#StopCharityFraud

By the BDO team.

No organisation is free from the risk of cyber-crime or cyber-enabled fraud, and the charity sector is unfortunately no exception. A cyber-attack could see your charity lose access to its data, funds or assets, with devastating consequences for its ability to meet the needs of its beneficiaries or service users.

With the UK emerging from the Covid-19 crisis and now suffering from the cost-of-living crisis, conditions are a perfect breeding ground for cybercriminals attempting to defraud a charity out of its increasingly crucial resources.

Is the charity sector vulnerable?

The 2021 Cyber Security Breaches Survey showed that there had been an increase in charities dealing with finances online, whether this was by use of online bank accounts, providing an ability for people to donate online or allowing beneficiaries or service users access to online services. This increasing trend towards digitisation, very likely accelerated by the Covid-19 crisis and a greater reliance on home or hybrid working, forced many charities to evolve and invest in technology. In some cases, due to the quick turnaround required, this was done with less due diligence than there would be in normal circumstances. The result: a greater use and reliance on technology. Music to the ears of the cyber-criminal.

In addition, survey results published by the Charity Commission found that “one in eight charities (12%) had experienced cybercrime in the previous 12 months”, and therefore this is a significant risk that charities need to be aware of.

So what does this mean for charities?

Increasing your digital footprint, whilst arguably a modern-day necessity, also increases the risk of being a victim of cyber-enabled fraud. Fraudsters will exploit any available weaknesses – whether vulnerabilities in remote access systems, weak passwords, lack of multi-factor authentication, vulnerabilities in software and non-standard application of patches, or insecure user devices (e.g. phones and tablets with insufficient security).

The Charity Commission survey results also suggest that the governing processes for a more digital way of working (such as risk assessments, new policies and procedures and training for staff) may not have been given enough attention or kept up with the increasing reliance on technology and digital processes. This leaves charities vulnerable.

The risks associated with newly implemented digitised ways of working will, of course, be different to previous processes. It is not uncommon that digital processes were implemented to enable operations at a time of great pressure and demand.  However, it is still essential that vulnerabilities are assessed and, if necessary, preventative measures implemented.

The recent Charity Commission survey results also highlighted a potential lack of awareness of the cyber-related risks facing charities as a result of increasing their operations online. The survey found that just over 24% of charities have a formal policy in place to manage the risk of cyber-related fraud. The survey also found that only around half of the charities surveyed reported that cyber security was a fairly or very high priority in their organisation. This could suggest that many charities are underestimating the risks, which makes them more vulnerable to attack.

How do you protect your charity?

Myths surrounding protecting your charity from cybercrime or cyber-enabled fraud suggest that it is costly, time-consuming and resource-heavy. Whilst your charity might need to consider investing in its IT systems and solutions to ensure it is safe and secure from an external attack (e.g. ransomware), there is a variety of simple, quick-to-implement steps you can take that will improve its current risk profile. For example, the most prolific risks identified in the 2021 Cyber Security Breaches Survey were ‘Phishing’ (79%) and ‘Others impersonating an organisation in emails or online’ (23%). At this point, it is the human factor that is your greatest weapon in combatting the risk of cyber-enabled fraud.

All humans are vulnerable to social engineering techniques deployed by fraudsters in phishing scams. Training and awareness are invaluable tools and will ensure that your trustees, employees and volunteers know the fraud risks and red flags. This is key to protecting your organisation’s assets. Training and awareness should be periodic to ensure that they reflect current cyber-fraud trends – cyber-fraud criminals are constantly evolving their tactics. Therefore, charities need to keep up with these trends too. Some simple but effective messages to include in training are:

  • Awareness of the latest trends and scams being deployed by fraudsters (e.g. what a phishing email might look like).
  • What to do after accidentally clicking on a link in a phishing email.
  • The importance of good password management (e.g. not sharing passwords, knowing what strong passwords are, and using different passwords from those used for non-work-related apps and websites).
  • The risks associated with connecting to public Wi-Fi hotspots, and the preference to tether to known devices or networks.
  • The importance of up-to-date anti-virus and operating systems on any personal devices being used for work.

Beyond training, much more can be done. Our top tips, which we see as vital in supporting your charity’s continuous protection against cyber-related fraud, include:

  • Ensure your policies reflect the current working environment in relation to the digitised and technology-focused processes your charity uses.
  • Ensure you are prepared to act quickly if a cyber-related incident occurs (i.e. have a cyber-response plan).
  • Ensure that your data is backed up so it can be recovered in the event of an attack.
  • Review your IT security solutions to make sure they are fit for purpose.
  • Perform a cyber-fraud risk assessment, where cyber fraud risks are identified, risk rated and assigned to a responsible individual for management.

Help #StopCharityFraud

As part of Charity Fraud Awareness Week, help us unveil the fraud landscape of the charity sector and raise awareness of the risks charities face beyond just cyber. By participating in our annual Charity Fraud Survey, in conjunction with the Fraud Advisory Panel, you’ll provide insight into this area that will help the sector be more fraud aware and act against fraud.

The questions in the survey relate to your charity’s experiences with fraud and how your organisation manages fraud risk. The information provided will be treated in confidence and only used to inform the results of this study. All answers will be anonymous. No individuals or individual charities will be identified. We’ll share the results of the survey in a report, which we will launch at an exclusive in-person event on 6 December.

To ensure you receive an invite to the report launch event, or indeed have any questions regarding cyber fraud and how we can support your charity, please contact Tracey Kenworthy, Forensic Director at BDO.
