Is your charity protected from cybercrime?

The Charity Commission has recently produced revised guidance on how trustees can protect their charity from cybercrime. This is because crimes committed using computers or the internet pose a growing threat to charitable organisations, with risks to sensitive data, funds, and reputation. Last year the Commission opened 603 cases relating to fraud and a further 99 cases relating to cybercrime.

In this article, we will be exploring the risks, how to mitigate them and what to do in the case of an attack.

‘Protecting your charity from fraud and cybercrime can understandably seem daunting, but there are many small, inexpensive steps charities can take to reduce the risk of any potential internal or external fraudster being successful.’ Mazeda Alam, Head of Guidance & Practice at the Charity Commission

Phishing

This is where victims are tricked into visiting malicious websites, or clicking on links where sensitive data may be stolen or malicious software installed. Phishing could appear like your ‘colleague’ has sent you a link or ‘HMRC’ has asked you to download a file. Whilst phishing often takes place via email, more recently this is also happening on social media (smishing).

Impersonation

Often in combination with phishing, impersonation involves a party posing as a legitimate individual or organisation in order to obtain your money or information. Websites that at first glance appear legitimate might be fake and created to steal donations. Impersonation scams will often try to increase their success by using pressure, playing on the hierarchy of the charity or giving you a limited time frame to react. It’s worth noting that impersonation tools are developing and changing. AI tools such as deepfakes and voice imitation might hold you in a live conversation by generating an AI version of a colleague.

Malware

Malware is any software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system. Some simpler versions may delete data, turn off machines, or corrupt files. More subtle malware can create pathways for another party to access a device/network, or monitor the activity on a device/network to gain information or passwords. Ransomware can allow perpetrators to lock away an organisation’s data, so they can negotiate for its release.

Sophisticated cyberattacks can be difficult to withstand, but there are some actions you can take to make it harder for the criminals and safer for your organisation…

Assess the security of your systems, then take steps to address vulnerabilities. Set complex passwords that are different for each account. Use two-factor authentication to create another layer of defence.

Have controls to secure devices both physically and digitally. Regular data backups can solve all manner of issues, whether it be fire, flood, or cybercrime. Good practice includes taking regular backups off site to best protect them. You may even backup server information to other physical locations, or into the cloud. Charities can use a range of National Cyber Security Centre Active Cyber Defence tools, which can protect your emails, website and browser.

Promote best practice within your organisation and ensure that everyone is aware of the relevant policies and procedures. Share resources with your staff about fraud prevention. Consider running a session that specifically covers this topic. Train your staff, trustees and volunteers properly. Look at Charity Fraud Awareness Week or National Cyber Security Centre websites; they have free resources and training courses available.

Have a look at PreventCharityFraud.org.uk, a site created by the Fraud Advisory Panel and the Charity Commission with significant sector support, who have a number of links and resources to help trustees, teams and volunteers understand the risks and establish tools to prevent fraud and cybercrime.

What should you do if something should happen?

Create a plan of exactly what to do in the event of a cybercrime attack. Planning for the worst can be unpleasant, but will minimise damage. Decide who will be needed to respond if you are a victim of cybercrime, and what actions they should take. It’s important to keep a record of what happened and when.

If you think your charity is either at risk or has been targeted fraudulently, report this as soon as possible to Action Fraud. Time is of the essence in these situations.

You might be required to report a cyber-attack as a serious incident to the Charity Commission.

You should also talk to stakeholders; reassure them you have everything in hand. Transparency is important for trusting relationships and people want charities to be entirely honest about their activities.

The new authorised push payment (APP) fraud reimbursement scheme has been established, so small charities (with income of less than £1 million a year) that have experienced APP fraud can reclaim lost funds. APP fraud is a type of bank transfer crime that occurs when a victim is tricked into sending money to a fraudster. Introduced by the Payment Systems Regulator, the scheme mandates banks and other payment service providers to reimburse victims of APP fraud carried out through the faster payments system and Clearing House Automated Payment System up to £85,000.

Burton Sweet has a longstanding commitment to charities and civil society organisations, offering practical, professional and passionate support. We want to assist you, so you can deliver effectively for the communities you serve and show the good you do.

With regard to fraud and cybercrime, we offer board training, policy reviews, risk management document reviews and advice on financial controls. Please contact us and we will be happy to help…
