The National Cyber Security Centre, part of GCHQ, has published advice for charities on how they can protect themselves against cyber attacks such as fraud and extortion. It is based on a threat assessment on the sector.
This is the first threat assessment that the NCSC has carried out for the sector. It reveals how charities’ funds, supporter details and information on beneficiaries “is being targeted” according to the NCSC.
Not surprisingly, financial gain is a leading motivation for online criminals to target charities. A successful attack can have devastating consequences for a small charity in particular to continue delivering its services. For example, one UK charity lost £13,000 after its CEO’s emails were hacked to send a fraudulent message instructing their financial manager to release the funds.
The scale of cyber-attacks against charities is not clear, according to the assessment, due in part to under-reporting.
Why target charities?
Charities have been targeted by online criminals for many years. From the early days of digital payments, credit card thieves would often test out card payments first on a charity donation site, on the assumption that their security or fraud-prevention set-up were less sophisticated than those of commercial retailers.
Charities’ names have been used many times in phishing emails: while the charity won’t lose financially on such occasions it’s reputation can be tarnished by such attempts to impersonate a charity via e.g. a similar sounding email address to that of the charity.
Malware including ransomware is another common cybercrime tool, which can lead to blackmail until a payment is made.
Smaller charities in particular no doubt make a tempting target. Their investment in IT and training might be limited, and a culture of openness could make them vulnerable to fraud or extortion through data theft. Datasets containing personal details and financial information are attractive to criminals.
Alison Whitney, Director for Engagement at the NCSC, said: “Cyber attacks can be devastating both financially and reputationally, but many charities may not realise how vulnerable they are to the threat. That’s why we have created these quick and easy steps that will help charities protect themselves to protect their data, assets, and reputation.”
About the NCSC
The NCSC provides a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. GCHQ is the parent body for the Centre, meaning that it can draw on the organisation’s world-class skills and sensitive capabilities.
Who might target charities?
Cyber criminals with a financial motive are by far the largest cyber threat to charities according to the threat assessment. However, they are not the only people or groups who might target charities online.
An insider, such as a current or recent staff member of volunteer, can exploit their legitimate access to an organisation’s assets for unauthorised purposes. They can pass their credentials to other attackers or act against the charity themselves by, for example, stealing data.
Suppliers and third parties
Charities can face indirect attacks via suppliers and third parties. IT partners who run, maintain or secure a charity’s IT and data might be compromised, leading to fraud or extortion of the charity. Fundraising or marketing companies who handle charities’ donor data might be targeted, again with the same aim of misusing the personal data.
Sometimes UK-based charity systems can be accessed by penetrating a weaker link in the system, such as overseas arms, partners or projects in countries where the security set-up might be less stringent than in the UK.
Some states will target charities or NGOs whom they mistrust or who work with local partner organisations that carry out work that the state’s leaders object to. Others might see UK NGOs as an arm of UK domestic or foreign policy and treat them accordingly.
The NCSC does not consider the charity sector as a priority target for hacktivists – those pursuing personal or political agendas in supporting social or political change. Nevertheless, DDoS attacks can be used to disrupt websites, and some charity websites have been defaced by opponents or critics.
Helen Stephenson, Chief Executive of the Charity Commission for England and Wales, said: “The threat assessment confirms what we often see in our casework – unfortunately charities are not immune to fraud and cyber-crime, and there are factors that can sometimes increase their vulnerability such as a lack of digital expertise, limited resources and culture of trust.
“We fully endorse the National Cyber Security Centre’s guide on cyber security for charities. This will be a valuable resource to help charities protect their work, beneficiaries, funds and reputations from harm and we encourage charities of all sizes to make use of it.”
Five step guide for small charities
In addition to the assessment, the NCSC has published the Small Charity Guide to outline easy and low-cost steps to protect from attacks. It includes advice that is particularly useful for small organisations on five areas.
1. Backing up your data
Five things to consider when backing up your data
2. Protecting your organisation from malware
Free and easy-to-implement tips that can help prevent malware damaging your organisation
3. Keeping your smartphones (and tablets) safe
Quick tips that can help keep your mobile devices (and the information stored on them) secure
4. Using passwords to protect your data
Five things to keep in mind when using passwords
5. Avoiding phishing attacks
Steps to help you identify the most common phishing attacks
Mandy Johnson, CEO of the Small Charities Coalition, said: “The Small Charities Coalition welcomes this initiative by the National Cyber Security Centre. As a Coalition we are proactively encouraging small charities to make more use of digital technology, so the timing of this guidance is especially helpful.”
What should charities do?
If you believe that you or your charity has been the victim of online fraud, scams or extortion, the NCSC recommends you report it to Action Fraud, the UK’s national fraud and cyber crime reporting centre, and as a series incident to the Charity Commission.
It also encourages them to join its free Cyber Information Sharing Platform (CiSP) to exchange threat information in a secure and confidential environment.
You can download the NCSC’s:
- threat assessment report for the charity sector
- Small Charity Guide
- Cyber Aware Perceptions Gap Report
Get free email updates
Keep up to date with fundraising news, ideas and inspiration with a weekly or daily email. [Privacy]