The Charity Commission has issued its second alert about cyber-blackmail in two months, warning charities to watch out for emails from a group of online extortionists calling itself the Lizard Squad.
According to the commission, in the past week a number of businesses throughout the UK have reported receiving emails from the group demanding payments of five bitcoins (a digital currency) – equivalent to about £1,600.
The email threatens to shut down the organisation’s website by flooding it with visitors if the ransom is not paid, in what is known as a distributed denial of service attack.
It warns that ransom will increase by five bitcoins for every day the demand is not met and claims that once the group’s action has started, it cannot be stopped.
The commission said that charities targeted by the group should not meet the demands and should report the matter to the national fraud service Action Fraud.
They should also retain emails, note all contact received from the group and call their internet service or web hosting provider to ask for help, the regulator said.
A commission spokesman told Third Sector no charities had yet reported being attacked, but the alert was a precautionary measure as part of the commission’s ongoing counter-fraud work.
In March, the commission issued a similar alert warning of attacks by a group that called itself Team RepKiller, which threatened to release hundreds of automated negative online reviews of selected businesses unless ransoms were paid.
Carl Mehta, head of investigations and enforcement operations at the Charity Commission, said: "Charities need to be aware of the imminent danger posed by this fraudulent group and take appropriate steps to protect their assets and good reputation – both of which could be damaged if the ransom demands of the group are met.
"I urge all charities, if they suspect they have fallen victim to such extortion or ransom fraud, to report it immediately to Action Fraud."
The alert says the advice is particularly relevant to those charities that operate overseas or deal with international partners in high risk zones.
It also shares tips from the internet safety website GetSafeOnline on the ways in which organisations can protect themselves from this kind of attack.
These include considering the likelihood and risks to their organisation of a distributed denial of service attack, speaking to a DDoS prevention specialist and ensuring a website has the hosting facilities in place to handle large, unexpected volumes of website hits.
Any charities that are targeted by the group or wish to report another form of fraud should contact Action Fraud on 0300 123 2040 or via the website.