In November 2024, the Charity Commission announced that it had opened 603 cases relating to fraud and a further 99 cases relating to cyber crime. As part Charity Fraud Awareness Week, the Charity Commission published guidance ‘Protect your charity from cyber crime’ reminding charities how to protect themselves from cyber crime and a shorter guide on fraud, which was accompanied by a revised CC8 Internal financial controls for charities.
Cyber Crime is defined as any crime employing computers or the internet, including financial fraud or service disruption. Charities are attractive targets due to their digital systems and sensitive data. Cyber attacks can lead to financial loss, data breaches, and reputational damage. Types of Cyber Crime include:
- Phishing: Fraudulent emails or messages tricking users into revealing sensitive data or clicking malicious links.
- Impersonation: Fake websites mimicking real charities to steal donations.
- Malware: Malicious software, including ransomware, which locks data until a ransom is paid.
What can charities do?
Reducing Risks: Charities should educate trustees, employees, and volunteers on cyber risks and preventive measures. This should include knowing what to do if, for example, a phishing email is received and how to keep their knowledge up to date. Cyber risks and responses should be incorporated into the general risk assessment. Risk assessments and responses should be proportionate to the data held and the activities of the charity. The guidance references to some specific resources that charities can use for guidance and training to foster cyber awareness.
Guidance and Training: The National Cyber Security Centre (NCSC) offers tailored guides and training for small, medium, and large charities to improve cyber security, including free online resources and exercises, links to some of these tools are set out in next steps below.
Responding to Cyber Attacks: Charities should have a response plan, report attacks to Action Fraud, and keep records to mitigate harm and prevent future incidents.
Reporting Cyber Crime: Reporting to Action Fraud is important for obtaining support for the charity and tracking attack trends across the sector. Serious incidents may also need to be reported to the Charity Commission How to report a serious incident in your charity. If the event includes data loss then a charity may also need to report to the Information Commissioner. Trustees should keep a record of what happened and seek legal advice if needed.
Next steps
We recommend that trustees consider the guidance and resources available in conjunction with their risk assessment to understand their data and risks, and identify proportionate actions.
Guidance
- NCSC specific guide about how to defend against malware and ransomware.
- NCSC free online cyber security training for beginners. (30 mins) including tips about how to prevent cyber crime, such as:
- How to protect your charity from phishing attacks
- How to set strong passwords, and why
- How to keep your devices secure
- The NCSC’s 10 Steps to Cyber Security
- NCSC cyber security toolkit for boards
- NCSC cyber attack exercises. These recreate common cyber attacks. You can use the exercises to practice your response to, for example, a phishing attack.
Read the latest Charities and Non-profit newsletter to find out more about further changes that will impact the sector.
If you would like to discuss how these changes might affect you, please get in touch with our team.
This article was correct at the time of publishing.
