Phishing: is your charity next?

21 May 2018

All organisations have a tough challenge keeping up to date with cyber security risks, but charities are likely to suffer greater damage to their reputation if they fall victim to fraudulent activity and are less likely to have funds at their disposal to invest in methods of limiting their exposure.

Last November The Charity Commission issued another alert, the second within a few months, highlighting ways that charities can limit their exposure to cybercrime; this time the Commission was particularly concerned about the level of ‘phishing’ seen by charities.

Phishing is when fraudsters attempt to trick users into handing over sensitive information such as usernames, passwords and credit card details. The scam is normally carried out through electronic communication: by email, pop-up message, phone call or text message.

Measures that can help reduce the risk of phishing include making sure that anti-virus protection is kept up to date and that software updates are installed as soon as possible. ‘Anti-spyware’ software can also be installed to help identify keystroke logging.

The most common phishing attack occurs when someone clicks on a link or opens an attachment received in an unsolicited email or SMS message. In this situation fraudsters create a ‘spoof’ email address to make the message look as if it comes from a trusted source. If a recipient is unsure about an email, it is always best to check the email header to identify the true source of the communication: hovering the mouse over the displayed email address reveals the true address as a pop-up message.
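The header check described above can also be automated on the receiving side. The following is an added example written for this article, not code from Alliotts or the Charity Commission: it parses a constructed sample message, compares the address shown to the reader with the addresses that actually route the mail (From, Reply-To and Return-Path), and flags the mismatches that typically indicate a spoofed sender. All domain names in the sample are placeholders, and the set of "trusted" domains is an assumption a charity would replace with its own.

```python
"""Added example: inspecting e-mail headers for signs of a spoofed sender.

Illustrative code for this article, not a tool from Alliotts or the
Charity Commission. The sample message and all domains are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name claims to be the charity's own finance
# team, but the mailbox sits on a look-alike domain and bounces go elsewhere.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
From: "Finance Team - Example Charity" <finance@example-charity-support.com>
Reply-To: <payments@example-charity-support.com>
To: treasurer@example-charity.org
Subject: Urgent: updated bank details for this month's payment
Content-Type: text/plain; charset="utf-8"

Please update the payee details before Friday.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if none."""
    _, addr = parseaddr(address or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_sender(raw_message: str, trusted_domains: set[str]) -> dict:
    """Compare what a mail client displays with the headers that actually
    route the message and report anything that does not line up."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(msg.get("Reply-To", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))

    findings = []
    if from_domain not in trusted_domains:
        findings.append(f"sender domain {from_domain!r} is not a known domain")
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    if return_domain and return_domain != from_domain:
        findings.append(
            f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")
    # A display name that names a trusted organisation while the address
    # sits on another domain is the classic 'spoof' pattern.
    for trusted in trusted_domains:
        org = trusted.split(".")[0].replace("-", " ")
        if org and org in display_name.lower() and from_domain != trusted:
            findings.append(
                f"display name {display_name!r} mimics {trusted!r} but address is on {from_domain!r}")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "return_path_domain": return_domain,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Assumed trusted domain: the charity's own mail domain in the sample.
    report = analyse_sender(SAMPLE_EMAIL, {"example-charity.org"})
    print("suspicious:", report["suspicious"])
    for line in report["findings"]:
        print("-", line)
```

Run on the sample, the check reports three findings: an unknown sender domain, a Return-Path on a different domain, and a display name that imitates the charity while the address does not belong to it. A message genuinely sent from the charity's own domain, with no conflicting Reply-To or Return-Path, produces no findings.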

It is important to make regular backups of important files to an external hard drive, memory stick or online storage provider, but once the backup is made, the backup device should be disconnected from the charity’s computers, as a ‘malware’ infection could otherwise spread to the backup device too.

Recently the Alliotts fraud prevention team have seen an increase in ‘spear phishing’, a more targeted version of phishing in which the fraudster singles out a specific individual or organisation. It normally follows a period of social engineering (more in-depth research into the individual or organisation using data gathered from social media such as Twitter, Facebook and LinkedIn, as well as Google searches), by which point the fraudster has gained enough information about their target to create a convincing email or letter soliciting money or information.

Social media is a useful tool for fundraising and increasing publicity for a cause, but charities need to be aware of what information is being posted publicly about individuals connected to the organisation and ask themselves whether it is all necessary, or, whether this information should be restricted to certain users, such as registered supporters.

Unfortunately it is not difficult for charities to fall victim to these types of frauds and some have lost large sums and have had to make serious incident reports to the Charity Commission and explain to key funders what went wrong.

Alliotts have a team of certified fraud examiners who advise charities on how to prevent phishing in the first place, as well as performing fraud health checks for charities.

By Jonathan Graham & Steve Meredith
