The Charity Commission recently sent alerts to charities across the UK, warning them that cyber-criminals posing as CEOs or senior executives at charities could launch phishing attacks on employees and ask them to transfer money to the fraudsters' bank accounts.
Terming this type of operation "CEO Fraud", the Charity Commission said that employees at charity organisations need to be careful when handling requests for transfers of funds, even if such requests look like they were made by CEOs.
According to the commission, fraudsters have also targeted schools by posing as the head teacher or principal. It added that such fraudsters often operate in groups where one poses as a CEO and the other poses as a lawyer or a regulator in order to convince their victims that their requests are indeed genuine.
"With a strong social engineering element, the fraudster often requests that they, as the CEO, are not contacted further by the financial officer as they are busy. Alternatively the fraudster may pick occasions when the real CEO is on holiday, preventing the financial officer from checking the validity of the request," it added.
"The fact that Action Fraud have picked out the charity sector as a potential target for phishing attack is no surprise. The shoestring budgets associated with most charitable organisations, and the understandable prioritisation of frontline services over cyber-security products and training is well known, meaning malicious actors can exploit their lack of funding," Tim Helming, director of product management at DomainTools, told SC Magazine UK.
"Organisations need to realise that while prioritising cyber-security may not be immediately obvious on a tight budget, failing to do so could cause more damage to frontline services in the long-run," he added.
The Charity Commission has asked charity organisations across the UK to take certain measures to ensure their employees do not fall for phishing tactics employed by fraudsters. These steps include a review of internal procedures regarding how transactions are requested and approved, training employees to check email addresses and telephone numbers whenever fund transfer requests are made, and asking them not to click on links in emails that look suspicious.
The commission also advised charities to better manage the security of confidential information in order to prevent its leakage to external actors. Shredding confidential documents once their purpose is achieved and restricting the information that employees may post publicly will go a long way towards limiting the ability of fraudsters to gather information and carry out phishing attacks.
Back in March, the UK government's Action Fraud department released a list of eight online scams that organisations and individuals were asked to watch out for. These included the monitoring of social media posts by fraudsters to gain more information about their victims, insertion of malicious software in victims' phones to steal data, and fake investment opportunities marketed by fraudsters by warning people about loss of savings post Brexit.
A separate investigation carried out by security firm DomainTools revealed that every charity studied by the firm, including Cancer Research, The National Trust, NSPCC, Oxfam, The Red Cross, Salvation Army, Wateraid, Save The Children and Unicef, was being spoofed online by cyber-criminals, who often used typos in order to dupe unsuspecting Internet users.
According to the firm, some of the most widely-used fraudulent domains used in phishing attacks were fundraisecancerresearch.org, nationltrust.org, oxfamsol-mail.be, redcroas.com, salvationarmycapitalregion.org, svaethechildren.org, and sheltern.com.
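The commission's advice to check email addresses can be partly automated. The following added example (not from the article or from DomainTools) flags sender domains that are near-misses of a charity name or that embed one. The `BRANDS` keys are constructed from the charity names above, the allowlist entry in the comments is a placeholder, and the code assumes the registered name is the leftmost label of the domain.

```python
from email.utils import parseaddr

# Watch-list keys constructed from charity names in the article (lowercased,
# spaces removed). They are illustrative, not the charities' real domains.
BRANDS = ["cancerresearch", "nationaltrust", "oxfam", "redcross",
          "salvationarmy", "savethechildren"]

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped pair
    return d[-1][-1]

def classify(domain, allowlist=frozenset()):
    """Return (verdict, brand); allowlist holds known-good domains,
    e.g. {"nationaltrust.example"} (placeholder, not a real charity domain)."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return ("ok", None)
    # Assumption: the leftmost label is the registered name (no subdomains).
    label = domain.split(".")[0].replace("-", "")
    for brand in BRANDS:
        limit = 1 if len(brand) < 8 else 2  # short names: stricter limit
        if osa_distance(label, brand) <= limit:
            return ("lookalike", brand)  # typo, or exact name on unlisted domain
        if brand in label:
            return ("embedded", brand)   # brand padded with extra words
    return ("no-match", None)

def check_sender(from_header, allowlist=frozenset()):
    """Classify the domain of an email From header."""
    address = parseaddr(from_header)[1]
    return classify(address.rpartition("@")[2], allowlist)

if __name__ == "__main__":
    for d in ["fundraisecancerresearch.org", "nationltrust.org", "oxfamsol-mail.be",
              "redcroas.com", "salvationarmycapitalregion.org", "svaethechildren.org"]:
        print(d, classify(d))
```

A "no-match" verdict only means the domain resembles nothing on the watch list, so the list has to cover every name the organisation cares about.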
"It remains incredibly easy for anyone to purchase an available domain. This is part of what helps keep the Internet open and democratic, but it also helps cyber-criminals exploit users.
In this case the spoofing of charity websites has the added benefit of exploiting people's wish to donate to these charities, making them a particularly lucrative target," said Helming.
"These domains will often be directed towards people via email or SMS phishing campaigns, which hope to encourage users to click on seemingly legitimate-looking links such as those included above, which in turn begins another cycle of cyber-crime.
Phishing can be used by criminals simply to gain credit card or banking information, or as a gateway to install malware on a device or network, which leads to even more serious crimes such as data breaches and/or identity fraud," he added.