Protect your charity from cyber crime.

Article | Nikki Loan | 24th March 2025


In November 2024, the Charity Commission announced that it had opened 603 cases relating to fraud and a further 99 cases relating to cyber crime. As part of Charity Fraud Awareness Week, the Charity Commission published the guidance ‘Protect your charity from cyber crime’, reminding charities how to protect themselves from cyber crime, and a shorter guide on fraud, which was accompanied by a revised CC8 ‘Internal financial controls for charities’.

Cyber crime is defined as any crime employing computers or the internet, including financial fraud or service disruption. Charities are attractive targets due to their digital systems and sensitive data. Cyber attacks can lead to financial loss, data breaches, and reputational damage. Types of cyber crime include:

  • Phishing: Fraudulent emails or messages tricking users into revealing sensitive data or clicking malicious links.
  • Impersonation: Fake websites mimicking real charities to steal donations.
  • Malware: Malicious software, including ransomware, which locks data until a ransom is paid.

What can charities do?

Reducing Risks: Charities should educate trustees, employees, and volunteers on cyber risks and preventive measures. This should include knowing what to do if, for example, a phishing email is received, and how to keep their knowledge up to date. Cyber risks and responses should be incorporated into the general risk assessment. Risk assessments and responses should be proportionate to the data held and the activities of the charity. The guidance refers to some specific resources that charities can use for guidance and training to foster cyber awareness.

Guidance and Training: The National Cyber Security Centre (NCSC) offers tailored guides and training for small, medium, and large charities to improve cyber security, including free online resources and exercises. Links to some of these tools are set out in the next steps below.

Responding to Cyber Attacks: Charities should have a response plan, report attacks to Action Fraud, and keep records to mitigate harm and prevent future incidents.

Reporting Cyber Crime: Reporting to Action Fraud is important for obtaining support for the charity and tracking attack trends across the sector. Serious incidents may also need to be reported to the Charity Commission (see ‘How to report a serious incident in your charity’). If the event includes data loss, then a charity may also need to report to the Information Commissioner. Trustees should keep a record of what happened and seek legal advice if needed.

Next steps

We recommend that trustees consider the guidance and resources available in conjunction with their risk assessment to understand their data and risks, and identify proportionate actions.

Guidance

Read the latest Charities and Non-profit newsletter to find out more about further changes that will impact the sector.

If you would like to discuss how these changes might affect you, please get in touch with our team.

This article was correct at the time of publishing.

Nikki Loan - Partner - Audits and Accounts - PEM

About the author

Nikki Loan

With over 25 years' experience in the charity and not-for-profit sector, Nikki has provided audit services and accounting support …
