Why cybercriminals target charities

It’s not just businesses being targeted by cybercriminals.

Cybercriminals have long shown their willingness to target anyone they think they can make money from. Whether young or old, rich or poor, big business or small family firms, hackers will try and gain access to their servers and take away crucial data, or lock it up and demand a ransom to release it.

And charities are no different. While organisations of all types have seen an increase in cybercrime, charities across the globe have also struggled. According to a survey by Ecclesiastical Insurance of UK charities, one in three third sector organisations have fallen foul of cybercrime.

“Like everyone else, charities can be susceptible to fraud and cybercrime,” said Angus Roy, charity director at Ecclesiastical Insurance. In fact, they’re often seen as more susceptible for a variety of reasons.

The challenges of working from home

“The move to remote working has presented technological challenges for all organisations, and this has created opportunities for cybercriminals,” said Roy. Charities, who are often smaller bodies with fewer, sometimes less tech-literate staff, have struggled more than most to migrate from office work to working from home. In all, 95% of UK charities are currently working from home.

The lower budgets that many charities have also mean they’re unable to spend as much on training or security to try and avoid falling victim in the first place. They’re often comprised of older employees or volunteers, who are perhaps less able to understand the potential risks and prioritise or parse issues such as potential phishing emails. “While some charities have taken steps to protect staff working from home, many are still not taking the threat of cyber fraud seriously,” added Roy. That’s borne out in the data:

Phishing attacks are the most prevalent attacks against charities, according to Ecclesiastical Insurance’s data.

Phishing was reported by 15% of charities, and a further 7% of charities reported having encountered spear phishing attacks. Ransomware and general malware were next prevalent for charities.

Biggest risks to charities

One of the highest-profile victims of a hack attack in recent years is Oxfam Australia. In late January, a database containing the personal details of up to 1.7 million people was offered for sale on underground forums. The database, which included details such as email addresses, phone numbers, and the amount they’ve donated to charity, was confirmed by Bleeping Computer to contain legitimate data.

When the charity was informed of the massive data breach, Oxfam informed its donors about the issue and conducted an investigation. “Throughout the course of the investigation, we have communicated quickly and openly with our supporters, while also complying with regulatory requirements,” said Oxfam Australia chief executive Lyn Morgain. “We contacted all our supporters early last month to alert them to a suspected incident, which has now been confirmed.”

But the costliest attack may well have been the data breach at Blackbaud, which is used by organisations to raise charitable donations from donors. Hundreds of victims were reported in the Blackbaud attack, which was believed to have been launched through a ransomware attack.

For charities, the way to try and counteract the risk of cyberattacks is similar to the way every other business can try to avoid falling foul of hacks. It’s simple: education, education, education.

Although 81% of charities say they were “fully prepared” to deal with a cyberattack, Ecclesiastical Insurance found just over half had a cybersecurity plan in place, and even fewer had a specific cyber risk management plan (42%) or cyber insurance cover (42%). So making sure you’re well-informed about the potential risks – and have a plan prepared to face the inevitable – is vital.


P.D. Asilomar
3 years ago
Non-Profits and such have a habit of asking for your IT Security skills for free, which you gladly donate, and then ignore what you tell them. These places are hotbeds of swollen, bloated egos consisting of a core of competitively-arched rich people serving with no pay, but immense egos that have to be stroked and protected, and don’t like someone telling them they’re doing something the wrong way, even if they asked you for it.

No, the APPEARANCE of consulting an IT Security source is what’s important, not really DOING anything about it.

I quit offering services to these outfits long ago. It wasn’t worth the trouble, aggro, personality kerfuffles, and tender dowager feelings that had to be soothed.