Phishing and Social Engineering Awareness for Charities and Volunteers
June 21, 2024
Charities and volunteer organisations are crucial in addressing societal needs and supporting vulnerable populations. However, their mission-driven focus often makes them attractive targets for cybercriminals employing phishing and social engineering tactics.
Charities and nonprofit organisations depend on people, stakeholders of every kind, to keep their missions running. Yet risk leaders in this sector continue to believe that the people they don’t know, external bad actors, are the biggest threat to mission success. The sobering truth is that insiders, such as volunteers and staff, pose a far more potent threat to your mission.
How? The people who serve your charity hold the keys to your organisation’s reputation, financial health, and the well-being of your physical and financial assets. However, they also present vulnerabilities that cybercriminals exploit through phishing and social engineering tactics. Bad behaviour, such as clicking on suspicious links or downloading attachments from unknown sources, can inadvertently introduce malware or ransomware into the organisation’s network. Ignorance of internal controls and disregard for safety and security policies can exacerbate these risks, providing easy entry points for malicious actors.
While most risk leaders recognise the link between people-related risk and reputation, they may underestimate the potential impact on compliance with data protection regulations. Mishandling the personally identifiable information (PII) of donors, employees, and others can damage the organisation’s reputation and lead to legal repercussions and financial penalties.
This article aims to raise phishing and social engineering awareness among charities and volunteers about these threats, provide comprehensive prevention strategies, and ensure they can continue their vital work securely.
Social engineering is the art of manipulating individuals into divulging confidential information or performing actions that compromise security. Unlike traditional hacking, which targets technical vulnerabilities, social engineering exploits human psychology.
The information these criminals seek varies, but when individuals are targeted, the criminals usually try to deceive them into disclosing passwords or bank details, or into granting access to their computers. That access allows the perpetrators to install malicious software covertly, giving them control over the victim’s computer and access to sensitive data.
Criminals resort to phishing and social engineering because it is often easier to exploit human trust than to breach technical defences. For instance, it is simpler to deceive someone into revealing their password than to try to crack it directly, especially if the password is sufficiently strong.
The dedication and flexibility of charity staff and volunteers are admirable qualities that contribute to the organisation’s success. However, these same traits can also make them vulnerable to social engineering tactics employed by cybercriminals.
In many charitable organisations, especially those with limited resources, staff and volunteers wear multiple hats and are often stretched thin. This can lead to a mindset where individuals may not see themselves as responsible for cyber security. Some may believe that cyber security is solely the responsibility of the IT department. However, protecting sensitive information is everyone’s responsibility within an organisation.
Another common misconception is that robust systems and technology alone can protect against cyber threats. While implementing secure systems is crucial, cybercriminals often target the human element—the staff and volunteers themselves. Even the most sophisticated security measures can be circumvented if individuals are not vigilant and aware of potential risks.
Cybercriminals often employ social engineering tactics, offering assistance or support to gain access to sensitive information. For example, individuals may receive unsolicited calls from scammers posing as technical support representatives offering to fix computer issues. These scammers exploit the goodwill and trust of individuals to obtain login credentials and other personal information.
By understanding why volunteers and staff are susceptible to social engineering tactics, charities can implement targeted training and awareness programmes to empower individuals to recognise and respond to potential threats effectively.
Cybercriminals employ various social engineering tactics to deceive individuals and organisations, targeting their vulnerabilities to gain access to sensitive information or compromise security measures. Recognising these common techniques is essential for charities and volunteers to protect against potential threats.
Phishing is a very common trick in which cybercriminals send fake emails or messages that look genuine, trying to get people to share confidential information such as passwords or bank details. They may pretend to be from a trusted company and use urgent or exciting language to pressure you. Being able to spot and ignore these fake messages is important to stay safe from this type of scam.
For more information on how to spot and recognise phishing attacks, read our comprehensive guide.
This trick relies on curiosity. Cybercriminals offer something tempting, like a free download, but it has harmful software. People who take the bait unknowingly let malicious software into their devices and share sensitive information. So, it’s important to be careful and aware of cyber security risks.
This tactic targets important people in an organisation, such as senior management or decision-makers. Cybercriminals plan their attacks carefully so that they appear to come from someone trusted, such as the CEO. Their goal is to trick these high-value targets into sharing confidential information or approving fraudulent transactions.
This is when cybercriminals break into genuine email accounts within an organisation. It is an insidious way for them to impersonate employees, managers, or even suppliers. By doing so, they can trick people into sending money or granting access to sensitive information. Stopping this requires strong security measures from the organisation and awareness of these tricks from everyone in it.
Pretexting is when cybercriminals make up a fake situation or story to trick people into sharing sensitive information. They might pretend to be someone important or act like there’s an emergency. By doing this, they try to get people to give away personal data. To protect against this, it’s important to always double-check requests.
Phishing and social engineering awareness among volunteers and staff is the cornerstone of protecting your charitable organisation. Providing memorable, frequent training and insights on new and evolving forms of social engineering is essential. Remember that anyone who answers a phone, opens an email, or connects to the Internet on behalf of your charity is a potential victim or access point to sensitive and confidential information in your nonprofit’s care or control.
Testing staff against the scams they are likely to face, using phishing simulations, is a proactive measure. Running these simulations quarterly lets you monitor risk without overwhelming staff with excessive testing. Regular testing reinforces awareness and helps staff recognise and respond appropriately to potential threats, strengthening your organisation’s security posture.
Implementing robust email security measures and secure communication tools is vital for protecting your charitable organisation against phishing and social engineering attacks. By fortifying your email infrastructure and communication channels, you can significantly reduce the risk of cyber threats infiltrating your systems.
Clear security protocols should be in place for handling all confidential information. You can adopt recognised cyber security standards like Cyber Essentials and the NIST Cyber Security Framework to guide your policies. Make sure everyone on your team knows and understands these protocols. Training all staff members, regardless of their role, is crucial for building a strong defence against cyber risks.
Keep your policies up to date by reviewing and revising them regularly. Doing so helps you stay prepared for new threats and changes in regulations. By staying proactive and continuously improving your security measures, you can protect your organisation’s valuable information and assets effectively.
Many volunteers use their own devices, such as laptops and smartphones, to access organisational resources. It’s essential to implement a bring-your-own-device (BYOD) policy that sets out the security requirements for personal devices used for work. This policy may include measures such as keeping security software up to date, requiring strong passwords or multi-factor authentication (MFA), and enabling remote wipe in case of loss or theft.
By implementing robust BYOD security measures, you can mitigate the risks associated with personal devices accessing sensitive organisational data. This helps to ensure that confidential information remains protected, even when accessed from personal devices.
By staying current with software updates, you ensure that your systems have the latest security features to defend against cyber threats. Additionally, prompt patch management addresses known vulnerabilities, reducing the risk of unauthorised access or data breaches.
Implementing a robust patch management process involves monitoring for new patches and promptly applying them to all relevant systems and devices. Prioritising critical patches that address severe security vulnerabilities is crucial to effectively mitigate immediate threats. With proactive software updates and patch management, your organisation can enhance its cyber security posture and protect sensitive information from potential risks.
For more expert tips and insights, read our article on building a cyber security strategy on a budget.
When it comes to protecting yourself online, simple strategies can go a long way. Here are some practical tips to help you avoid falling victim to phishing attempts:
Operating with a blend of employed staff and volunteers, charities face a significant human risk element, potentially more so than other organisations. The challenge lies in ensuring that all individuals working within the charity possess the same minimum levels of phishing and social engineering awareness.
At OneCollab, we understand these challenges and are here to help. Our cyber security training programmes shine a light on your organisation’s current human risk areas, empowering you to build a security-savvy workforce.
We recognise that time, budget constraints, and uncertainty about where to start can hinder progress. That’s why we’ve developed a low-cost, fully managed training service that is quick to launch, non-disruptive, and covers all the essential elements for promoting secure user behaviour. Services include:
“As a small charity, managing costs whilst getting the very best support is crucial. OneCollab have helped us with IT support, moving systems and installing their fantastic cyber security services which has been a game-changer for us. Not only have services been affordable, but the team are responsive and give us comprehensive protection and peace of mind knowing we’re doing everything possible to safeguard our stakeholders’ interests.”
– Sean Pontin, CEO of Enable Jersey
Ready to strengthen your charitable organisation’s cyber security posture? Contact OneCollab today to learn more about our phishing and social engineering awareness training programme and start protecting your charity from cyber threats.