Fraud prevention and cyber security for charities

Hear from Mark Sykes, Senior Manager of Technology and Governance at CAF, and find out what charities should do to stay secure.

Cyber security is key for any organisation. Protecting your sensitive data, services and applications from advanced cyber criminals requires both technological investment and embedded common sense practices.

But charities are at particular risk of cyber attack. Current funding challenges and a renewed focus on working from home mean charities are more susceptible than ever to infiltration.

To help you keep your charity secure, we're joined by Mark Sykes, Senior Manager of Technology and Governance at CAF. Across three videos - supported by transcripts - Mark will answer the following questions:

  • Has fraud increased during the COVID-19 crisis?
  • What trends are you seeing that charity leaders should be aware of?
  • What can charity leaders do to reduce their risk of digital fraud?

Watch the videos below and learn how to keep your charity secure during the crisis.

Has fraud increased during the COVID-19 crisis?

  • Video transcript
    Has fraud increased during the Covid-19 crisis?

    It certainly has. And I think we often see, and certainly within CAF we have seen that fraudsters do like to take advantage of any humanitarian crisis. 

    When people are interested in hearing about news stories, when there are opportunities for spoofing fundraising activities and taking advantage of an environment where people aren’t sure what’s going on, especially within the charity sector when you’re involved in fundraising and DEC appeals and such things - there are lots of opportunities for fraudsters.

    Certainly within the Covid-19 crisis, many of our threat intelligence feeds that we get from industry specialists - people who are involved in looking at all of the fraud schemes that are out there - they are seeing a massive increase. 

    Some of the figures have been four to five thousand percent increases in the amount of fraud they’re seeing. Some of the figures I have here: 500,000 thousand unique different email messages involving scams and 300,000 unique URLs with malicious website targets and 200,000 malicious attachments/files are sent on emails.

    That's an awful lot of malicious activity to try and protect yourself from and people are getting caught out, including some big organisations as well as small organisations.

    So, I think the charity sector certainly has a lot to think about culturally, you know there is money there during these crisis times, and there is data that they can take advantage of which of course fraudsters will try and sell to take advantage of. And as we heard recently around EasyJet, some of the data that’s been lost includes things like credit cards - of course they can monetise that straight away.

    There’s also sometimes a large influx of temporary staff and casual staff who are volunteering and working in an organisation, and they often don’t understand the processes and normal ways of working within organisations, and so they're also prone to exploitation through social engineering.

    Just the culture of charities, I mean you know we’re here to help people, we're here to try and make things easier for those sectors of the community that are suffering and to be naturally suspicious that you need to be at these times is something that often goes against the grain, and so we have seen a significant increase and the reason why they do it is because it is working.


What trends are you seeing that charity leaders should be aware of?

  • Video transcript

    What fraud and cyber security trends should charity leaders be aware of?

    I mentioned the issue around fundraising and how fraudsters will try to spoof charities - maybe it doesn’t affect the charities so much - but of course what it is doing is diverting money that should be going into the right campaigns but ending up in fraudsters' pockets - which no one wants to see.

    There is an added aspect of that as charities, you know, we need to think about helping our donors to feel safe about donating to us as well. And making sure that the way we engage with our donors is in such a way that gives them more confidence to carry on with that transaction.

    Some of the key things that really come out of Covid-19 is the fact that most workers are having to work from home. The remote access technology that’s out there at the moment has been under intense attack. And a lot of the big names - you may be aware of organisations like Cisco, Juniper and Palo Alto and a lot of the big security companies - that provide the sort of technologies that people are using to get access to their working environments, they’ve been under attack.

    In order to - at the very least - get onto home desktops, maybe even out to snoop on your user IDs and passwords and we call that keylogging, and it’s a little bit scary but it’s a piece of malware that sits on your PC and records everything you type in and sends it off. 

    When they’re aware of how that account gets used, those credentials get used and they can take advantage of that. So what it does mean is that you need to think about, as a charity, talking to your staff and your workers who are working from home about their environment, their home working environment, how they’re keeping their computers safe and how they are making sure that the way they work is safe as well. So there are lots of aspects to securing the perimeter in the working environment that are under attack at the moment.

    Other things that we need to think about, of course, is the difficulty in dealing with your customers and difficulty in dealing with your suppliers. 

    And the supplier one is quite an important one because often we will use suppliers to perform key parts of the service - looking after our systems and looking after our office locations, looking after our data, doing certain aspects of our business processes. 

    And - of course, no surprise - the individuals we speak to are also working from home on computers, sometimes their own computers, and so all parts of the communications we have under lockdown are exposed to a lot more risk.

    Of course one of the things you want to try and do is to make sure that you and your customers and your suppliers are thinking about these things, we want to make sure that when we’re talking to people we’re talking to the right people. We want to make sure that people are talking to us and we can give them assurances that people are actually talking to us and not talking to somebody else.

    So there are lots of complexities here. And so fraudsters of course take advantage of all of these things. And again, I’ll go back to the comment around awareness for everybody and making sure that they’re thinking about how they’re communicating, what they’re communicating and giving some kind of assurance and just question yourself: actually is this the best way of doing this at the moment?

    As we get used to a new norm and I think as you move forward, there’s some other key decisions and things to think about how we’re going to work in the future. Just coming out of this particular step we have to start thinking: okay now we’re working, it is reasonably effective (I hope), is this the best way of doing this? Do we need to start doing some tuning now? And making sure that we’re not leaving anything out there that could be exploited by those malicious intents from the fraudsters.

Raise funds digitally

As your charity embraces secure digital technologies, make sure your fundraising strategy isn't left behind. Use CAF Donate to raise funds online.

What can charity leaders do to reduce their risk of digital fraud?

  • Video transcript

    What can charities do to reduce their risk of digital fraud?

    Firstly, recognise the risk and have a look at the culture of the organisation and see where are the most important parts to address. 

    It’s a bit of a gap analysis really, but once you recognise the risk it’s easier to see whether you need to focus on your staff and your staff awareness, etc.

    The very nature of lockdown and maybe future working, where staff might be physically dispersed, means that you need to think how you are going to communicate with your staff, how are you going to securely give this awareness out, how are you going to share infographics and posters and how your online training might work - so those are key things.

    The other side of it is of course to look at your IT. Where is your data, where are your systems, what is it that the fraudsters are after. 

    Ensure that the business processes around the movement of money are solid. And again that goes back to culture to a certain extent. So this is all down to internal processes: what’s the authorisation process, and double-check core processes for these kinds of transactions.

    And thirdly, looking at your IT systems, depending on the size of the IT system you have, whether you have IT staff there, make sure that your backups are robust, they’re working and they’re not attached to the computers you’re backing up.

    I’ve unfortunately had to deal with some of our customers who’ve been hit by ransomware and realised their backup services weren’t working properly and lost a lot of data. You don’t want to be in that position. It’s best to prepare for these things, so question how well you are backing up your systems. Do you test those resources to make sure that if you need to get the data back you can get it back quickly and keep your business running?

    Make sure your mobile devices are encrypted and secured. Again, people do lose tablets and laptops and that’s the last thing you want, even if there’s a password on them a fraudster can take the hard disk out and read all the data, read all your emails and everything else on there - that’s not good.

    That’s a very straightforward thing to do, so there’s questions you can ask your IT team, individual or supplier on how those things are secured. 

    Make sure that you just keep everything up-to-date. One of the easiest ways and the most common ways fraudsters get onto systems is to take advantage of known vulnerabilities. 

    They’re often not very complex fraud scams, and they’re taking advantage of things that are already published in the public domain, which may well have standard patches and security updates for them. Certainly on Windows you’ll see those, certainly on Google Chrome and Firefox and a lot of the other tools and bits of software that people use on their laptops. They’re all subject to regular security updates. If you do those as they arrive, you’ll keep yourself secure.

    That’s a very straightforward thing to do. Even the most non-technical people would be able to configure their PCs to do that quite easily using the Microsoft help screens.

    Along similar lines, make sure that your antivirus software is up-to-date. Those are very straightforward things, and a lot of these ideas and points I’m raising here are detailed quite succinctly on the NCSC website and I’d suggest that charities do have a look at this: this is the National Cyber Security Centre.

    There has been a focus there for the last year or so on the not-for-profit sector and helping them to become more resilient. There is lots of good material on there, lots of good awareness material. Some of it is written in a very non-technical way so IT, charity IT leaders and certainly the charity trustees can understand what’s required.

    From the smallest organisation to medium-to-large charities, there’s lots of useful material there. There are lots of good papers on the ways of addressing some of these risks. Some good infographics as well that will be quite useful to share among your staff so they can understand the part they can play in helping to secure an organisation.

    So, slightly changing that culture of trust to one that’s a little bit more cynical and that’s going to try and protect your donors and your donors’ money and try and protect the funds that you’re collecting on behalf of your charity in your campaigns.

    And being a little bit more wise to some of these fraudsters out there. The reality is if a fraudster has problems getting through, they generally will just move onto the next and they won’t waste too much time where they find they’re not getting any traction.

    I think what we would try and do in CAF, and we've been working with the NCSC and some other suppliers as well, is to provide free services, free materials to help charities’ awareness of these risks, and just try and improve that so that we see less and less fraud affecting the charity sector in the UK.
