top of page

Phishing Attacks on Charities: What You Need to Know to Stay Safe

Many charities assume they are safe from cybercrime since they don't have valuable assets.

A locked mobile phone in front of a laptop

While charities may not be cash-rich, they do hold personal and sensitive data, the exposure of which could damage their reputation and affect their ability to raise funds in the future. Charities also rely on the public's trust that their donations go to a worthy cause and losing that trust can have a devastating impact on their future operations.

Unfortunately, almost half of charities have weak cybersecurity protocols, making them an easy target. During the pandemic, over a third of charities in the region have been targeted by cyber-attacks, showcasing how important it is to have the correct cybersecurity protocols in place.

What is phishing and how does it affect me?

The most popular type of cyber-attack in 2022 was phishing attacks.

Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

According to recent research:

  • 1 in 3 employees are likely to click the links in phishing emails

  • 1 in 8 employees are likely to share information requested in a phishing email and finally

  • Over 45% of employees click emails they consider being suspicious “just in case it’s important”.

We all know that email phishing attacks are continuing to increase in complexity and frequency year over year. Hackers are employing more effective technology and methods, constantly honing their skills at crafting email campaigns that appear legitimate and safe.

You might have heard of phishing, vishing, smishing, quishing, spear phishing, whaling, but all the names mean is that there are a lot of different ways that a cyber-criminal is going to try and trick you.

Criminals use all communication methods, so if a new method comes out, you can be sure a criminal will be there trying to exploit it. And these criminals are experts in getting us to act in the way they want, whether that is clicking a link or downloading an attachment.

How could my charity be targeted?

Criminals are constantly on the lookout for personal and sensitive information that they can use to create convincing phishing messages. For charities, it's essential to know what information about your organization is publicly available and how it could be used to lure unsuspecting victims into a phishing scam.

For instance, if you received an email that contained your charity's username and password, would you believe it to be genuine? Unfortunately, usernames and passwords are just one of many things that could be known about your organization, including your IP address, physical address, and phone number.

Cybercriminals can obtain this information from data breaches and use it to craft a convincing phishing email.

Moreover, criminals can use any recent announcements made by your charity to create a fake domain name that looks similar to the legitimate one. For example, if your charity has just announced a new partnership with a support service called "” a criminal might create a fake domain called "" to trick people into thinking it's legitimate.

Another common tactic used by cybercriminals is to create a sense of urgency or importance in their phishing emails. They might use headlines like "New Government Standards Required for All Charities - Find Out More Here!" to trick people into clicking on a link or downloading a malicious attachment.

If a message contains any of the following, really think before you click:

  • Urgency “you must do this now” – here the attacker is trying to induce you to panic so that you don’t question the action being asked of you

  • Authority – messages appearing to come from a boss, colleague, or company you engage with regularly, or with information they shouldn’t have unless they are genuine (your IP address for example)

  • Mimicry – attackers send messages that exploit your daily habits such as “please review your calendar entry – click here”

  • Curiosity – enticing you with something like “breaking news”

What can you do?

Educate your staff and volunteers about the risks and best practices for identifying and avoiding phishing scams. All phishing depends on an element of social engineering or interaction with a person, so you really need to make staff engagement and upskilling a priority. The ECRC has affordable student services who can deliver a bespoke training session tailored to your organisation and the risks it faces. Contact us to find out more.

Implement Multi-Factor Authentication and strong passwords to help prevent cybercriminals from accessing sensitive data.

Have a plan in place to deal with phishing attempts and successful attacks. Make sure your staff know how to report an attack and don’t put barriers in place to reporting, such as disciplinary action. Phishing attacks can be very sophisticated and extremely difficult to guard against but making sure you know how and when an attack has taken place means that you can react in the right way. You really don’t want a staff member too scared to report a successful phishing attack and letting an attacker have an extended period of time in your systems.

Make sure you report all phishing attacks to The National Cyber Security Centre (NCSC) have created an enterprise Outlook add-in for staff to be able to report email phishing directly from their email box. The NCSC will the actively seek to disrupt the criminals sending these messages, protecting you from them as well as the wider community

What next?

By staying vigilant, educating staff and volunteers, and implementing robust cybersecurity measures, you can reduce the likelihood of falling victim to a phishing scam and protect your charity's valuable data.

Here at the centre, we would recommend that you consider

  • Join our community today as one of our growing number of free core members. You will be supported through implementing the changes you need to make to protect your organisation.

  • Consider how you can help your own supply chain – it would be great if you could look at promoting the centre on our behalf. Have a look at our referral scheme to see how referring another school into the centre could benefit you.

  • Take a look at our range of affordable student services, all which could be used by your organisation to make yourself more cyber resilient.

Reporting a live cyber-attack 24/7

If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.

Reporting a cyber-attack which isn't ongoing

Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need. Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).

Report a phishing attack

If you suspect a phishing attack, please report it to the Suspicious Email Reporting Services (SERS) set up by the NCSC at:

Text messages can be forwarded to 7726


The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page