How are charities at risk?

Published: 12/11/2020
Updated: 12/11/2020

Ransomware and extortion

  • Ransomware is where a cyber attacker gains access to an organisation's systems or website, locks it down so you can't access it, and then offers to unlock it in exchange for payment of a ransom. Charities may be targeted directly, be inadvertently affected by an attack aimed elsewhere, or be caught up in mass indiscriminate campaigns seeking to exploit as many victims as possible. Attackers may not only steal or deny access to data; they may delete or change it.
  • Extortion is where a cyber attacker steals data or commercial information and threatens to release it publicly or sell it if you don’t pay them a fee. Charities involved in the protection of vulnerable individuals or holding sensitive medical data could be particularly susceptible to this form of extortion.


Malware and Spyware

  • Malware simply means malicious software. Attackers often try to get malware and spyware onto an organisation's systems and devices to steal data or look for other, more valuable leads to use in future criminal acts. There are many ways to get malware onto your system or devices, but common ones are clicking on links in phishing emails or visiting unsecure websites.


Business email attacks (phishing)

  • There are many ways that criminals can use email to launch cyber-attacks. The most common ones are:
    • Tricking staff, trustees or volunteers into clicking on a link or attachment that seems genuine but in reality contains malicious software or sends you to a fake website.
    • Tricking employees with financial authority into transferring money to criminals, a type of attack that is increasing. A UK charity lost £13,000 after the email of its CEO was hacked and a fraudulent message was sent to the charity’s financial manager with instructions to release the funds.
    • Gaining access to a staff member's or volunteer's work email address to send emails purporting to be from the organisation, in order to build trust with a third party. This could be hugely damaging to your charity’s reputation if it led to losses by a third party or supplier of yours.


Fake organisations and websites

  • Criminals exploit the credibility and appeal of charities to trick donors into giving money to what appears to be a legitimate charity. This is often achieved through the creation of fake organisations and accompanying websites.
  • Criminals react quickly to exploit disasters and global events to steal donations. Although not directly targeting charities by cyber means, this activity has potential financial and reputational ramifications for genuine charities.