32% of businesses reported being the victim of a cyber-attack in 2022, as did 30% of charities, and phishing was involved in the majority of these. Phishing is an attack method used by criminals, which relies on human behaviour to allow them system access, as opposed to physically hacking or infiltrating the victim online. At its most basic definition, it is simply an attempt to trick the victim into doing the wrong thing. Whilst some attacks are filtered or easy to identify, for those that slip through the cracks the implications can be devastating, both for the victim themselves and for the company they work for. This means that any investment into preventing these attacks is a highly valuable one.
Charities are particularly vulnerable to cyber-attacks for a number of reasons. As with all companies, the financial assets and sensitive data held by these organisations is sought after by criminals looking to gain money, or to use their data for additional criminal activity. However, their vulnerability is exacerbated by the fact that, as a charity, they are less likely to spend resources on enhancing cyber security and protecting their cyber infrastructure. Additionally, charities tend to have a high volume of staff working part-time, meaning they have less capacity to absorb security procedures or implement strong policies amongst workers. In many cases, charities rely on their staff using personal IT to do their work, which increases the attack surface for criminals to target and means that security vulnerabilities may go unchecked and unnoticed. Furthermore, as much as any cyber attack can be financially crippling and create long-lasting operational challenges, it can be particularly devastating to charities, who often serve some of the most vulnerable people in society.
What does an attack against a charity look like?
The video above details a scenario of how a cyber-attack can occur. The victim was targeted by sophisticated type of phishing known as ‘spear phishing’, which uses well-crafted and compelling tactics, often appearing to originate from a familiar source. In this case, it was a request from a managing director to fill in an online form. The email account was spoofed to look like the MD, and the website was designed to look legitimate, meaning there were no initial red flags. Once the victim had inputted her personal information, her email account was compromised and used to send out further phishing emails asking for donations and money.
After hacking her email account, the criminals moved their attack into its next phase, defrauding the victim through another type of phishing known as ‘vishing’. ‘Vishing’ is underpinned by the same mechanisms as phishing, only it is done by voice over the phone. The victim, panicked by the email hack, received a phone call from her bank, telling her they were aware of suspicious activity, and requesting her details to investigate it on her behalf. Feeling vulnerable, the victim was grateful for the support and gladly provided her banking details over the phone. These details then allowed the so-called bank to access her account, who subsequently defrauded the company of thousands of pounds.
This example is evidence of just how sophisticated and convincing an online cyber-attack can be. By filling out one online form, the criminals were able to collect enough personal information to compromise the victims account, and then contact her personally, taking advantage of her vulnerability in that moment. It is a perfect example of how cyber-crime works without ever needing to hack into someone’s online systems externally, relying on social engineering to gain access instead. The reality is, without continuous training and thorough education, many people, particularly those working in fields unrelated to cybersecurity, would have no idea how to separate a reasonable request online from a fraudulent one. Whilst many phishing attempts are untargeted and can be easily flagged as spam, criminals will go much further to achieve their goals and target people more specifically.
Understanding how this sort of cyber-crime works helps to prevent cases like this from happening. Whilst the original email appeared genuine, further investigation into the actual address it came from could have flagged that it was not sent by the MD. Furthermore, having a policy around what information staff will and will never be expected to provide over email, allows staff to flag any requests that fall outside of this remit. Finally, understanding what information banks will never expect you to reveal over the phone means you will not be at risk of accidentally giving somebody access to your account. Becoming a member of the ECRC can help you understand the diverse types of phishing, the common features of these, and the importance of having MFA enabled on your accounts.
Delivering this sort of preventative education requires an open conversation, and a healthy work environment where people feel supported in questioning anything they might think of as suspicious. Additionally, there needs to be an active effort to remove victim-blaming from the conversation and an understanding that anybody could find themselves falling victim to a cyber-crime. The video does a fantastic job in showing the damage that just one email can do, as well as how disastrous the impacts can be not just to the company, but to the wellbeing of the victim too.
How can the ECRC help?
Joining the ECRC as a free member ensures that your charity and staff are supported in implementing simple changes to improve cyber resilience. When you join as a free member, you are automatically enrolled onto our ‘Little Steps’ programme. This is a weekly email series that drip-feeds you bite-sized practical information, as well as changes you can implement quickly and easily, designed to be followed by a non-technical audience.
Additionally, the ECRC website can signpost you towards other free resources and tools that are available to help you improve your cyber resilience. If you feel as though you would like more thorough support, take a look at the affordable student services we offer. These can help you identify some of the potential vulnerabilities within your organisation if you are concerned about the security of your online systems.
One service to consider is our Security Awareness Training, delivered by students on the CyberPATH programme. Through CyberPATH, students are trained and monitored by senior ethical hackers to provide a selection of cyber services to businesses, which supports the future cyber talent pipeline and keeps the cost to a minimum. Security Awareness Training can be issued across either a full or half day and is tailored to the needs of its specific audience. It is designed to be contextually relevant and accessible for all abilities. SAT is also delivered by Police Cyber Protect officers, who will deliver their service free of charge over a few hours.
If you are unsure or simply want to know more about cyber resilience and what we do at the ECRC, why don’t you book a chat with us today?
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)