The NHS was recently crippled over a weekend because of the chaos caused by a cyberattack. There is a common misconception that it’s only large-scale organisations such as the NHS, or high-profile companies, that are under threat. But charities are no different.
They need to maintain high levels of vigilance to spot fraudsters. With extensive databases of personal information and payment details, they are experiencing increasing numbers of cyberattacks, with the threats becoming more sophisticated and better targeted.
Ransomware and cyber-extortion are both relatively new types of fraud. With ransomware, access to a device or file is restricted until a ransom is paid; with cyber-extortion, a threat is made until a payment is received.
We are also seeing more attacks in which criminals hide their identities from unsuspecting victims. Charities are at risk of other fraudulent activity such as invoice fraud, chief executive fraud and vishing, which are other routes of accessing finances from within an organisation. These activities are often hard to see with an untrained eye, so it’s important that everyone, from the board to volunteers, is trained in how best to identify unusual activity.
By putting simple procedures in place and educating employees about the risks, threats and preventive measures, charities can stop cyberattacks. Here is how we recommend doing so:
- Install the latest version of a good-quality anti-virus software suite, and ensure it is updated regularly.
- As soon as an operating system update becomes available, download it. It will ensure you are working with the most secure version.
- Education is key. Ensure employees and volunteers are aware of the risks associated with allowing malware onto a system, and educate them about the ways it can get onto a device.
- Embed clear processes within your charity for everyone to follow when making payments or changing payment details. This will be key in helping to minimise potential fraud by making sure that all requests, including those emailed internally, are genuine.
- Never divulge online banking passwords or online banking secure codes to anyone on the telephone, even if you think you’re talking to the bank.
- Don’t assume an email, text or phone call is authentic.
- Don’t rely on your phone’s caller display to identify a caller, because fraudsters can make your phone’s incoming display show a genuine number.
- Your bank will never call you and tell you to transfer your money to a "safe" account. If you ever see unusual screens or pop-up boxes when using your online banking, or requests to enter bank passwords at an unusual stage, log out immediately and call your banking provider.
- Back everything up regularly. Make copies of your most important files frequently. Store them offsite as a precautionary action. This will enable systems to be restored in the event of an infection, without your files being lost.
- If you do fall victim to a cyberattack, retain the original emails, maintain a timeline of the attack, keeping a record of times, type and content of contacts, and report it to Action Fraud.
- A range of free resources is on offer, including the Lloyds Bank document Fraud Guidance, which is designed to educate firms or charities on how best to protect themselves from falling victim to online fraud attacks.
David Kearney is relationship director at Lloyds Bank Commercial Banking specialising in the charity sector