Charities must take steps to reduce the risk of being affected by fraud, the Charity Commission has warned.
The regulator issued a regulatory alert yesterday about phishing attacks on charities after a rise in the number of reports about the offence.
Phishing is a type of fraud that involves duping people into handing over sensitive information such as usernames, passwords and bank details.
This often occurs through email, pop-up messages on websites, phone calls or text messages. Action Fraud, the UK’s fraud and cyber-crime reporting centre, receives approximately 8,000 phishing reports a month.
The Charity Commission said in the alert that charities should take some preventive steps, such as keeping virus protection and software up to date, and installing anti-spyware programmes.
Charities should also make regular backups of files to external hard drives, memory sticks or online storage providers, and should be careful to ensure staff do not click on links or attachments in unsolicited emails or SMS messages.
The regulator also warned that fraudsters can attempt to impersonate trusted people’s email addresses to get staff to hand over sensitive information, and that staff should be told to check email headers to ensure the email is genuine.
If a charity believes its bank details have been accessed by a fraudster, it should get in touch with its bank immediately, the alert said.
The alert was a response to a spate of cyber frauds against charities, including a £500,000 "vishing and spoofing" fraud against Highland Hospice in Scotland in July.
A police statement at the time said the hospice was one of a number of organisations in the Highlands region that had been affected, and £2.5m was taken from businesses in the area during the spate of frauds.
In another case, Bury Hospice was the victim of a "sophisticated" fraud in July involving an online virus check that resulted in the charity losing £235,000.
Bolton Hospice was targeted by fraudsters in July in an attack that was foiled by staff.
A statement from Bolton Hospice at the time said the attack included "a triangulated attack that involved contacting one of our major suppliers and having our bank’s telephone number on caller display".
The Fundraising Regulator also issued a warning last month that fraudsters were sending invoices to charities demanding payment for the Fundraising Preference Service. The costs of the FPS are covered by the voluntary levy that the regulator has been asking the largest fundraising charities to pay.