The charitable sector has seen a significant rise in phishing scams in recent years. The Charity Commission Phishing Alert underscores the urgency and magnitude of this issue. Phishing scams are sophisticated operations in which cyber criminals impersonate trusted figures or institutions, seeking to deceive staff or volunteers into revealing sensitive information or transferring funds under false pretences. The implications of phishing scams include financial loss and the undermining of the trust and reputation that charities have worked hard to build.
To combat this escalating threat, charities must adopt comprehensive cyber security measures. Among the most critical steps is the implementation of Impersonated User Protection, a feature within Microsoft Defender for Office 365, as well as regular staff training, implementing strong password policies and maintaining up-to-date security software.
In this blog, we aim to guide charitable organisations through the labyrinth of cyber security threats, focusing on charity phishing scams. We will delve into the nature of these scams, highlight the recommendations from the Charity Commission, and explore the pivotal role of Impersonated User Protection and Microsoft Defender in safeguarding against these malicious attempts.
Charity Phishing Scams: What are they?
Charity phishing scams are designed to deceive individuals into disclosing sensitive information or making unauthorised financial transactions. Phishing has increasingly targeted charities due to their unique position of trust and the critical data they handle. Nonprofits are often prime targets for impersonation attacks, as cyber criminals exploit their reputations to solicit donations, access confidential donor information, or infiltrate their networks.
The implications of falling victim to charity phishing attacks are severe and range from financial loss to significant damage to the organisation’s reputation and the trust of its supporters. For a deeper insight into the importance of cyber security for charities and the primary causes behind charity cyber attacks, consider exploring our detailed discussions in Why is Cyber Security Important for Charities? and Top Causes of Charity Cyber Attacks.
Increased Phishing Scams on People
As explored on our 2023 Charity IT Day during the Beware of Phishers: Essential Guide to the Cyber Threat Landscape Webinar hosted by our industry partners, Proofpoint, cybercriminals are now targeting people far more than organisations as a whole.
This is often overlooked, with most organisations investing predominantly in protecting their devices and networks. Proofpoint data showed that in 2022, organisations spent just 9% of their total cyber security investment on protecting their people. In the same year, over 90% of data breaches targeted people, demonstrating the need for increased protection and cyber security investment in this area.
The most commonly impersonated users are people such as CEOs and others who hold influential positions within the organisation. Those most vulnerable to attacks are staff with access to sensitive information such as bank details and the ability to transfer funds.
Attacks of this nature are rapidly increasing as a result of an evolution in the way cybercriminals can create and orchestrate their attacks. The rise in AI technology has vastly increased their productivity and capabilities with a host of unlegislated AI Phishing Tools available for criminals on the dark web.
Such tools make it far easier for malicious hackers to carry out highly sophisticated and multifaceted attacks at scale. Today, phishing scams can be increasingly difficult to detect and include a range of advanced tactics, including domain impersonation and supporting elements such as human-like AI-generated phone calls.
In the first 6 months of 2023, Proofpoint saw a 500% increase in phishing emails vs the whole of 2022, demonstrating the growing scale of the threat.
Understanding the Charity Commission Phishing Alert
The Charity Commission’s phishing alert serves as a critical reminder for organisations within the sector to remain vigilant against sophisticated cyber threats and configure anti phishing defences. Common phishing tactics include sending emails or messages that include impersonation attempts and mimic official communication to make them appear legitimate. These communications may prompt the recipient to click on links, download harmful attachments, or respond with confidential information.
Understanding and recognising these phishing attempts is paramount for charities aiming to protect their data. By staying informed through resources like the Charity Commission’s regulatory alerts, charities can better equip themselves to identify and counteract these malicious attempts.
Risks Associated with Charity Phishing Scams
The risks associated with charity phishing scams extend far beyond financial implications. Financially, the direct loss of funds can be significant, however, the repercussions often reach further and impact the charity’s reputation among donors and stakeholders. A breach of trust can lead to a decline in donations and support.
Phishing attacks can result in unauthorised access to internal networks, leading to data breaches that compromise the personal information of donors, beneficiaries, and employees. These breaches require substantial time and resources to address.
Steps to minimising the risk of Charity Phishing Scams
Minimising the risk of charity phishing scams requires a proactive and comprehensive approach to cyber security. Take a look at our Ultimate Guide to Cyber Essentials for Charities and Nonprofits for the first steps to piecing together and implementing a robust cyber security plan.
Moreover, adopting advanced security solutions like Microsoft 365 Advanced Threat Protection is a significant step towards safeguarding against sophisticated attacks. This advanced feature plays a crucial role in identifying and neutralising attempts to impersonate trusted users, thereby mitigating the risk of successful phishing scams. The following sections highlight the importance of Impersonated User Protection and its role as a cornerstone of the defences available to today’s charitable organisations.
Introducing Impersonated User Protection
Impersonated User Protection is a critical component in the fight against phishing. This advanced security feature, available in solutions like Microsoft Defender for Office 365, is designed to identify and block attempts by attackers to impersonate trusted users or entities. By leveraging algorithms and machine learning, it scrutinises email patterns, sender behaviours and the authenticity of email sources to detect anomalies that may indicate a phishing attempt.
Microsoft Defender for Office 365 plays a pivotal role in delivering this protection, offering a comprehensive suite of tools tailored to meet the cyber security needs of charities. This platform not only includes Impersonated User Protection but also provides a range of other security features designed to detect, investigate and respond to various cyber threats. By implementing these cyber defences, charities can significantly reduce their vulnerability to phishing attacks.
Steps to Enable Impersonated User Protection
Enabling Impersonated User Protection within Microsoft Defender for Office 365 is a pivotal step for charities looking to fortify their defences against phishing scams. Below is a step-by-step guide on how charities can enable Impersonated User Protection:
- In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Policies & Rules > Threat policies > Anti-phishing in the Policies section.
- Create an Anti-phishing Policy: Click on ‘+ Create’ to set up a new anti-phishing policy. Name your policy and describe it for easy identification.
- Configure Protection Settings: Within the policy setup, look for the ‘Impersonation’ settings. Here, you can add the users you want to protect from being impersonated. You can also specify the domains that are to be included in the protection.
- Define Actions: Decide what actions to take when an email is identified as impersonating a user or domain. Options typically include redirecting the mail to a designated folder, delivering it with a warning, or deleting it altogether.
- Review and Save: Ensure all the settings are correctly configured to your charity’s needs before saving the policy.
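The same five steps can be carried out from Exchange Online PowerShell, which is useful when you want the policy to be repeatable and reviewable rather than clicked through in the portal. The script below is an added example and is not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the account used holds a Security Administrator role, and that the tenant holds a Microsoft Defender for Office 365 licence (the impersonation settings are not available in plain Exchange Online Protection). All names, addresses and domains are placeholders for a hypothetical charity.

```powershell
# Added example (not the post's own code): create an anti-phishing policy with
# impersonation protection via Exchange Online PowerShell. Names, addresses and
# domains are placeholders for a hypothetical charity; replace them with your own.
# Assumes the ExchangeOnlineManagement module, a Security Administrator account,
# and a Defender for Office 365 licence for the impersonation settings.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@examplecharity.org

$policyName = 'Charity Impersonation Protection'

# Step 3a: users most likely to be impersonated (CEO, finance lead).
# Each entry uses the "Display Name;email address" format the cmdlet expects.
$protectedUsers = @(
    'Jane Doe;jane.doe@examplecharity.org',
    'Sam Lee;sam.lee@examplecharity.org'
)

# Step 3b: external domains you correspond with regularly (bank, auditor, payroll).
$protectedDomains = @('examplebank.example', 'exampleauditor.example')

# Steps 2-4: create the policy, protect the users and domains, and set the
# actions. Quarantine keeps the message for review rather than deleting it outright.
New-AntiPhishPolicy -Name $policyName `
    -AdminDisplayName 'Protects key staff and partner domains from impersonation' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 2

# A policy does nothing until a rule scopes it to recipients; here, every
# mailbox in the charity's own domain, at the highest priority.
New-AntiPhishRule -Name "$policyName rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'examplecharity.org' `
    -Priority 0

# Step 5: review what was actually saved before signing off on the change.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect,
                  TargetedUserProtectionAction, EnableTargetedDomainsProtection,
                  TargetedDomainsToProtect, EnableMailboxIntelligenceProtection,
                  PhishThresholdLevel |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Two design points worth noting. Quarantine is chosen over Delete for the user and domain impersonation actions so that a legitimate message caught by a false positive (a trustee writing from a personal address, say) can be released rather than lost; mailbox intelligence, which learns from each user's normal correspondents and is more prone to false positives, is set to the gentler Move-to-Junk action. The final Get-AntiPhishPolicy call is the scripted form of the post's "Review and Save" step: keep its output with your change record so the protected-user list can be checked against staff changes at the regular reviews the post recommends.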
To maintain security vigilance, regularly review and update your anti-phishing policies to adapt to new threats. Educate your staff and volunteers about the importance of reporting suspicious emails and conduct regular training sessions on recognising charity-targeted phishing attempts.
Additional Security Measures for Charities
Charities should consider a multifaceted approach to cyber security to bolster their defences against phishing and other cyber threats. Implementing additional security measures can enhance an organisation’s cyber security posture significantly. These can be tools such as advanced endpoint protection, secure email gateways and services that monitor for data breaches.
Charities can also explore grants which are designed to support cyber security initiatives, providing them with the financial resources to adopt these essential tools and services. More information on these grants can be found at Grants for Cyber Security for Charities, offering valuable opportunities for nonprofits to strengthen their security measures without straining their budget.
Regularly scheduled training sessions can help ensure that all team members are aware of the latest phishing tactics and know how to respond to potential threats. This can help significantly reduce the risk of successful attacks by fostering a culture of security awareness and vigilance.
Staying up-to-date on the latest scamming trends and cyber security developments is equally important. The cyber threat landscape is constantly evolving, making it essential for charities to keep up-to-date with the latest information. Resources like Top Cyber Security Trends provide insights into emerging threats and advancements in cyber security.
By combining advanced security technologies with comprehensive training and reviewing the latest trends, charities can create a robust cyber security environment. This proactive approach not only protects against immediate threats but also builds a foundation for enduring security and resilience in the face of evolving cyber risks.
Final Thoughts: Safeguarding Your Charity Against Phishing Scams
In conclusion, the escalating threat of phishing scams to the charitable sector highlights the critical need for robust and proactive security measures. Several trends stand out, from the sophisticated tactics employed by cybercriminals to impersonate trusted entities, to the significant financial, reputational, and operational risks that phishing attacks pose to charities.
The key to safeguarding your charity against these cyber threats lies in a robust approach to cyber security. This encompasses not only the adoption of advanced technological defences like Impersonated User Protection but also the commitment to staff education and staying informed about the latest cyber trends.
Charities must take immediate action to protect themselves against phishing threats. By integrating the recommended practices and tools discussed, and fostering a culture of cyber security awareness and vigilance, charities can confidently navigate the digital landscape.
Would your charity like to find out more about cyber security and how best to tailor cyber security to fit your organisation’s needs? Book your FREE Cyber Security Consultation with our IT experts at Qlic IT by clicking the button below.