This DAP highlights: GMU student charged in mass-casualty plot targeting Jews. This DAP also includes More Faith-Based Stories and Select All-Hazard Stories. These updates are shared to raise the situational awareness of faith-based organizations so they can best defend against and mitigate the impacts of all-hazards threats, including physical security, cybersecurity, and natural disasters.
Guidance on Cyber Threats Facing the Charity Sector
In January 2023 the UK’s National Cyber Security Centre (NCSC) published a cyber threat report for the charity sector. Below is a breakdown of the NCSC’s guidance, the common threats it describes, and resources for improving cyber security in non-profits.
Threat actors target charities for a variety of reasons, including monetary gain, access to sensitive information, or a desire to hinder an organization’s cause. These motives are often met by sparse cybersecurity measures within non-profits, which further puts them at risk. Even when measures are in place, many charities rely on part-time staff and volunteers, which increases the risk that not all workers are adequately trained on cybersecurity procedures. Additionally, the NCSC’s report notes that “the impact of any cyber attack on a charity might be particularly high as charities often have limited funds, minimal insurance coverage and, by their very nature, are a supplier of last resort providing services where there is insufficient government or affordable private sector alternatives”, which compounds the harm of any incident and makes preparation crucial.
Below are a few examples of cyber-attacks against faith-based organizations:
- In November 2022 a North Carolina church “received an email from Landmark construction, their builder, with payment instructions. A second, nearly identical email, came in just after the first. The emails arrived on a Friday when the office was closed, church leaders explained. Upon checking the emails on Monday, a church representative responded, unknowingly, to a cloned email.” This attack led to the loss of nearly $800,000 the church had raised for a new sanctuary. The standard defence against this kind of business email compromise is to verify any new or changed payment instructions by phone, using a number already on file rather than one taken from the email.
- In March 2022 The Church of Jesus Christ of Latter-day Saints discovered that its computer systems had been accessed by threat actors and that personal information of “church members, employees, contractors, and friends” had been exposed. While US law enforcement did not believe the information would be used to harm individuals, they suspected that the “intrusion was part of a pattern of state-sponsored cyberattacks aimed at organizations and governments around the world.”
- In 2020 many faith-based organizations began using Zoom for worship services as well as other events and meetings. This led to several instances of threat actors joining meetings and sharing explicit or otherwise offensive images and messages with participants, a practice often called “Zoombombing.” It happened during a Louisville synagogue’s virtual service, where “hackers took over the meeting, sharing pornographic videos and anti-Semitic messages.” Meeting passcodes, waiting rooms, and restricting screen sharing to the host are the usual controls against this.
While non-profits face many cyber-security risks, there are also many ways to prepare for them. Below are some common threats and the resources the NCSC offers to help mitigate them:
One threat organizations face is online scams. An example is the “clergy scam,” in which a threat actor poses as a local religious leader and contacts congregants, usually by email or text message, asking for money, typically in the form of gift cards. A genuine request from clergy will not arrive as an urgent plea for gift card codes, and congregants should confirm any such request by phone or in person. The NCSC states that online exploitation “can include false representations of your products or services, fake endorsements, and using your brand in phishing or malware to make fake campaigns look (and sound) credible.” This can lead to distrust of the organization and less willingness to donate. Non-profits experiencing this issue may benefit from reading the NCSC’s guidance on removing malicious content. The NCSC presents step-by-step information on how to contact hosting companies and domain registrars to stop brand-damaging content from being distributed. It also includes questions your organization should ask when considering hiring a takedown provider to act against illegitimate sites on your non-profit’s behalf.
Another threat organizations can face is telecommunications fraud. Forbes states that “telecommunications fraud comes in many forms, but all of the schemes ultimately seek to extort money out of subscriber or telecom provider accounts. In every kind of fraud, more than one party eventually gets hurt.” One common method is social engineering, in which a threat actor poses as a legitimate person or well-known brand to trick users out of sensitive information or money. One example is “SMS phishing” (smishing), which involves mass texts claiming to be from a legitimate source in order to pressure recipients into relinquishing sensitive information. To better prepare for this type of threat, the NCSC provides SMS and telephone best practices for business communications, which guide personnel on how to recognize and mitigate telecommunications fraud within an organization.
Exercising an organization’s cybersecurity plans and procedures is one of the most effective ways to prepare for threats. Exercises help staff visualize and identify what can go wrong during a cyberattack and how to react and recover as efficiently as possible. Understanding the ins and outs of handling a cyber-attack can save money and limit the time services are stalled by the attack. Non-profits that wish to test and hone their cybersecurity abilities can use the NCSC’s free Exercise in a Box tool. No previous exercise experience is required to use it.
Small charities are encouraged to read the Small Charity Guide, which gives step-by-step instructions on how to back up data, protect against malware, keep smart devices safe, protect data, and avoid phishing attempts. Cyber-attacks against non-profits are not uncommon. As discussed above, non-profits, especially small ones, are susceptible to data breaches, identity theft, and phishing attacks, to name a few, because the infrastructure and funding for formal cyber risk management may not be available. However, there are many free resources and guidance that small charities can take advantage of. These can be found on the Small Charity Guide resource page, which includes webinars, trainings, infographics, and other cyber security materials.
For boards, the NCSC offers a toolkit to improve cybersecurity discussions among board members. Topics range from establishing a baseline for cybersecurity and ensuring partners and suppliers handle sensitive data safely to planning incident response and understanding the threats. These discussions can help educate board members on cyber threats, why cyber security is important, and what board members can do to prevent harm to their organization, cultivating a more cyber-safe environment. More information, as well as the entire toolkit for download, is available through the Board Toolkit page.
For larger charities with technical staff, the NCSC provides a ten-step cyber security guide on how organizations can protect themselves. This wide-ranging guidance can help prevent some of the most common cyber threats by informing organizations on risk management, data security, supply chain security, and much more. For malware- and ransomware-specific guidance, organizations can access the NCSC’s malware mitigation page and ransomware hub. Additional guidance for larger organizations covers cyber insurance, which can help organizations recoup losses from a cyber-attack and may include incident response and negotiation support should the organization’s data or systems be held for ransom. Note, however, that the NCSC and UK law enforcement do not encourage paying ransoms, and paying does not guarantee that data will be restored or that stolen data will not be leaked. Additionally, for organizations whose employees use their own internet-connected devices for work, the NCSC offers bring your own device (BYOD) guidance. This guidance can help medium to large organizations decide how best to approach BYOD policies, making devices safer for both employees and their organizations.
Whether the target is sensitive information, money, or reputation, threat actors have targeted non-profits and will continue to do so. It is increasingly important to know the risks and stay vigilant as all organizations continue to rely on online services. For the full list of guidance, resources, and threats, see the January 2023 cyber threat report for the UK charity sector at: https://www.ncsc.gov.uk/collection/charity/cyber-threat-report-uk-charity-sector