
Charity websites and cyber criminals

Websites are essential in today's digital-led world, and that is just as true for charities.

They have become a portal for supporters to keep up to date with what is going on, a way to obtain donations and a way to communicate with those who need help. All of the data that websites generate is precisely what cyber criminals want, and the website is an obvious starting point.


What could a cyber criminal do if they attack a website?

  • Steal data entered by users of the website. This could be login details, sensitive details from enquiry forms or payment details.

  • Change the content. This could be changing telephone numbers to redirect legitimate donors, or causing distress by putting inappropriate content on the site.

  • Upload a virus. If you have a portal which allows uploads, then you could be allowing files with malicious content to be sent to your server which then could infect your system. A ransomware attack on your server could stop your charity from being able to function and then you have the question of whether to pay or not.

Common issues with websites

  1. Weak passwords so criminals just log in to your systems. If you want to know more about what a weak or strong password is, take a look at our short video.

  2. Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.

  3. Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!

  4. Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.

  5. Your website has insecure direct object references – this is one of the access control implementation mistakes which can lead to access controls being circumvented and a criminal being able to access someone else’s data.
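Issue 3 in practice, as an added example that is not part of the original article or any ECRC code: the same supporter lookup written the weak way and the safe way (a parameterised query), which is the fix to ask your developer about. The table, column and function names are assumptions, and the records and form inputs are constructed sample data.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample supporter records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE supporters (id INTEGER PRIMARY KEY, email TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO supporters (email, phone) VALUES (?, ?)",
        [("alice@example.org", "01234 000001"),
         ("bob@example.org", "01234 000002"),
         ("carol@example.org", "01234 000003")],
    )
    return db

def lookup_vulnerable(db, email):
    # Weak: the form value is pasted into the SQL text, so the database
    # cannot tell the developer's query apart from what the visitor typed.
    query = "SELECT email, phone FROM supporters WHERE email = '" + email + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, email):
    # Fixed: the ? placeholder sends the value separately from the SQL text,
    # so it is only ever compared as data and never run as part of the statement.
    return db.execute(
        "SELECT email, phone FROM supporters WHERE email = ?", (email,)
    ).fetchall()

def demo():
    """Run both lookups with an ordinary input and a crafted one; return row counts."""
    db = make_db()
    normal = "alice@example.org"
    crafted = "nobody@example.org' OR '1'='1"  # constructed test input
    return {
        "vulnerable_normal": len(lookup_vulnerable(db, normal)),
        "vulnerable_crafted": len(lookup_vulnerable(db, crafted)),
        "safe_normal": len(lookup_safe(db, normal)),
        "safe_crafted": len(lookup_safe(db, crafted)),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) returned")
```

With the weak version the crafted input returns every supporter record; with the parameterised version it returns none, because no supporter has that text as their email address.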


What can you do?

  • Speak to your website developer and ensure that security is at the heart of what they build for you.

  • Get a vulnerability assessment. The ECRC offers affordable web application vulnerability assessments. We work with university students who are trained and mentored to carry out the testing and provide you with a detailed report, explained in plain English, so you understand what the risks are and what you need to do to fix them. Find out more here.

  • Make sure everyone involved in your website is using strong passwords and MFA when available.

  • Update your website, including all those little plugins, as soon as possible when a new release comes out. Most sites will have auto-update functionality so, unless advised otherwise, use it so you don’t have to worry about it.


Further Guidance and Support

The ECRC is a police-led, not-for-profit organisation which companies can join for free.

Our free membership provides:

  • Threat alerts both regionally and nationally

  • Signposting to free tools and resources from both Policing and the NCSC

  • Little steps programme – a series of weekly emails which aligns to Cyber Essentials, looking at bite-sized practical information to build cyber resilience

  • Discussion area to meet and talk with other companies

We're here to help - join us today.



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.
