By Gill Thomas
In addition to holding funds, charities store personal, financial, and commercial data. They are often perceived as “soft targets” by cybercriminals and, as a result, face many online risks. Surveys conducted within the sector typically note a lack of specialist technical staff, as well as problems with both recruitment and retention, which would suggest charities are less prepared for, and more vulnerable to, cyberattacks than their for-profit counterparts. But they do owe a duty of care to safeguard the personal information of their donors and the vulnerable people and causes they support.
With charities often reliant on donations, grants, and goodwill, the focus is on maximising the impact they have on the causes for which they stand. By minimising administration, staff, and IT costs, more money can go towards their charitable mission, and through transparent reporting donors are able to see how much of their donation goes directly to frontline services and how much is spent on back-office administration. It is therefore in the charity’s interest to keep these indirect costs to a minimum to appease their donor community.
There are many reasons why specific charities may be targeted for cyberattacks; depending on the causes they support, this could include attacks by nation states, hacktivists, insiders, and terrorists. Attacks may be direct, indirect via suppliers and third parties, or come in via branches and projects overseas where the security culture may be less stringent. Attacks often take the form of:
- Ransomware and Extortion – initiated via phishing emails and links to compromised websites.
- Business Email Compromise (BEC) Attacks – initiated via email domain spoofing, requesting money transfers to illegitimate bank accounts.
- Fake Organisations and Websites – initiated via the creation of fake organisations and websites often in the immediate aftermath of a disaster or global event.
These attacks can negatively impact the charity by diverting funds, stealing data for onward sale, and attracting bad publicity.
As part of an international effort, the Fraud Advisory Panel and the Charity Commission for England and Wales held their annual Charity Fraud Awareness Week this week, highlighting different risks faced by charities each day. Advice and information is available via the Charity Fraud Awareness Hub and has been trending all week under #CharityFraudOut.
Earlier this year, the Charity Commission conducted the largest survey ever undertaken into fraud and cybercrime among the UK charity sector. The report published this week, Preventing Charity Cybercrime: Insights and Action, October 2019, found that:
- 58% of charities think cybercrime is a major risk to the charity sector.
- 22% believe cybercrime is a greater risk to the charity sector than other sectors.
- Phishing and malicious emails are the most common attack vector.
The full report, alongside Preventing Charity Fraud: Insights and Action, is available to download here.
Charities are a force for good, but unfortunately they remain a target for cybercriminals. The Global Cyber Alliance applauds the great work of the Fraud Advisory Panel and the Charity Commission during Charity Fraud Awareness Week, which brings an annual focus to the many risks faced by charities throughout the year.