We share some important tips for charities to avoid falling victim to potentially devastating and convincing email fraud.
One in five charities were targeted by online criminals in the last year, according to government figures. Fraudsters specifically target charities, according to Professor Mark Button, a counter-fraud expert at the University of Plymouth, because staff and volunteers often receive less online security training than employees in for-profit organisations. In the overwhelming majority of cases, criminals attempt to defraud charities using a technique known as phishing.
What is phishing?
It involves scammers sending out fraudulent emails, often purporting to be from reputable companies or individuals, or setting up fake websites which are designed to look like genuine ones.
A typical phishing email - which could be sent out to millions of email addresses - may appear to come from a bank, warning the recipient that their account has been "suspended" for security reasons, and that the account has to be "verified". To do this they are encouraged to click on a link, which goes to a fake version of the bank’s web site. If the recipient enters their account username and password, the criminals will then be able to use those credentials at the genuine bank site to steal the victim’s money. Clicking on the link may also trigger a virus or other malware to be installed on the victim’s computer, enabling the criminals to steal credit card information, passwords to more accounts, or other valuable information.
Spearphishing is a more sinister variant of phishing. In a spearphishing attack the criminals target a specific individual, and the fraudulent email will be tailored to that person. For example, a spearphishing email may be sent to the finance director of an organisation, and purport to come from the chief executive using his or her name. The email may say that an urgent payment needs to be made to a specific account within the hour, and may be timed to coincide with the chief executive’s holiday to make it hard for the finance director to check that the email is genuine. The Charity Commission recently warned of scammers sending ‘requests to your finance department or staff with authority to transfer funds’ which claim to be from a charity’s CEO but are actually from a spoofed email address.
The results of a phishing attack can be catastrophic, but here are some tips to help spot fraudulent emails and websites and avoid becoming a victim: