Bookkeeper Steals $1.3M through PayPal: How to Keep your Nonprofit Safe

A Fort Worth woman was sentenced to 15 years in prison after admitting she stole $1.3 million from the Stockyards Rodeo over a three-year period.

D’Ann Elizabeth Wagner, who was a bookkeeper for the Fort Worth Stockyards Rodeo, used a PayPal account on the organization’s website that was linked to her personal information to commit this crime.

The account was used for online domestic and international ticket sales and was set up by Wagner. A debit card was issued by PayPal to manage the money received, which Wagner then put to personal use.


Many nonprofit organizations use PayPal to accept donations because it is easy and relatively inexpensive for low-volume organizations. However, you must set up the same safeguards that you would for a bank account.

My thoughts:

1) Do not associate the account with a personal e-mail address.

Associate it with one owned by the organization.  Even if someone doesn’t intend to embezzle, anything could happen to someone’s personal or home e-mail address if they do not practice good security at home.

If you change your PayPal account’s primary e-mail address, be sure to tell your web designer first. Otherwise, your payments will get stuck! Yes, I have been there, and it’s no fun at all.

2) Don’t share logins. Have more than one user for the account, but give minimum permissions.

Does your organization pass around one PayPal login and password? PayPal allows you to have multiple users, so grant your treasurer and other employees and volunteers different levels of access. As with Facebook Page access, give the minimum power needed. Be sure more than one person has access to the account for review and auditing purposes. You can let people have read-only access to the account, and copy people on the transactions’ e-mails, for example. Here is a PayPal help article about how to add users.

Educate all users on basic security measures such as not logging in to random sites (“Click here to log in” — don’t do it!). Ask that everyone read this article from PayPal (“How to Spot Fake, Fraudulent, Spoof or Phishing e-mails”) before you grant them account access. All of this information applies to your bank and credit card accounts as well.

3) Watch out for debit cards.

If you have a debit card on the PayPal account, as the rodeo did, and don’t have the resources to set up an audit trail, don’t use a debit card!

A few years ago, a bank debit card in the hands of a corrupt city administrator was almost the downfall of a small North Texas town.

4) Consider other options.

We often set nonprofits up with PayPal, but we can use another online merchant processor that offers a more seamless experience for the donor and is less likely to be abused. With such a processor, the funds can only be moved into the organization’s bank account and cannot be used to pay for things. But you can safely use PayPal if you take necessary precautions such as not sharing passwords and having other people look at the account history. You must use these precautions no matter which payment processing company you choose.

One more tip I received from a CPA: Go to your bank and disable international wire transfers. Maybe even disable wire transfers altogether. This will also keep your organization safer from external scammers.

Don’t let this scare you out of accepting donations online. After all, you want to make it EASY for people to give you money!  You can make it easy for supporters to give you money, without making it easy for people to steal.  You just need to expect the best and prepare for the worst.