Phishing campaigns

According to the Cyber Security Breaches Survey 2024, 94% of charities have experienced a phishing attack. Organisations need to be vigilant to phishing campaigns at all times, but as we see more targeted attacks over the festive period, individuals within your organisation are likely to be more frequently exposed due to an increase in attempts.

These attacks usually leverage human habits and behaviours, and as Christmas is a key time for donations and various charity work, threat actors utilise strategies relating to these campaigns to target charities. Think online retailers, delivery companies, and online booking platforms.

These emails can be very convincing and difficult to spot, but the simplest way to reduce your chances of falling victim to cyber crime is to think before you click.

It sounds easy, but taking the time to familiarise yourself with the most common signs of a scam email and properly reading emails before clicking on anything within them is the best way to protect against them.

Most common signs of a phishing email

There are many warnings that can alert you to a phishing attempt, but the most common signs to look out for are:

• Grammar and spelling errors
• Inconsistencies in email addresses, links, and domain names
• Threats or a sense of urgency
• A sense of scarcity (e.g. act now, only five places left). This encourages colleagues to act quickly
• Unusual requests
• Request for credentials, payment information, or other personal details

If you spot any of these in an email that you receive, be cautious. Before you click on anything, verify the request by visiting the sender’s website or contacting them directly (remember to never click on the links within the email, instead, visit the website directly via your browser), and if you’re still unsure, report it to your cyber security or IT team for inspection.

However, as cyber criminals look for new ways to convince you that emails are genuine in the hope that you’ll take action, phishing campaigns are always changing, and emails are becoming more sophisticated. Because of this, you must remain vigilant even when the usual tell-tale signs of a scam aren’t present. If something about an email doesn’t feel quite right, it’s probably because it isn’t and it’s best to approach with caution by flagging it to the relevant team at your organisation.

Password hygiene and multi-factor authentication (MFA)

Password hygiene is a hot topic when it comes to cyber security, and with good reason. A strong, secure password is one of your main defences against cyber criminals accessing your online accounts.

Alongside a solid password, multi-factor authentication (MFA) adds an extra layer of protection. Most modern websites and apps have the option to enable MFA, and where this is available, it is strongly recommended that you do. Once MFA is enabled, even if a hacker does gain access to your passwords, they will find it difficult to get into your accounts without the unique, one-off code generated by MFA, which is usually sent directly to your mobile device and/ or email address for you to confirm.

Protect your reputation

During the festive season, your charity’s reputation becomes a prime target for cyber criminals. Fraudsters may exploit your brand by creating fake donation campaigns or websites, tricking potential donors. This not only diverts funds away from your mission but can also harm the trust you’ve worked to build with supporters.

• Monitor your digital presence regularly, including social media platforms, to identify and report fraudulent activities using your brand
• Use tools like domain monitoring services to identify websites impersonating your organisation
• Communicate with your supporters about how to verify legitimate donation requests and avoid scams

We support organisations of all sizes to identify and manage risks in their cyber security strategy.

We also work closely with the NCVO, and as a Trusted Supplier, we understand the unique challenges faced by charity organisations and their need to protect sensitive data.