The National Cyber Security Centre has identified the key threats that cyber criminals pose to small charities. Here is a summary of its findings.
Cyber criminals are constantly on the lookout for new potential victims to target, and UK charities – particularly smaller charities – are extremely attractive to them, according to the National Cyber Security Centre (NCSC) Cyber Threat Assessment.
That’s because charities hold funds, but also because they usually store financial and commercial data and personal information about people such as donors and beneficiaries. All of this is highly valued by cyber criminals and other malicious actors, a fact which is not widely understood by many smaller charities, who do not see themselves as potential victims of cyber crime and therefore do not take action to mitigate these risks.
Many smaller charities therefore do not carry out threat assessments, because they do not regard spending money on cyber security measures as a priority.
But the impact of underinvestment in cyber security and a subsequent security breach can be high. It can include losing the ability to deliver charity services, either over a short period or for a more extended length of time, and a fall in the perceived integrity and reputation of the charity in question, and of the charity sector more generally.
The need for a cyber threat assessment and appropriate security measures has never been higher. The General Data Protection Regulation (GDPR) imposes a number of security requirements on organisations including charities; the levels of cyber crime are increasing every year; and charities are increasingly involved in online activities including service delivery, fundraising, and communications which involve the collection and storing of financial and other confidential data.
For all these reasons, it is very important that charities of all sizes are aware of the NCSC threat assessment and understand the cyber threats that they face.
The NCSC’s threat assessment concludes that charities face cyber attacks from a wide range of malicious actors: from highly professional cyber criminal gangs and organisations to small scale fraudsters and opportunists working alone.
Unfortunately, the barrier to entry to cyber crime is very low, because relatively unsophisticated would-be cyber criminals can rent or buy cyber crime tools such as exploit packs or ransomware kits which contain everything a criminal needs to launch their own cyber attacks and start collecting money.
The most common motivation for cyber criminals is financial gain. Cyber crime itself is attractive because of a very low perceived risk of getting caught or punished. Many cyber criminals operate from certain foreign countries where the authorities turn a blind eye to cyber crime attacks against organisations based in countries such as the UK.
The simplest form of financial gain is to steal funds directly from the charity’s bank accounts, usually by obtaining the charity’s online banking credentials (username and password).
But cyber criminals can also cash in through fraud techniques such as extortion (for example, holding data to ransom using ransomware) or data theft.
Data theft pays because personal data about a charity’s donors and other constituents can be sold online to other cyber criminals, who use it for their own fraudulent activities. Payment details such as credit card numbers are particularly valuable.
Extortion and ransomware
Charities are outward facing and trusting organisations by their very nature. But the uncomfortable truth is that this does leave them particularly vulnerable to many types of cyber crime.
The simplest form of extortion is a ransomware attack. Ransomware is a type of malware which silently encrypts a charity’s data so that it is unreadable, and then demands a ransom – usually payable in a cryptocurrency such as Bitcoin – for a key which can be used to decrypt the data.
Last year St John Ambulance was hit by a ransomware attack. The attack happened at 9:00 am on Tuesday 2 July and the issue was resolved within half an hour. The charity says that the ransomware attack did not affect its operational systems and is confident that data has not been shared outside of St John Ambulance. No customer passwords were stored in the affected database. However, the attack did mean that the charity was temporarily blocked from accessing the affected system.
There are a number of ways that ransomware can get onto a charity’s network. Cyber criminals often use phishing emails which purport to be from an organisation known to the charity, such as a bank or utility company, and which encourage the reader to click on a link, perhaps by claiming that some record needs to be updated. Clicking on the link results in the ransomware being downloaded and run.
Cyber criminals may also find a way to steal data, and then threaten to release it publicly unless some form of payment is made. Since charities often hold sensitive information about the people that they help, particularly medical records, this makes them particularly susceptible to this type of extortion.
Business email attacks
Business email attack (also called business email compromise, or BEC) is the name given to a type of cyber crime in which criminals impersonate someone within the charity and instruct another staff member to make a payment, typically to a supplier.
Usually this is done by gaining access to the email account of one of the charity’s leaders, such as the CEO, and then sending an email from that address to someone in the organisation who has the authority to make payments.
In fact, it may not even be necessary to gain access to the email system: it is relatively easy for a cyber criminal to send an email whose display name, or even sender address, appears to be that of someone like the CEO, especially where the charity’s domain does not enforce email authentication (SPF, DKIM and DMARC).
An alternative approach is to gain access to the email system and then search for the names of existing legitimate suppliers or recipients of grant payments from the charity. The cyber criminal then sends an email to the charity, apparently from that supplier or grantee, saying that the recipient’s bank details have changed to a new account number (belonging to the cyber criminal). Future payments are thus made to the cyber criminal’s account.
This is sometimes known as ‘mandate fraud’ or ‘invoice fraud’. In these cases, an employee is deceived into changing a regular payment mandate, such as a direct debit, standing order or bank transfer. Posing as an existing supplier, the scammer makes contact by email, letter or phone, asking for the direct debit, standing order or bank transfer instructions to be amended to their ‘new’ bank account. Last year a charity in Manchester reportedly sent a payment of almost £100,000 to an incorrect bank account following one of these attacks. The practical defence is procedural: any request to change payment details is confirmed by phone on a number already held on file, never one supplied in the request itself.
In cases where access to the charity’s email system is required, cyber criminals may use malware such as a keylogger, which records the keystrokes made on a keyboard, to capture usernames and passwords. The keylogger itself may have been installed after an employee clicked on a link in a phishing email.
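The signs described above (a leader’s display name on an outside address, a Reply-To pointing somewhere else, a domain one character away from the real one, a failed SPF/DKIM verdict, and “new bank details, pay today, don’t phone me” wording) can be checked mechanically before a finance officer ever sees the message. The script below is an added example, not code from the NCSC or from the article; the charity domain `example-charity.org`, the staff and supplier allow-lists and both sample messages are constructed for illustration.

```python
"""Triage checks for business email compromise (BEC) and mandate fraud.

Added example; not code from the NCSC assessment or the article. The charity
domain, the staff and supplier lists and the two sample messages are all
constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example-charity.org"                             # assumed charity domain
KNOWN_SENDER_DOMAINS = {OUR_DOMAIN, "trusted-supplier.co.uk"}  # assumed allow-list
KNOWN_STAFF = {"jane smith"}                                   # assumed: names worth impersonating

# Wording typical of CEO-fraud and mandate-fraud lures: new bank details,
# urgency, "pay today", "don't phone me".
LURE_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|sort code|iban)\b",
    r"\burgent(ly)?\b",
    r"\b(wire|transfer|payment)\b.{0,40}\btoday\b",
    r"\bdo not (call|phone|discuss)\b",
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a trusted domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return (code, detail) findings for one RFC 5322 message; [] means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply_addr)

    # 1. A known staff member's display name on an address outside our domain.
    if from_name.strip().lower() in KNOWN_STAFF and from_dom != OUR_DOMAIN:
        findings.append(("display-name-impersonation", from_addr))

    # 2. Replies silently routed to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", reply_addr))

    # 3. Sender domain within two edits of a domain we trust (e.g. examp1e- vs example-).
    if from_dom not in KNOWN_SENDER_DOMAINS:
        for known in KNOWN_SENDER_DOMAINS:
            if edit_distance(from_dom, known) <= 2:
                findings.append(("lookalike-domain", f"{from_dom} ~ {known}"))

    # 4. The receiving gateway's SPF/DKIM/DMARC verdict, if it recorded one.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for m in re.finditer(r"\b(spf|dkim|dmarc)=fail\b", auth):
        findings.append(("auth-fail", m.group(0)))

    # 5. Lure wording in the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    for pat in LURE_PATTERNS:
        for m in re.finditer(pat, body, re.IGNORECASE):
            findings.append(("lure-phrase", m.group(0)))
    return findings


# Constructed sample: a mandate-fraud lure spoofing the CEO from a look-alike domain.
FRAUD_MESSAGE = """\
From: "Jane Smith" <jane.smith@examp1e-charity.org>
Reply-To: <jane.smith.ceo@webmail-relay.example>
To: finance@example-charity.org
Subject: Supplier payment
Authentication-Results: mx.example-charity.org; spf=fail smtp.mailfrom=examp1e-charity.org
Content-Type: text/plain; charset=utf-8

Hi, our printing supplier has moved to a new bank account, details below.
Please amend the standing order and send the payment today, it is urgent.
I am in meetings all day so do not call, just confirm by email.
"""

# Constructed sample: an ordinary internal message that should pass clean.
LEGIT_MESSAGE = """\
From: "Jane Smith" <jane.smith@example-charity.org>
To: finance@example-charity.org
Subject: Trustee meeting
Content-Type: text/plain; charset=utf-8

The agenda for Thursday's trustee meeting is attached. Thanks, Jane.
"""

if __name__ == "__main__":
    for code, detail in triage(FRAUD_MESSAGE):
        print(f"{code:28} {detail}")
    print("legitimate message findings:", triage(LEGIT_MESSAGE))
```

Each check on its own produces false positives (a genuine supplier may really have changed bank), so the script only flags; the decision stays with the procedural call-back on a number already held on file. The checks are deliberately independent so that a message which defeats one (for example, a compromised real account passes SPF) is still caught by the others.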
Fake organisations and websites
Another way that cyber criminals make money is by setting up websites for charities that do not in reality exist, or by registering domain names that closely resemble those of real charities. The latter is sometimes known as ‘typo-squatting’ or ‘domain squatting’.
Often the cyber criminals do this in response to a particular disaster or emergency, so that people who want to donate to a disaster appeal mistakenly make a payment on the fake website.
Perhaps more sinisterly, cyber criminals also seek to cash in on some charities’ brand names by setting up fake websites which purport to belong to well-known charities, so that donors mistakenly make their donations on the fake site.
There have been many reports of this crime being perpetrated by fraudsters taking advantage of COVID-19 related charity appeals.
This type of cyber crime may not affect the charities directly, but it is likely to harm their fundraising because some people who intended to donate to their chosen charity will end up making a ‘donation’ to the cyber criminals instead.
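A charity cannot stop someone registering a look-alike domain, but it can notice when one appears. The script below is an added example, not code from the article or the NCSC: it generates the usual squat variants of a charity’s domain (dropped or repeated letters, swapped adjacent letters, digit look-alikes such as `1` for `l`, the hyphen removed, ‘donate’/‘appeal’ affixes, and other TLDs) and matches them against a feed of newly seen domain names. The charity domain `kind-care.org.uk` and the feed are constructed; in practice the feed would come from a certificate-transparency or zone-file source.

```python
"""Generate look-alike ('typo-squat') variants of a charity domain and match them
against newly seen domain names.

Added example; not from the article or the NCSC. The charity domain and the
NEW_DOMAINS feed are constructed for illustration.
"""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
AFFIXES = ("donate", "appeal", "support", "uk")
TLDS = ("org", "org.uk", "co.uk", "com", "charity", "net")


def lookalikes(domain):
    """Map each plausible squat of `domain` (e.g. 'kind-care.org.uk') to the reason it was generated."""
    label, _, _ = domain.partition(".")      # registrable label; everything after is the TLD
    variants = {}                            # label variant -> reason (first reason wins)

    def add(v, reason):
        if v and v != label:
            variants.setdefault(v, reason)

    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")                       # kin-care
        add(label[:i] + ch + label[i:], "repetition")                     # kindd-care
        if i + 1 < len(label):
            add(label[:i] + label[i + 1] + ch + label[i + 2:], "transposition")  # kidn-care
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")  # k1nd-care
    add(label.replace("-", ""), "hyphen-dropped")                         # kindcare
    for affix in AFFIXES:
        for v in (f"{affix}-{label}", f"{label}-{affix}", f"{affix}{label}", f"{label}{affix}"):
            add(v, "affix")                                               # donate-kind-care

    squats = {f"{v}.{tld}": reason for v, reason in variants.items() for tld in TLDS}
    for tld in TLDS:
        squats.setdefault(f"{label}.{tld}", "other-tld")                   # kind-care.charity
    squats.pop(domain, None)                                              # never flag ourselves
    return squats


def match_feed(domain, feed):
    """Return sorted (domain, reason) pairs for feed entries that squat on `domain`."""
    squats = lookalikes(domain)
    return sorted((d.lower(), squats[d.lower()]) for d in feed if d.lower() in squats)


CHARITY_DOMAIN = "kind-care.org.uk"   # assumed charity domain

# Constructed feed of newly observed domain names (in practice: CT logs or zone files).
NEW_DOMAINS = [
    "k1nd-care.org.uk",        # homoglyph: 1 for i
    "kindcare.org.uk",         # hyphen dropped
    "donate-kind-care.org",    # affix plus a different TLD
    "kind-care.charity",       # same label, other TLD
    "kidn-care.org.uk",        # adjacent letters swapped
    "oxfam-appeal.example",    # unrelated, must not match
    "kind-care.org.uk",        # the charity itself, must not match
]

if __name__ == "__main__":
    for squat, reason in match_feed(CHARITY_DOMAIN, NEW_DOMAINS):
        print(f"{squat:24} {reason}")
```

The generated set is small (a few hundred names for a short label), so it is cheap to check against a daily feed, and the same set is what a charity would hand to its registrar or to a takedown service. Unicode homoglyphs (Cyrillic ‘а’ for Latin ‘a’ in IDN domains) are a further class not covered here; the generator would need the IDN confusables table to include them.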
The biggest threat comes from cyber criminals who are motivated by financial gain, as described above. But there are other types of people who commit cyber crimes for their own reasons, and these include:
Nation state agents
Agents of nation states such as North Korea and Iran are believed to carry out cyber attacks for a number of reasons, including furthering their country’s political agenda and prosperity.
It is certainly the case that some UK-based charities have a role in helping to formulate and deliver UK domestic and foreign policies both here and overseas, so these agents may well believe that such charities are legitimate targets.
Hacktivists
A hacktivist is a malicious (or blackhat) hacker who is motivated by a specific cause or personal or political agenda, or someone who reacts to events or actions that they perceive as unjust.
In the past some hacktivists have defaced charity websites or launched distributed denial of service (DDoS) attacks against them, forcing them offline for a period of time.
In 2012, a hacktivist gained access to the website of a UK charity, defaced it and stole personal details. The charity subsequently received a substantial fine from the Information Commissioner’s Office for the breach.
Insiders
An insider is someone who works (or recently worked) at your charity or at a partner organisation closely linked to your charity.
Insiders can pass information such as logon credentials or email passwords to cyber criminals so that they can steal data, they can steal data themselves, or they can use their access to IT systems to commit fraud. (Half of all charity frauds are committed by people known to the charity, according to the Charity Commission’s head of fraud and cyber crime.)
Malicious insiders tend to be motivated by grievances (such as being passed up for promotion), personal convictions, or by inducements or threats applied by cyber criminals.
But not all insiders are malicious. Careless employees who use weak passwords, click on any link in an email they encounter or who download and install unauthorised software from the internet onto their work computers also pose a cyber security threat.
Terrorists
Although this is not considered to be a big threat, terrorists have been known to take over and deface websites. They also occasionally carry out ‘doxing’ attacks, which involve publishing personal details such as the address and phone number of organisations’ leaders.
This type of threat is only likely to be encountered by charities which deliver services which may be considered politically sensitive.
Indirect attacks from third parties and suppliers
Although your charity may take strenuous cyber security precautions, it may still be exposed by attacks on third-party organisations which are responsible for your charity’s IT setup, or on other companies, such as marketing partners, which have access to some or all of your data. For example, earlier this year more than 100 charities reported that their confidential data had been accessed by hackers as a result of a cyber attack on the cloud software company they used. The practical consequence is that supplier contracts should set out what data the supplier holds, how it is protected, and how quickly the charity will be told of a breach.
Don’t forget that you could also be vulnerable to attacks launched on projects linked to your charity, or to overseas branch offices of your charity which have less effective cyber security measures in place.