Cyber-crime is a growing threat for charities and community groups, as attacks can cause huge disruption to the day-to-day running of your charity and can have long-term and damaging effects.
If your organisation uses, sends or stores data electronically, then you may benefit from cyber insurance. The data you have, whether it is sensitive customer/donor information or business data, is vulnerable to data breaches and cyber-attacks. A cyber insurance policy can help with the cost of recovery of any lost data, and can even refund any losses you incur as a result of a cyber-attack.
Although the threats from cyber-crime are very real for charities and community groups, it can be difficult to relate the dangers to your own organisation. Terms like ‘hacking’, ‘malware’, ‘botnets’ and ‘ransomware’ are so alien to the average person that it is hard to appreciate the risks.
Below we have outlined a real-life case of cyber-crime that recently affected a charity in the UK, which highlights both the financial damage a cyber-attack can pose and how important it is to have adequate cyber cover in place.
If you have any questions about cyber insurance for your charity, contact BHIB Charities Insurance today on 0330 013 0036 or use our contact form.
The charity involved was a cancer charity that regularly transfers money to other organisations (mostly businesses and universities) involved in medical research into cancer treatment.
The charity had been funding a third-party medical research company to carry out a number of research projects, and had been sending money to the company on a monthly basis.
All it took was a few simple steps for the charity to inadvertently pay £59,083.60 directly into a fraudster’s bank account. Thankfully their bank was able to claw back £21,405.50, and because the charity had cyber insurance in place they were able to recoup the remaining £37,678.10 via their insurance company.
The simple steps that led to the charity nearly losing close to £40,000 were:
Step 1: An employee’s email account at the medical research company is compromised
An employee at the company the charity had enlisted to carry out research received an email they believed was from Microsoft. They clicked a link in the email and filled out their login details on the landing page. However, the email was not from Microsoft – it was sent by a cyber-criminal who now had full access to the employee’s company email account.
Step 2: The fraudster sends an email to the charity pretending to be from the medical research company
Now that they have access to the email account, the fraudster is able to send an email to the charity pretending to be the employee of the research company. They send an email informing the charity that the medical research company has decided to change its banking services provider, and therefore has new payment details to which all future invoice payments from the charity should be made.
The fraudster even created a fake document to attach to the email, including the medical research company’s logo and contact details, so as not to arouse any suspicion at the charity.
As the email came from their regular contact at the medical research company, and included a professional and authentic-looking document with the new bank details on it, the employee in the charity’s accounts department who received the request assumed it was legitimate and updated the payment details on their system. Now all the fraudster had to do was wait for the charity’s monthly payment run to go through and be paid.
This simple but effective scam was only noticed when the medical research company contacted the charity a week later to chase up the outstanding payment. Both banks and the police were informed, and one of the banks was able to prevent some of the money being cleared into the fraudster’s account.
Without cyber insurance, though, the charity would have been almost £40,000 out of pocket purely because of human error.
Tips for cyber security when working from home
With the current social distancing measures put in place by the UK government, a lot of workers are now having to work from home to limit the spread of coronavirus.
This increase in remote working represents an opportunity for cyber criminals to target weaker and less protected networks, and there has been a notable rise in cybercrime in recent weeks.
Here are some quick security tips to help protect your charity while many of your employees are working remotely:
Use strong passwords
One of the simplest changes you can make is also one of the most effective – changing the passwords you and your employees use to log in to your various online services.
Now is as good a time as any to make sure everyone updates their passwords to something more secure.
To make passwords more secure, use at least eight characters including a mixture of uppercase and lowercase letters, numbers and special characters (e.g. !, ?, £). Avoid using names, places and dates, as these could easily be guessed by cyber criminals.
Enable Multi-Factor Authentication (MFA) wherever possible
Many online services offer Multi-Factor Authentication (MFA) as a way to make your account more secure. This involves first entering your password and then receiving a randomly generated code on your mobile phone, via a text message or through an app. You can only complete the login process by entering the code.
This extra layer of protection means even if your password is breached, cyber criminals are still prevented from accessing your account as they will not receive the code.
Activate software updates as soon as possible
Software updates can be a pain, but it is essential that you and your remote working employees apply any updates as soon as they can.
Software companies tend to roll out updates to fix security vulnerabilities they have discovered, so your computers will remain vulnerable unless they are updated.
If you need more convincing, bear in mind that the much-publicised ‘WannaCry’ attack that affected the NHS in 2017 used known exploits against older Windows computers that hadn’t been updated.
Produce quick reference guides for employees
Having many workers suddenly needing to access your network remotely can lead to a lot of support requests landing in your IT department’s inbox.
To prevent this, and to free up your IT staff to focus more on security, produce quick and easy reference guides for everyone which detail exactly how to log in and access the network from home.
Train staff to recognise ‘phishing’ emails
‘Phishing’ is a very common form of cyber-attack which can be easily spotted and avoided if you know what you are looking for.
A phishing attack begins with an email being sent that looks like it is from an official, recognisable source e.g. from GOV.UK, HMRC, NHS, Amazon etc. The email attempts to trick the ‘victim’ into providing sensitive information such as bank details, passwords and so on.
Some phishing emails can be very convincing, so training staff on how to spot them is important. Here are some pointers on what to look out for:
- Look closely at the email address the message has been sent from. Does the domain match up with the purported sender? For example, if it is from a government department such as HMRC the sender address should end in @gov.uk – not a personal address like @gmail.com or a random domain like @refunds-notices.co.uk
- Be on the lookout for spelling and grammar mistakes in the email body. If the email really is from a big company or official body then it is unlikely to contain mistakes – particularly really obvious ones
- Check who the email is addressed to. If it has a generic salutation such as ‘Dear Customer’, that is a sign that the sender doesn’t know you and only has your email address rather than any other personal information
- Is the offer too good to be true? If you’ve received a random email saying you’ve won a dream holiday or a cash prize then that is definitely one to be wary of!
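The first pointer above, turned into a small check, as an added illustration that is not part of the original article: it ignores the display name (which the sender controls entirely), extracts the real sending domain and only accepts it if it is the expected domain or a subdomain of it. The table of claimed senders and their expected domains is a constructed placeholder you would replace with your own contacts.

```python
from email.utils import parseaddr

# Constructed lookup (assumption, not from the article): who an email claims
# to be from, and the domain genuine mail from that sender should come from.
EXPECTED_DOMAINS = {
    "hmrc": "gov.uk",
    "gov.uk": "gov.uk",
    "nhs": "nhs.uk",
}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From: header.

    The display name ("HMRC <...>") is ignored on purpose: a fraudster can put
    anything there, so only the part after the last '@' in the address counts.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def domain_matches(domain: str, expected: str) -> bool:
    """True only if domain is expected, or a subdomain of it.

    Both 'gov.uk.refunds-notices.co.uk' (expected domain buried on the left)
    and 'notgov.uk' (expected domain as a bare suffix) must fail here, so the
    check is done on a dot boundary rather than with a plain endswith().
    """
    return domain == expected or domain.endswith("." + expected)


def check_sender(from_header: str, claimed_sender: str) -> str:
    """Classify a From: header against the sender the message claims to be."""
    expected = EXPECTED_DOMAINS.get(claimed_sender.lower())
    if expected is None:
        return "unknown-sender"
    domain = sender_domain(from_header)
    if not domain:
        return "suspicious: no sending address"
    if domain_matches(domain, expected):
        return "ok"
    return f"suspicious: {domain} is not {expected}"


if __name__ == "__main__":
    # Constructed sample headers modelled on the article's HMRC example.
    for header in ("HMRC Refunds <noreply@hmrc.gov.uk>",
                   "HMRC <tax.refund@gmail.com>",
                   "HMRC <notice@refunds-notices.co.uk>",
                   "HMRC <notice@gov.uk.refunds-notices.co.uk>"):
        print(f"{header!r}: {check_sender(header, 'HMRC')}")
```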
Be careful with USB sticks and SD cards
Removable media such as USB sticks and SD cards can introduce viruses to computers, which can then spread across shared networks. Make sure all employees are aware of the dangers of using removable media, and that they should only use removable media from a source they trust.
About BHIB Charities Insurance
BHIB Charities Insurance specialise in providing tailored cover for community groups, clubs, societies, voluntary organisations and hobby or special interest groups. We offer more than just insurance and we are passionate about supporting local communities.
Any views or opinions expressed above are for guidance only and are expressed in generic terms. They are not intended as a substitute for readers taking appropriate professional advice relevant to individual circumstances. We would always encourage readers to seek professional advice.