Cyber security is one of the greatest concerns for UK charities, as cyber attacks continue to grow more regular and more sophisticated. From ransomware to phishing scams, cybercriminals are developing targeted tactics designed to exploit organisations with limited resources and high-value data.
Unfortunately, charities are particularly vulnerable, often due to limited cyber security budgets, a reliance on third-party platforms, and the sensitive nature of the data they hold. As highlighted in our guide to cyber security best practices for charities fundraising online, even well-meaning organisations can find themselves exposed without realising it.
As Helen Stephenson, Chief Executive of the Charity Commission for England and Wales, stated: “Charities play a crucial role in our society and in every community. Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance.”
According to the UK’s National Cyber Security Centre, as of February 2025, there have been more than 39 million reported scams, resulting in the removal of 210 distinct scam campaigns across 380,809 URLs.
In this guide, we’ll explore one of the most dangerous and deceptive forms of cyber attack facing the nonprofit sector today: spear phishing.
What you’ll learn:
- What a spear phishing attack is and how it works
- Why charities are increasingly being targeted
- Real-world examples of spear phishing in the charity sector
- How to spot and prevent these attacks
- Steps your charity can take to strengthen cyber resilience
What is a Spear Phishing Attack?
To understand spear phishing, it’s helpful to first understand phishing in general. A phishing attack is a type of cyber scam where criminals imitate trusted individuals or organisations, often through emails, text messages, or phone calls, to trick victims into handing over sensitive information such as login credentials, social security numbers, financial data, or personal details.
Phishing attacks prioritise quantity. The messaging is typically generic and sent in bulk to hundreds or thousands of recipients, with the hope that just a few will take the bait. These emails often appear to come from known sources like banks, delivery companies, or service providers, and use scare tactics to provoke a quick response.
Spear phishing, on the other hand, is far more targeted and far more dangerous. Spear phishing attacks prioritise quality over quantity. Rather than blasting a generic message to the masses, the attacker crafts extremely personalised and convincing messages aimed at a specific individual or organisation. This could be an email that references a recent donation, uses the recipient’s name and job title, or mimics the writing style of a known colleague or partner.
Because they appear so legitimate, spear phishing attacks are substantially harder to detect and far more successful. In fact, according to IBM’s 2023 Cost of a Data Breach Report, phishing remains the most frequent cause of data breaches worldwide. Barracuda’s 2023 Spear Phishing Trends report adds further weight to the concern, revealing that the average organisation receives five spear-phishing emails per day, more than 1,700 per year.
For charities, this trend is particularly concerning. These attacks often target staff or volunteers with access to donation platforms, donor databases, or financial systems, so a single successful spear phishing attempt can have a severe impact.
How Spear Phishing Works
Spear phishing is a calculated, multi-step attack that relies on psychological manipulation and personalisation. Unlike generic phishing campaigns, spear phishing takes time, effort, and precision.
Here’s how attackers usually execute these scams:
Target Identification
The first step involves choosing a specific individual or organisation. In the third sector, this is often a senior staff member or anyone with authority to approve payments or access donor data. Attackers look for people who are active online or featured in public-facing materials such as annual reports or event listings.
Researching the Target
Once a target is identified, cybercriminals perform in-depth research to gather personal information.
This can include:
- Email addresses and job roles from the charity’s website
- Social media posts about recent events or funding milestones
- Online publications or interviews mentioning the individual
- Connections to partner organisations or suppliers
The attacker builds a clear picture of their target’s role, responsibilities, communication style, and likely points of contact, helping them create a convincing impersonation.
Creating and Sending the Phishing Message
Armed with this intelligence, the attacker crafts an extremely convincing message, commonly via email, that appears to come from a trusted source. It might mimic a real funder, senior colleague, or IT provider, and include urgent language to prompt action. These messages may:
- Request login credentials or prompt a password reset
- Ask for a wire transfer or invoice payment
- Contain malicious links to fake websites
- Include infected attachments
Once the target interacts with the message, the attacker may gain access to sensitive systems, redirect funds, or steal confidential information.
Spear Phishing Examples and Types in the Third Sector
Charities and nonprofits are increasingly being targeted with sophisticated forms of spear phishing. Below are the five most common types of spear-phishing attacks encountered in the third sector:
Scamming
Scamming represents 47% of spear-phishing emails, making it the most common form. These attacks aim to steal personal and financial information, including bank account numbers, donor details, and staff credentials. In charities, this might take the form of a false donation request, a fraudulent invoice, or a spoofed email from a senior leader asking for urgent payment processing or the purchase of gift cards.
Brand Impersonation
Brand impersonation attacks trick recipients into thinking an email comes from a trusted external provider or well-known company, such as Microsoft, Google, or a charity CRM platform. These messages might include fake login pages or security alerts, prompting staff to hand over their passwords.
Business Email Compromise (BEC)
In a BEC attack, spear phishers impersonate someone internal to the organisation, often a director or CFO, or a trusted external partner, and request sensitive information or bank transfers. These attacks often:
- Appear to come from a legitimate internal email
- Use language and context specific to the organisation
- Target finance teams, donor managers, or operations staff
For example, a finance assistant at a charity might receive an email seemingly from the CEO asking for a confidential transfer of funds to a supplier, but it’s actually a scam.
Conversation Hijacking
Conversation hijacking is a more advanced tactic where the attacker inserts themselves into an existing email thread or starts a new message that appears to follow on from a legitimate discussion. This usually happens after gaining access to an email account via prior phishing or credential theft. In a nonprofit setting, this could involve:
- Continuing a conversation with a grant funder
- Referencing a recent event or donation campaign
- Providing a “new bank account” for upcoming payments
Because the message fits the flow of prior communications, recipients are far more likely to comply.
Extortion
In some cases, attackers use extortion tactics, threatening to leak sensitive data unless a payment is made. This could involve compromising an email account, locking a database, or even threatening reputational damage.
A powerful real-world example occurred in 2019 at a small hospice in the West Midlands. A staff member received an email, seemingly from Microsoft, requesting a password change. After following the instructions, the attacker took control of the user’s email account.
They changed the forwarding rules so the victim couldn’t see emails being sent from their account. Within hours, donors reported suspicious messages, and an investigation revealed the email account had been compromised, with access to credit card details of 35,000 individuals. This case underscores the potential scale of damage, even in small organisations.
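The hidden forwarding rules in the hospice case are exactly what a mailbox-rule audit should catch. The following is an added example, not code from the original article: it scans constructed audit records (a simplified schema whose field names are assumptions, loosely modelled on mailbox-rule audit events) and flags rules that forward outside the organisation, delete or hide messages, or filter on payment-related subjects.

```python
# Flag mailbox rules of the kind an attacker creates after taking over an
# account (as in the hospice case above): forwarding to an outside address,
# deleting or hiding messages, often filtered on payment-related subjects.
# Added example; records and field names are constructed assumptions.
import json

ORG_DOMAINS = {"examplehospice.org.uk"}   # assumption: the charity's own domains
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email", "archive"}
PAYMENT_WORDS = {"invoice", "payment", "bank", "donation", "remittance"}

# Constructed sample audit records, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"user":"finance@examplehospice.org.uk","op":"New-InboxRule","name":".","forward_to":"fin.hospice@mail-example.com","delete":true,"subject_contains":["invoice","payment"]}
{"user":"fundraising@examplehospice.org.uk","op":"New-InboxRule","name":"Newsletters","forward_to":null,"move_to":"Newsletters","delete":false,"subject_contains":["newsletter"]}
{"user":"ceo@examplehospice.org.uk","op":"Set-InboxRule","name":"Rule 1","forward_to":"ceo@examplehospice.org.uk","move_to":"RSS Subscriptions","delete":false,"subject_contains":[]}
{"user":"admin@examplehospice.org.uk","op":"New-InboxRule","name":"Bank","forward_to":"drop-box@example.net","move_to":null,"delete":false,"subject_contains":["bank"]}
"""

def is_external(address):
    """True when the address is outside the charity's own domains."""
    return bool(address) and address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def assess_rule(rec):
    """Return the reasons this rule looks like attacker persistence (empty if none)."""
    reasons = []
    if is_external(rec.get("forward_to")):
        reasons.append("forwards to external address")
    if rec.get("delete"):
        reasons.append("deletes matching messages")
    if (rec.get("move_to") or "").lower() in HIDING_FOLDERS:
        reasons.append("moves messages to a rarely-read folder")
    words = {w.lower() for w in rec.get("subject_contains", [])}
    if reasons and words & PAYMENT_WORDS:
        reasons.append("filters on payment-related subjects")
    return reasons

def find_suspicious_rules(audit_log):
    """Parse one record per line; return (user, rule name, reasons) for flagged rules."""
    findings = []
    for line in audit_log.splitlines():
        rec = json.loads(line)
        if rec.get("op") in ("New-InboxRule", "Set-InboxRule"):
            reasons = assess_rule(rec)
            if reasons:
                findings.append((rec["user"], rec["name"], reasons))
    return findings

if __name__ == "__main__":
    for user, name, reasons in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"{user}: rule {name!r}: {'; '.join(reasons)}")
```

A rule that merely files newsletters is left alone; the three rules that forward externally, delete, or hide messages are reported with every reason that applies.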
How to Protect Your Charity from Spear Phishing Attacks
While spear phishing attacks are becoming increasingly sophisticated, charities can take clear, actionable steps to reduce risk and strengthen their cyber defences. Below are six best practices every nonprofit should adopt to safeguard against these threats.
1. Train Your Team
Human error remains one of the leading causes of successful phishing attacks. That’s why regular security awareness training is essential. Charity staff and volunteers should be educated on:
- Recognising malicious emails and urgent language
- Verifying unexpected requests for financial or sensitive information
- Reporting anything that looks unusual
- Following communication policies for remote workers
- Using Microsoft Defender
With many charity staff working from home or in hybrid setups, cybercriminals are capitalising on remote working.
2. Strengthen Email Security
Because spear phishing attacks rely heavily on email, strengthening your organisation’s email and overall security is essential:
- Implement Two-Factor Authentication (2FA) to block unauthorised access
- Use advanced email filtering tools to detect and block malicious messages
- Educate staff to examine sender email addresses closely and learn how to stop phishing emails before they reach inboxes
These steps create multiple layers of defence to protect your organisation’s most targeted entry point.
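Examining sender addresses closely, as the list above recommends, can be partly automated. The following is an added example, not code from the original article or Qlic's tooling: it checks a message's From and Reply-To headers for a known colleague's display name on an outside address, a domain one or two characters off the charity's own, and a Reply-To that diverts replies elsewhere. The staff directory, the domain and the sample message are constructed placeholders.

```python
# Check From/Reply-To headers for the impersonation tricks spear phishers use:
# a known colleague's display name on an outside address, a lookalike domain,
# or a Reply-To that silently diverts replies. Added example, not from the
# original article; the domain, staff list and message below are constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "examplecharity.org.uk"                              # assumed placeholder
KNOWN_STAFF = {"jane smith": "jane.smith@examplecharity.org.uk"}  # assumed staff directory

def edit_distance(a, b):
    """Levenshtein distance, used to spot a domain one or two characters off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw_message):
    """Return warnings for the From/Reply-To headers of a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    key, dom = name.strip().lower(), domain_of(addr)
    warnings = []
    if key in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[key]:
        warnings.append(f"display name '{name}' is staff but address is {addr}")
    if dom and dom != ORG_DOMAIN and edit_distance(dom, ORG_DOMAIN) <= 2:
        warnings.append(f"lookalike domain {dom}")
    if reply and domain_of(reply) != dom:
        warnings.append(f"Reply-To {reply} diverts replies away from {addr}")
    return warnings

# Constructed sample: CEO's name on a lookalike domain ('l' for 'i'), replies diverted.
SAMPLE_BEC_EMAIL = """\
From: Jane Smith <jane.smith@examplecharlty.org.uk>
Reply-To: accounts@mail-example.com

Please process the attached invoice today and keep this confidential.
"""

if __name__ == "__main__":
    for w in check_sender(SAMPLE_BEC_EMAIL):
        print("WARNING:", w)
```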
3. Verify Suspicious Requests
One of the most effective ways to prevent financial fraud is to verify any unusual or high-value requests:
- Use dual authorisation for payments above a certain threshold
- Instruct staff to call and confirm requests using known contact details, not those provided in an email
Even a brief phone call could be the difference between protecting donor funds and falling victim to charity fraud.
4. Keep Software and Hardware Updated
Running outdated software or hardware can create critical security gaps. To reduce vulnerabilities:
- Regularly install updates for your operating systems, web browsers, email clients, and security software
- Deploy endpoint protection tools to identify and block potential malware threats
- Don’t overlook your equipment. The hardware lifecycle is a critical component of IT security: ageing devices often lack the capacity to support essential updates
Ensuring your IT infrastructure is current and maintained is key to preventing data breaches and security issues.
5. Report and Respond Quickly
If something seems suspicious, staff should know exactly what to do:
- Report suspicious emails or activity to your IT team or provider immediately
- If an incident occurs, act fast to reset passwords, isolate affected systems, and notify any stakeholders or donors
- Having a clear incident response plan in place can significantly reduce the impact of an attack
Time matters; a delayed response often means greater damage.
6. Partner with an IT Support Company
A trusted IT support partner gives your charity peace of mind and ensures your cyber security is professionally managed. At Qlic, we work with hundreds of charities to provide:
- 24/7 managed IT support
- Comprehensive cyber security services
- Guidance on achieving Cyber Essentials certification
- Support with cyber security audits and compliance
As a Cyber Essentials-certified provider, we help charities of all sizes build strong cyber defences and ensure ongoing compliance.
Final Thoughts
Spear phishing is one of the most dangerous and deceptive cyber threats facing charities today. These highly targeted attacks can lead to data breaches, financial loss, and reputational damage, often with knock-on consequences for the beneficiaries and causes you support.
But proactive measures can drastically reduce risk. By ensuring your staff gets robust training, strengthening email security, and fostering a culture of vigilance, your organisation can build resilience against these sophisticated attacks.
Don’t wait for an attack to happen. Start strengthening your defences today.
Would your charity like to learn more about spear phishing, cyber security grants, cyber threats, and how to keep your organisation secure? Get in touch with the team at Qlic here.