is an increase in cybersecurity threats and online attacks, says Katelyn Willoughby, its marketing and communications director. “These incidents highlight how vulnerable nonprofits can be when operating with limited IT budgets, small teams and aging or under-resourced systems.”
Because of this, she says, digital security has become a growing focus in CVNL’s internal operations and in the conversations it has with the nonprofits it supports. “Strengthening cybersecurity is no longer just an IT issue––it’s a communications, operational and organizational-resilience issue for the entire sector.”
Educating the boards
For attorney Reese, it’s vitally important for the boards of directors of nonprofits to perform their role as if they were running a corporation. “They must approach it that way, and not only because they are passionate about the cause they are supporting. That’s admirable, of course, but if you have a board that doesn’t recognize it is governing and making decisions for a corporation with assets and responsibilities, that can be a problem.”
When talking to his nonprofit clients, he makes the boards understand that their duty is to support and allow the staff to lead the organization. “But sometimes I believe the board doesn’t have a grasp of what they are actually in charge of. I’ve been in situations where even seasoned executives and business owners on a board don’t fully get their role as the controlling body of the organization. For me, it comes down to getting the board well-equipped and then train them to run the organization like a corporation.”
Embezzlement isn’t a regular issue faced by nonprofits, says Reese, but he frequently sees possible exposure. “My job is to provide legal services but also legal information, and to make certain my nonprofit clients are always thinking about what they should be doing.”