We explore the tactics that cyber criminals use and the on-the-ground impact of cyber threats for charities
Almost one in five (17%) charities felt they were either unlikely or very unlikely to experience a cyber attack in 2021, according to a report conducted by Charity Digital and the National Cyber Security Centre (NCSC).
The report found that the smaller the charity, the less likely it was to have a plan in place in the event of a cyber breach. Just a quarter of micro charities (organisations with a turnover of less than £10,000) said they had someone dedicated to looking after their cyber security, while 6% of the sector overall said no one was responsible for cyber security.
Cyber criminals know this. In 2019, more than 136,000 small and micro charities were registered in the UK, accounting for 82% of the sector. In 2022, there are likely to be more, plus the many smaller organisations not registered due to their size. These charities, whether they recognise it or not, deal with a lot of data, their resources are more limited, and they have less time to dedicate to overseeing cyber security.
But a cyber attack can happen to any charity, big or small. Cyber criminals don’t care about who they are targeting, but rather what they can gain. With all the data organisations have on hand, and with inconsistent cyber security approaches across the sector, charities have become an inviting prospect.
Below, we explore common tactics that cyber criminals use and highlight the impact that this can have on charities, from damaging their reputation to incurring large fines.
The first stage of any cyber attack is a cyber criminal gaining access to your systems and networks. There are many potential gateways that cyber criminals could make use of. Three common methods of access for cyber criminals include phishing, password hacking, and unpatched vulnerabilities.
The NCSC defines phishing as “when criminals use scam emails, text messages or phone calls to trick their victims” into visiting a website, downloading a virus onto their computer, or giving away their bank details or other personal information.
It’s important that charity staff are aware of what a phishing email might look like, so that they can identify and report it. They usually rely on five tactics - urgency, authority, emotion, scarcity, and current events.
So you might receive an email ostensibly from your CEO asking you to perform a task for them quickly, appealing to authority and urgency at the same time. Thinking you must act swiftly or face reprimand, you might click the link or reply to the email without checking its legitimacy or origin.
Passwords are often a root cause of cyber security attacks. Many passwords take as little as 30 seconds to crack – the most common still being 123456 – while many people tend to use the same one across multiple accounts, putting them all at risk.
There has also been a rise in ‘conversation hijacking’ cyber threats, where criminals pose as friends or colleagues to get someone to divulge their login credentials.
Once a cyber criminal has your password details, they can wreak havoc on your network, access your data, steal money, and even log you out of your own system.
Unpatched vulnerabilities occur when a charity fails to keep its software and hardware regularly updated. Software vendors regularly release updates to fix bugs and vulnerabilities in their applications and operating systems. It is recommended that everyone carries out the updates on time to prevent cyber attackers from using the vulnerabilities to breach their network.
Carrying out these updates is referred to as ‘patching’ - think of it as like fixing holes in a well-worn fence. It keeps cyber criminals out.
Password hacking and exploiting unpatched vulnerabilities are not usually targeted approaches by cyber criminals, which makes them all the more dangerous for charities.
Cyber criminals will exploit any weakness they encounter in any organisation, trying their luck on a huge volume of systems, regardless of size or type of organisation, until they gain access.
Once a cyber criminal has gained access, there are lots of different actions they can take with your data, money, and technology. All of them can be very damaging to your charity and how it operates. Here, we explore three of the most common actions that cyber criminals can undertake on your network.
Fake emails from your charity address could be responsible for spreading malware or conducting fraud and could damage your reputation. Donors need to be able to trust the communications from the organisations they support. But email spoofing makes it harder for them to do so, when cyber criminals make phony versions of your charity’s email address in order to target others.
It follows the usual phishing tactics of creating a sense of urgency and an emotional response, but it uses your email address – or something very near to it – to support their request. There were lots of high-profile accounts of fraud via spoofing websites and email addresses during the pandemic, with cyber criminals using the NHS to target people, knowing that it held the authority and urgency to spur recipients into clicking on their links.
Cyber criminals can extend the above tactics to spoofing your website or social media accounts. Your supporters may not notice subtle differences in what the real and the spoof sites look like and may unknowingly click a link to take them to a fraudulent site.
Criminals engaging in website spoofing, or design spoofing as it’s also known, will usually copy the website design and use a similar URL. The goal for cyber criminals is to lure supporters, partners, volunteers, and anyone else who engages with your site into sharing sensitive information, such as login credentials, security numbers, payment details, and so on.
Building regular checks into your cyber risk management plan can help to identify cases of spoofing. If you find that your website is spoofed, you can report it to the NCSC and they will investigate. It’s free to report a suspicious website and will only take a minute. You could also think about asking regular users of your website to report any spoofed sites they find via this route as well.
If you detect a spoofed site you will want to have it removed from the Internet; this is known as a ‘takedown’. To initiate this you would need to locate and contact the website hosting provider and follow its own takedown request process.
This can be a difficult and time-consuming task, especially if the provider is outside the UK’s jurisdiction, but most reputable hosting providers have a process. The NCSC has a helpful guide to prepare you for this activity, and also for how to engage with third-party companies that can carry out takedown-related services on your behalf.
The NCSC has plenty of tools to help protect your website in other ways too. You can use the Web Check, which was developed to check for vulnerabilities on your website. Organisations simply put URLs into the tool, and it will check for myriad issues relating to cyber security on your site. The tool enables increased confidence in using web-facing services, reduces the risk of spoofing and plenty of other costly cyber attacks.
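One way to put the “regular checks” for spoofed sites into practice is a small script that compares newly seen hostnames (from referrer logs, supporter reports or certificate-transparency feeds) against your real domain and flags likely lookalikes for review. This is an added example, not code from the article or the NCSC; the charity domain `mycharity.org.uk`, the candidate hostnames and the homoglyph table are all constructed, and the public-suffix handling is deliberately simplified.

```python
from difflib import SequenceMatcher

# Visual substitutions often seen in lookalike hostnames (constructed list, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
# Two-part UK suffixes so 'mycharity.org.uk' counts as one registrable name (simplified).
TWO_PART_SUFFIXES = {"org.uk", "co.uk", "gov.uk", "ac.uk"}

def normalise(label):
    """Fold common visual substitutions so 'rnycharity' compares equal to 'mycharity'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s

def split_host(hostname):
    """Return (brand_label, registrable_domain), e.g. ('mycharity', 'mycharity.org.uk')."""
    parts = hostname.lower().strip(".").split(".")
    n = 2 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 1
    if len(parts) <= n:
        return parts[0], ".".join(parts)
    return parts[-n - 1], ".".join(parts[-n - 1:])

def classify(real_host, candidate_host, threshold=0.8):
    """Return a reason string if candidate_host looks like a spoof of real_host, else None."""
    real_label, real_domain = split_host(real_host)
    cand_label, cand_domain = split_host(candidate_host)
    if cand_domain == real_domain:
        return None                      # same registrable domain: it is your own site
    if normalise(cand_label) == normalise(real_label):
        return "homoglyph-or-other-tld"  # e.g. rnycharity.org.uk or mycharity.com
    if real_label in candidate_host.lower():
        return "brand-in-subdomain"      # e.g. mycharity.org.uk.secure-donate.com
    if SequenceMatcher(None, normalise(real_label), normalise(cand_label)).ratio() >= threshold:
        return "near-miss-spelling"      # e.g. mycharlty.org.uk
    return None

def review_list(real_host, candidates):
    """Run classify() over a list of hostnames and return only the flagged ones with reasons."""
    flagged = {}
    for host in candidates:
        reason = classify(real_host, host)
        if reason:
            flagged[host] = reason
    return flagged

# Constructed sample input: hostnames a charity might see in logs or supporter reports.
SAMPLE = ["www.mycharity.org.uk", "rnycharity.org.uk",
          "mycharity.org.uk.secure-donate.com", "mycharlty.org.uk", "ncsc.gov.uk"]

if __name__ == "__main__":
    for host, why in review_list("mycharity.org.uk", SAMPLE).items():
        print(f"{host}: {why}")
```

Flagged hostnames still need a human look before reporting or requesting a takedown, since a legitimate partner or a charity’s own alternative domain can trip the same rules.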
Malware is the umbrella term for any malicious software that affects the way that computers and the programs they operate work. A common type of malware is ransomware, which allows cyber criminals to hack into your technology, encrypt your data, and ask for money to release it.
The way that a ransomware attack begins is attackers gaining access to your network, establishing control, and planting malicious encryption software. Once this is activated, attackers can lock your devices and cause data across your network to be encrypted, stopping you from being able to access it. The attacker will then send a notification explaining the ransom and how to send the payment to fix it. Payments are usually requested in cryptocurrency.
It is unadvisable to pay the ransom for many reasons, not least that your devices will still be infected with the malicious software that caused the problems in the first place. There is no guarantee you’ll regain access to your devices or data and you could also become a target again in the future if cyber criminals believe you’ll pay.
Be aware that ransomware attackers may publish your data if they don’t receive payment. Back up your data and take steps, such as anonymising it, to mitigate the fallout if your data is released.
The impact of a cyber breach can be deep and wide-ranging. It can cause short-term issues that need fixing quickly, like breakdown of technology, and long-term issues like loss of trust, financial damage, and much more.
Data breaches, depending on the severity, can even end up in the news, which adds an extra level of stress for all those involved. Staff may feel pressure to fix things quickly, beneficiaries may feel unsupported, and donors may lose faith in your mission.
Below are three ways a cyber attack can affect your charity.
Cyber attacks can be costly. They can steal credit card details, target your bank account directly, or hold your data and technology to ransom, extorting organisations for funds to return it. Charities could find themselves facing financial ruin, losing their reserves, or being unable to pay their staff without access to their payroll.
But that’s only the first stage of financial loss from a cyber breach. Organisations have been fined thousands of pounds in the past for failing to protect their data adequately after a cyber breach. In 2018, one charity was fined £100,000 by the Information Commissioner’s Office after cyber attackers gained access to the data of more than 400,000 supporters.
Then there’s the impact of a breach on a charity’s relationship with its supporters, both existing and potential. Large fines make the news which can discourage new supporters from trusting you with their money, while existing ones may be disappointed that their data was not adequately protected in the first place. As a result, fundraising could become a lot more difficult.
A high-profile cyber breach can threaten a charity’s brand, which takes years to build but only one mistake to damage. It makes fundraising difficult, leading potential donors to question a charity’s efficiency and trustworthiness. Yet trust is what a charity thrives on – without it, it can be difficult to motivate significant support.
If cyber criminals use spoofing tactics to defraud your audiences, there’s also a knock-on effect for the charity itself. Cyber criminals are relying on your audiences to trust your charity and its brand. If they click a link, trusting that it’s come from you, and then find themselves defrauded, they will be more careful with interactions with you in the future, perhaps avoiding them altogether. Emails go unread, appeals are ignored, and trust is undermined, perhaps even without a charity’s knowledge.
Financial loss and reputational damage can also have major repercussions on a charity’s ability to deliver services. Without funds to resource them, and a diminished ability to raise more due to a loss of supporters, charities can find themselves unable to support their beneficiaries, particularly as demand for them rises.
But cyber attacks can also stop services on their own if data is held to ransom or their IT system is compromised. What happens if your organisation can no longer access beneficiary databases? And can your services remain operational without access to technology?
A cyber attack can affect any organisation, but the impact on charities and, crucially, the communities they serve can be immense. It is vital that charities don’t simply think of cyber security as an afterthought, but rather embed it into the heart of their operations, because that is how far the consequences of a cyber attack can reach.