“I want to be a volunteer, download my resume to see what I can do.”

And what I can do is infect you with malware if you click that link.

Charities are key targets for cyber criminals, not only because they receive money, which is generally the motive behind cybercrime, but because they can lack the technical expertise to protect their systems. This means that when cyber criminals are looking for vulnerabilities, Charities are likely to be found within the cross hairs.

The most common form of cyber attack is the phishing email.


According to the Cyber Breaches Survey 2021, 79% of cyber-attacks are identified as phishing by Charities and some are reporting attacks every week.


What is phishing?

Phishing is a catch all term for any attack where the criminal pretends to be someone else. So, this could be a telephone call from “your bank”, a text message about “your delivery” or an email about “your unpaid invoice”.

Various text messages which are all phishing examples
Examples of text phishing also known as smishing

What has changed with phishing attacks?

Previously many phishing attacks were easy to spot, with bad spelling and grammar and coming from an email address that was clearly not the supposed senders. But this has changed, with criminals becoming very aware of how we are using technology and what makes us act before thinking. The emails are becoming more believable with templates mimicking almost exactly legitimate organisations in content and design.


Spear phishing, where emails are personalised to the recipient, are becoming the norm, with data breaches giving criminals access to personal information we thought was safe, and that can be used at scale.


Have you checked to see if you and your charity has been involved in a data breach and what criminals might know about you? Visit haveibeenpwed.com and check your email and telephone number. You might be surprised at what information there is about you.

Screenshot of the haveibeenpwned.com website

And although phishing emails are by far the most common for businesses, criminals are always looking for new ways to exploit their victims. One of the latest threats has been highlighted by Avanan with attackers using Teams as a way of tricking file downloads

"The attacker operates by dropping executable (.exe) files named “UserCentric.exe” into different Teams conversations, the executable being a malicious file, generally a trojan. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer and take control over the computers."


What should I look for in a phishing email?

If a message contains any of the following, really think before you click:

  • Urgency “you must do this now” – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you

  • Authority – messages appearing to come from a boss, colleague or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example)

  • Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”

  • Curiosity – enticing you with something like “breaking news”

Top tips

- Don’t click on links within emails – go to that system independently instead. Then you will go to Microsoft instead of micrs0fft.

- Don’t allow macros to run – these are frequently used to hide malware

- Don’t open attachments that you weren’t expecting or can’t confirm where they have come from

- Always confirm financial transactions independently. So, if you get a change of banking request, call the company up using trusted method (not the ones within the email). And if the finance director really needs money transferring, they won’t mind you double checking to ensure your charity doesn’t lose its donations.


What can I do to protect my charity from phishing attacks?

Your staff can be the best defence against phishing attacks. Being confident in recognising and reporting phishing attacks is key. Make staff awareness a priority. The NCSC has a free online awareness package which could be a great way to introduce the subject to new starters or volunteers.


Make sure staff know how to report a phishing attack.

Have a plan to deal with a successful attack. Sophisticated phishing campaigns can be incredibly difficult to spot, and no one can be perfect 100% of the time, so making sure your staff are able to report falling victim of a phishing campaign is essential. You want them to report as soon as they realise, rather than waiting until a forensic investigation identifies it.


The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will the actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community.


And you can report more than emails.


Further guidance & support

The Eastern Cyber Resilience Centre provides both individual and corporate internet discovery so you can see what information could be used to craft that phishing attack. We also provide Staff Awareness Training, but did you know your local police protect officer might be able to do this too? We train and mentor local university students, so when we say affordable, it really is. Find out more here.


The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Policing led – business focussed.





The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.