We share everything charities need to know about phishing attacks and how they can improve their cyber security
One of the most common methods of cyber attacks for charities is phishing. Phishing refers to fraudulent messages used to trick recipients into providing valuable information, such as bank details.
While phishing usually refers to email scams, there are variations that use similar tactics but through different channels. Scam messages can be sent via text, messaging apps like WhatsApp, phone or voice message, or any other channel.
As the Cyber Threat Report: UK Charity Sector points out: “The outward facing nature of charities, culture of trust in the sector, reliance on volunteers, staff members using personal IT, and reluctance to spend limited funding on cyber security training and measures could make them particularly vulnerable to criminality.”
Of the charities who experienced a cyber breach or threat between 2022 and 2023, 85% said they had identified a phishing attack. While more than half of large charities (with an income of £500,000 or more) reported experiencing a cyber breach or attack, organisations of any size can suffer a cyber breach, potentially resulting in financial damage and a halt to services. Phishing, as a common method of attack, is important to watch out for.
In this article, we will explore the definitions of phishing, the warning signs you might notice, and how charities can respond if they are targeted via email.
As defined by the National Cyber Security Centre (NCSC), a phishing attack is when cyber criminals send fake emails to people asking them to click on a link to a fake website, which may steal personal information, or install malware.
This information can be used by cyber attackers to gain access to bank details, sensitive databases, or devices, allowing them to hijack your operations or your money. In short, phishing attacks, when they work, often result in cyber-facilitated fraud.
According to the NCSC, cyber-facilitated fraud is “deception to make a gain, or cause a loss, in relation to money, services, property or goods, which uses data or access obtained through phishing attacks”.
For example, if a phishing attack asks you to enter your password (perhaps faking a request from a colleague), cyber criminals may then use this password to try to access every account you use, because they already know the email address you are likely to have registered with (hence why you should refrain from reusing the same password on multiple accounts).
If they gain access to your email account, they can exploit your network and contacts and set up a forwarding address to redirect the responses. The first step, however, is getting those details from you in the first place.
Phishing attacks are often not targeted to a specific charity, but the messages are designed to be persuasive and realistic. More targeted information (such as the name of your Chief Executive or a spoofed email address) may be used to add false legitimacy to an email. This more targeted approach is sometimes known as ‘spear phishing’.
Below, we share the signs charities can look out for in order to spot phishing messages and explore in more detail the tactics commonly used.
It used to be easier to spot scams. They might contain bad spelling or grammar, come from an unusual email address, or feature imagery or design that feels ‘off’. But scams are getting smarter and some even fool the experts.
Signs of phishing to look out for include:
While these signs are useful, they are not infallible. People are still likely to click on phishing messages, even in the most vigilant of workplaces. Therefore, it is important that charities foster a positive culture around reporting cyber security issues.
Charity IT teams and leadership should encourage employees to ask for help and report if they suspect they may have clicked on or spotted a phishing email.
If a breach has occurred via phishing, it is important that charities are able to take steps as soon as possible to scan for malware and change passwords to protect against any negative consequences from the attack.
Check out the following guidance from the NCSC, which provides actions to take after a hack: ‘How to recover an infected device’ and ‘Recovering a hacked account’.
As stated above, encouraging a culture of reporting is a significant part of strengthening an organisation’s cyber security.
If employees receive an email which they are not sure about, encourage them to forward it to the Suspicious Email Reporting Service (SERS) from the NCSC using report@phishing.gov.uk. If they have doubts about a message, but think it could be legitimate, they should contact the organisation directly. Don’t use the numbers or address in the message – use the details from their official website.
Make use of the free cyber security resources available on the NCSC’s website and share them widely across the organisation. You can find charity-specific information on cyber security best practice, such as the Small Charity Guide and the Cyber Threat Report: UK Charity Sector. There are helpful videos, articles, and tools to help charities strengthen their cyber security and protect against common cyber threats, including phishing.
Charities can also access a free tailored Action Plan for their cyber security as part of the NCSC’s Cyber Aware programme, and check out the security of their email and web browser with its Check Cyber Security service.
Charities can reinforce their cyber security knowledge with tools and technology that protect against breaches.
As well as antivirus software and other resources (many of which are available on the Charity Digital Exchange at a discount for charities), there are lots of free cyber security tools that charities can make use of from the NCSC.
Mail Check, for example, helps charities understand their email configuration and make it more secure using ‘anti-spoofing controls’, so criminals can’t send emails purporting to come from their organisation.
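A check in the spirit of Mail Check, written as an added example for this article (it is not NCSC code): it assumes the ‘anti-spoofing controls’ in question are the SPF and DMARC DNS TXT records a domain publishes, and it reads constructed sample records rather than querying DNS, so it runs offline.

```python
# Added example: grade a domain's SPF and DMARC records to see whether they
# would actually stop a message that purports to come from the charity.
# Sample records below are constructed, not taken from any real domain.
import re

WEAK_SPF = "v=spf1 include:_spf.example.net +all"          # constructed
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"  # constructed
STRONG_SPF = "v=spf1 include:_spf.example.net -all"        # constructed
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"  # constructed

ALL_TERM = re.compile(r"^([+\-~?]?)all$")


def parse_spf(txt):
    """Return (ok, reason): does the SPF record fail unlisted senders?"""
    if not txt.startswith("v=spf1"):
        return False, "not an SPF record"
    match = next((ALL_TERM.match(t) for t in txt.split()[1:] if ALL_TERM.match(t)), None)
    if match is None:
        return False, "no 'all' mechanism: unlisted senders are treated as neutral"
    qualifier = match.group(1) or "+"  # a bare 'all' means pass
    if qualifier == "-":
        return True, "hard fail (-all): unlisted senders are rejected"
    if qualifier == "~":
        return True, "soft fail (~all): relies on DMARC to act on the result"
    return False, f"'{qualifier}all' lets any server send as this domain"


def parse_dmarc(txt):
    """Return (ok, reason): does the DMARC policy act on spoofed mail?"""
    if not txt.startswith("v=DMARC1"):
        return False, "not a DMARC record"
    tags = dict((k.strip(), v.strip()) for k, v in
                (t.split("=", 1) for t in txt.split(";") if "=" in t))
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return False, "p=none only monitors; spoofed mail is still delivered"
    if pct < 100:
        return False, f"p={policy} is applied to only {pct}% of failing mail"
    return True, f"p={policy}: receivers are told to {policy} spoofed mail"


def assess(spf_txt, dmarc_txt):
    """Combine both checks; 'protected' is True only when both records act."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc, "protected": spf[0] and dmarc[0]}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc))
```

Run against the two constructed pairs, the weak set (an SPF record ending in +all and a monitor-only DMARC policy) is reported as unprotected and the strong set as protected.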
Exercise in a Box is a free online tool from the NCSC that can help your charity test and practise its response to a cyber attack. The ‘Identifying and reporting a phishing email’ micro-exercise takes just 15 minutes to complete and requires no technical knowledge.
You can access Exercise in a Box, and many other tools, on the NCSC website.