Know your enemy: The NCSC cyber threat assessment for small charities

Who might target the charity sector?

The NCSC’s threat assessment concludes that charities face cyber attacks from a wide range of malicious actors: from highly professional cyber criminal gangs and organisations to small scale fraudsters and opportunists working alone.

Unfortunately, the barrier to entry to cyber crime is very low, because relatively unsophisticated would-be cyber criminals can rent or buy cyber crime tools such as exploit packs or ransomware kits which contain everything a criminal needs to launch their own cyber attacks and start collecting money.

Motivation

The most common motivation for cyber criminals is financial gain. Cyber crime itself is attractive because of a very low perceived risk of getting caught or punished. Many cyber criminals operate from certain foreign countries where the authorities turn a blind eye to cyber crime attacks against organisations based in countries such as the UK.

The simplest form of financial gain is simply to steal funds from charities’ bank accounts, often by accessing the charity’s logon credentials such as user name and password.

But cyber criminals can also cash in by using various fraud techniques, such as extortion (for example by holding data to ransom using ransomware) or data theft.

This latter method can be effective because when cyber criminals steal personal data about charities’ donors and other constituents. This is often be sold online to other cyber criminals who use it for their own fraudulent activities. Payment details such as credit card numbers can be particularly valuable to cyber criminals.

Modes of attack

Extortion and ransomware

Charities are outward facing and trusting organisations by their very nature. But the uncomfortable truth is that this does leave them particularly vulnerable to many types of cyber crime.

The simplest form of extortion is a ransomware attack. Ransomware is a type of malware which silently encrypts a charity’s data so that it is unreadable, and then demands a ransom – usually payable in a cryptocurrency such as Bitcoin – for a key which can be used to decrypt the data.

Last year St John Ambulance was hit by a ransomware attack. The attack happened at 9:00 am on Tuesday 2 July and the issue was resolved within half an hour. The charity says that the ransomware attack did not affect its operational systems and is confident that data has not been shared outside of St John’s Ambulance. No customer passwords were stored in the affected database. However, the attack did mean that the charity was temporarily blocked from accessing the affected system.

There are a number of ways that ransomware can get onto a charity’s network. Cybercriminals often use phishing emails which purport to be from somewhere known to the charity such as a bank or utility company, and these emails encourage the reader to click on a link – perhaps by claiming that some record needs to be updated. Clicking on the link results on the ransomware being downloaded.

Cyber criminals may also find a way to steal data, and then threaten to release it publicly unless some form of payment is made. Since charities often hold sensitive information about the people that they help, particularly medical records, this makes them particularly susceptible to this type of extortion.


Business email attacks

Business email attack is the name given to a particular type of cyber crime which involves the criminals impersonating someone within the charity, and then telling another staff member to make a payment to a supplier.

Usually this is done by gaining access to the email account of one of the charity leaders such as the CEO, and then sending an email from this email address to someone in the organisation who has the authority to make payments.

In fact, it may not even be necessary to gain access to the email system, as it is relatively easy for a cyber criminal to send an email which appears to come from someone like the CEO.

An alternative approach is to gain access to the email system and then search for the names of existing legitimate suppliers or recipients of grant payments from the charity. The cyber criminal then sends an email to the charity saying that the recipient’s bank details have changed to a new account number (belong to the cyber criminal). Future payments are thus made to the cyber criminal’s account.

This is sometimes known as ’Mandate Fraud’ or ’Invoice Fraud’. In these cases, an employee is deceived into changing a regular payment mandate, such as a direct debit, standing order or bank transfer. Disguised as an existing supplier, the scammer makes contact by email, letter or phone, asking for the direct debit, standing order or bank transfer instructions to be amended to their ’new’ bank account. Last year a charity in Manchester reportedly sent a payment of almost £100,000 to an incorrect bank account following one of these attacks.

In cases where access to the charity email system is required, cyber criminals may use malware such as a keylogger, which records the keystrokes made on a keyboard, to discover usernames and passwords. The keylogger itself may have been downloaded after an employee clicked on a link in a phishing email.

Fake organisations and websites

Another way that cyber criminals can make money is by setting up fake websites that purport to belong to charities that does not in reality exist. This is sometimes known as ‘typo-squatting’ or ‘domain squatting’.

Often the cyber criminals will do this in response to a particular disaster or emergency, so that people who want to make a donation to a disaster appeal mistakenly make a payment on the fake website.

Perhaps more sinisterly, cyber criminals also seek to cash in on some charities’ brand names by setting up fake websites which purport to belong to well-known charities, so that donors mistakenly make their donations on the fake site.

There have been a wide number of reports of this crime being perpetrated by fraudsters taking advantage of COVID-19 related charity appeals.

This type of cyber crime may not affect the charities directly, but it is likely that it harms their fundraising activities because some people who intended to make donations to their chosen charity will end up making a "donation" to the cyber criminals instead.

Who is committing these cyber crimes?

The biggest threat comes from cyber criminals who are motivated by financial gain, as described above. But there are other types of people who commit cyber crimes for their own reasons, and these include:

Nation state agents

Agents of nation states such as North Korea and Iran are believed to carry out cyber crimes for a number of reasons including to further their country’s political agenda and prosperity.

It is certainly the case that some UK-based charities have a role in helping to formulate and deliver UK domestic and foreign policies both here and overseas, so these agents may well believe that such charities are legitimate targets.

Hacktivists

A hacktivist is a malicious (or blackhat) hacker who is motivated by a specific cause, personal or political agenda, or someone who reacts to events or actions that they perceive as unjust.

In the past some hacktivists have defaced charity websites or launched distributed denial of service (DDoS) attacks against them, forcing them offline for a period of time.

In 2012, a hacktivist gained access to the website of a UK charity, defacing it and stealing personal details. The charity received a substantial fine from the Information Commissioner for the breach.

Insiders

An insider is someone who works (or recently worked) at your charity or a partner organisation closely linked to your charity.

Insiders can pass information such as log on credentials or email passwords to cyber criminals so that they can steal data, they can steal data themselves, or they can use their access to IT systems to commit fraud. (Half of all charity frauds are committed by people known to the charity, according to the Charity Commission’s head of fraud and cyber crime.)

Malicious insiders tend to be motivated by grievances (such as being passed up for promotion), personal convictions, or by inducements or threats applied by cyber criminals.

But not all insiders are malicious. Careless employees who use weak passwords, click on any link in an email they encounter or who download and install unauthorised software from the internet onto their work computers also pose a cyber security threat.

Terrorists

Although this is not considered to be a big threat, terrorists have been known to take over and deface websites. They also occasionally carry out "doxing" attacks, which involve publishing personal details such as the address and phone number of organisations’ leaders.

This type of threat is only likely to be encountered by charities which deliver services which may be considered politically sensitive.

Indirect attacks from third parties and suppliers

Although your charity may take strenuous cyber security precautions, it may still be vulnerable to attacks launched on third party organisations which may be responsible for your charity’s IT setup, or other companies such as marketing partners which have access to some or all of your data. For example, earlier this year more than 100 charities have reported that their confidential data had been accessed by hackers as a result of a cyber attack on their cloud software company.

Don’t forget that you could also be vulnerable to attacks launched on projects linked to your charity, or to overseas branch offices of your charity which have less effective cyber security measures in place.