Phishing and Social Engineering Awareness for Charities and Volunteers

June 21, 2024

Ollie Rayburn


Charities and volunteer organisations are crucial in addressing societal needs and supporting vulnerable populations. However, their mission-driven focus often makes them attractive targets for cybercriminals employing phishing and social engineering tactics. 

Charities and nonprofit organisations depend on people—stakeholders of all sorts—to make their missions go around. Yet risk leaders in this sector continue to believe that the people they don’t know—external bad actors—are the biggest threat to mission success. The sobering truth is that insiders—like volunteers and staff—pose a far more potent threat to your mission. 

How? The people who serve your charity hold the keys to your organisation’s reputation, financial health, and the well-being of your physical and financial assets. However, they also present vulnerabilities that cybercriminals exploit through phishing and social engineering tactics. Bad behaviour, such as clicking on suspicious links or downloading attachments from unknown sources, can inadvertently introduce malware or ransomware into the organisation’s network. Ignorance of internal controls and disregard for safety and security policies can exacerbate these risks, providing easy entry points for malicious actors. 

While most risk leaders recognise the nexus between people’s peril and reputation, they may underestimate the potential impact on compliance with data protection regulations. Mishandling donor, employee, and other personally identifiable information (PII) can damage the organisation’s reputation and lead to legal repercussions and financial penalties.

This article aims to raise awareness of phishing and social engineering among charities and volunteers, provide comprehensive prevention strategies, and ensure they can continue their vital work securely.

Understanding Social Engineering 

What is Social Engineering? 

Social engineering is the art of manipulating individuals into divulging confidential information or performing actions that compromise security. Unlike traditional hacking, which targets technical vulnerabilities, social engineering exploits human psychology.

The types of information these criminals are seeking can vary. Still, when individuals are targeted, the criminals usually attempt to deceive them into disclosing passwords, bank information, or granting access to their computers. This access allows the perpetrators to secretly install malicious software, granting them control over the victim’s computer and access to sensitive data. 

Why Do Criminals Use Social Engineering Tactics? 

Criminals resort to phishing and social engineering tactics because it’s often easier to exploit human trust than to breach technical defences. For instance, it’s simpler to deceive someone into revealing their password than to attempt to hack it directly, especially if the password is sufficiently strong. 

Why Are Volunteers and Staff Susceptible to Social Engineering? 

The dedication and flexibility of charity staff and volunteers are admirable qualities that contribute to the organisation’s success. However, these same traits can also make them vulnerable to social engineering tactics employed by cybercriminals. 

“It’s Not My Job” Mentality 

In many charitable organisations, especially those with limited resources, staff and volunteers wear multiple hats and are often stretched thin. This can lead to a mindset where individuals may not see themselves as responsible for cyber security. Some may believe that cyber security is solely the responsibility of the IT department. However, protecting sensitive information is everyone’s responsibility within an organisation. 

“There’s an App for That” Misconception 

Another common misconception is that robust systems and technology alone can protect against cyber threats. While implementing secure systems is crucial, cybercriminals often target the human element—the staff and volunteers themselves. Even the most sophisticated security measures can be circumvented if individuals are not vigilant and aware of potential risks. 

“Thank You for Calling” Scams 

Cybercriminals often employ social engineering tactics, offering assistance or support to gain access to sensitive information. For example, individuals may receive unsolicited calls from scammers posing as technical support representatives offering to fix computer issues. These scammers exploit the goodwill and trust of individuals to obtain login credentials and other personal information. 

“I Was Being Nice!” Vulnerabilities 

By understanding why volunteers and staff are susceptible to social engineering tactics, charities can implement targeted training and awareness programmes to empower individuals to recognise and respond to potential threats effectively. 

Common Techniques 

Cybercriminals employ various social engineering tactics to deceive individuals and organisations, targeting their vulnerabilities to gain access to sensitive information or compromise security measures. Recognising these common techniques is essential for charities and volunteers to protect against potential threats. 


Phishing is a very common trick in which cybercriminals send fake emails or messages that look real, trying to get people to share confidential information like passwords or bank details. They might pretend to be from a trusted company and use urgent or exciting language to trick you. Being able to spot and ignore these fake messages is important to stay safe from this type of scam.

For more information on how to spot and recognise Phishing Attacks, read our comprehensive guide. 


This trick relies on curiosity. Cybercriminals offer something tempting, like a free download, but it contains harmful software. People who take the bait unknowingly let malicious software into their devices and share sensitive information. So, it’s important to be careful and aware of cyber security risks.


This technique targets important people in a company, such as senior management or decision-makers. Cybercriminals carefully plan their attacks to make it seem like they’re someone trusted, such as a CEO. Their goal is to trick these important targets into sharing secret information or approving fake transactions.

Business Email Compromise (BEC) 

This is when cybercriminals hack into real email accounts in a company. It’s a sneaky way for them to pretend to be employees, bosses, or even suppliers. By doing this, they can trick people into sending money or giving them access to sensitive information. To stop this, companies need strong security measures, and everyone needs to be aware of these tricks. 


Pretexting is when cybercriminals make up a fake situation or story to trick people into sharing sensitive information. They might pretend to be someone important or act like there’s an emergency. By doing this, they try to get people to give away personal data. To protect against this, it’s important to always double-check requests. 

Phishing and Social Engineering Prevention Strategies 

Educate and Train Staff 

Phishing and social engineering awareness among volunteers and staff is the cornerstone of protecting your charitable organisation. Providing memorable, frequent training and insights on new and evolving forms of social engineering is essential. Remember that anyone who answers a phone, opens an email, or connects to the Internet on behalf of your charity is a potential victim or access point to sensitive and confidential information in your nonprofit’s care or control. 

Testing the scams they’re likely to face with phishing simulations is a proactive measure. Deploying these simulations quarterly can help monitor risks without overwhelming staff with excessive testing. Regular testing reinforces awareness and helps staff recognise and respond appropriately to potential threats, strengthening your organisation’s security posture. 

Implement Robust Email Security and Secure Communication Tools 

Implementing robust email security measures and secure communication tools is vital for protecting your charitable organisation against phishing and social engineering attacks. By fortifying your email infrastructure and communication channels, you can significantly reduce the risk of cyber threats infiltrating your systems. 

  • Spam Filters: Utilise advanced spam filters to block malicious emails before they reach users’ inboxes. 
  • Multi-Factor Authentication (MFA): Enhance email account security by requiring users to provide multiple forms of verification, such as a password and a unique code sent to their mobile device. 
  • Email Encryption: Protect the confidentiality of sensitive information by encrypting emails, ensuring that even if intercepted, the contents remain secure and unreadable to unauthorised individuals. 
  • Secure Messaging Apps: Implement secure messaging apps for internal communication purposes. These apps often come with end-to-end encryption, ensuring that messages remain private and secure. 

Develop Strong Policies 

Clear security protocols should be in place for handling all confidential information. You can adopt recognised cyber security standards like Cyber Essentials and the NIST Cyber Security Framework to guide your policies. Make sure everyone on your team knows and understands these protocols. Training all staff members, regardless of their role, is crucial for building a strong defence against cyber risks. 

Additionally, regular testing of your security policies is important. Conduct unannounced tests to see how well your protocols work in real situations. These tests can simulate different social engineering tactics, like phishing emails or fake phone calls, to check if your team can recognise and handle potential threats.

Keep your policies up to date by reviewing and updating them regularly. This helps you stay prepared for new threats and changes in regulations. By staying proactive and continuously improving your security measures, you can protect your organisation’s valuable information and assets effectively.

BYOD (Bring Your Own Device) Security 

Many volunteers use their own devices, such as laptops and smartphones, to access organisational resources. It’s essential to implement a BYOD policy that outlines security requirements for personal devices used for work purposes. This policy may include measures such as ensuring devices have updated security software, requiring strong passwords or MFA, and enabling remote wipe capabilities in case of loss or theft.

By implementing robust BYOD security measures, you can mitigate the risks associated with personal devices accessing sensitive organisational data. This helps to ensure that confidential information remains protected, even when accessed from personal devices. 

Regularly Update Software and Patch Management 

By staying current with software updates, you ensure that your systems have the latest security features to defend against cyber threats. Additionally, prompt patch management addresses known vulnerabilities, reducing the risk of unauthorised access or data breaches. 

Implementing a robust patch management process involves monitoring for new patches and promptly applying them to all relevant systems and devices. Prioritising critical patches that address severe security vulnerabilities is crucial to effectively mitigate immediate threats. With proactive software updates and patch management, your organisation can enhance its cyber security posture and protect sensitive information from potential risks. 

For more expert tips and insights, read our article on building a cyber security strategy on a budget here. 

Specific Recommendations for Volunteers 

When it comes to protecting yourself online, simple strategies can go a long way. Here are some practical tips to help you avoid falling victim to phishing attempts: 

  • Take your time: Cybercriminals often try to rush you into making hasty decisions. If an email or message urges you to act quickly or creates a sense of urgency, approach it with caution. Always take the time to review the details carefully before taking any action. 
  • Verify information independently: If you receive an unsolicited message claiming to be from a familiar company or organisation, don’t trust it blindly. Take a moment to conduct your own research. Use a search engine to visit the official website or look up the company’s contact information in a trusted directory. 
  • Don’t rely solely on links: Instead of clicking on links provided in emails, take control of your browsing experience by manually entering the website’s address into your browser’s address bar. If you hover over a link in an email, check the URL at the bottom to ensure it matches the expected destination.
  • Confirm with the sender: Even if an email is from someone you know, it’s always wise to verify with them directly if you weren’t expecting any attachments or links. Reach out through another channel, such as a phone call or text message, to confirm the message’s authenticity. 
  • Exercise caution with downloads: Avoid downloading files from unknown or untrusted sources, especially if you weren’t anticipating any attachments. Downloading files from suspicious emails can put your device and personal information at risk of malware or phishing scams. 
  • Report suspicious activity: If you encounter any emails, messages, or calls that seem suspicious or out of the ordinary, don’t hesitate to report them to your organisation’s IT department. Early detection and reporting can help prevent potential security breaches and protect both your personal information and the organisation’s data. 
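
For whoever triages reported emails, two of the tips above (checking that a link goes where its text says, and being wary of urgent wording) can be automated as a first-pass check. This is an added example, not part of the original article or any OneCollab tool; the phrase list, function names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phrase list for the "take your time" tip; extend it for your own mail.
URGENCY = re.compile(
    r"\b(urgent|immediately|act now|within 24 hours|account (?:will be )?suspended)\b", re.I)
# A domain-looking token inside the visible link text, e.g. "www.example.org".
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for each <a> element, plus all body text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL without a leading 'www.'; '' if there is none."""
    return (urlsplit(url).hostname or "").lower().removeprefix("www.")

def review_email(html):
    """Return warnings for one HTML email body: link mismatches, then urgency."""
    parser = LinkCollector()
    parser.feed(html)
    warnings = []
    for href, shown in parser.links:
        target, match = host_of(href), DOMAIN_IN_TEXT.search(shown)
        if not (target and match):
            continue  # no domain shown in the text, or a link without a host
        shown_host = match.group(1).lower().removeprefix("www.")
        # The real destination must be the shown domain or one of its subdomains.
        if target != shown_host and not target.endswith("." + shown_host):
            warnings.append(f"link text shows {shown_host} but goes to {target}")
    hit = URGENCY.search(" ".join(parser.text))
    if hit:
        warnings.append(f"urgent wording: {hit.group(0)!r}")
    return warnings

# Constructed sample message (reserved example/test domains), not a real email.
SAMPLE = ('<p>Dear volunteer, your account will be suspended. Act now:</p>'
          '<a href="https://example-org.account-check.test/reset">www.example.org/reset</a>'
          '<a href="https://www.example.org/news">Read our newsletter</a>')
```

A warning from this check is a reason to verify the message through another channel, not proof of phishing; an empty result does not mean the email is safe.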


Operating with a blend of employed staff and volunteers, charities face a significant human risk element, potentially more so than other organisations. The challenge lies in ensuring that all individuals working within the charity possess the same minimum levels of phishing and social engineering awareness. 

OneCollab can Help 

At OneCollab, we understand these challenges and are here to help. Our cyber security training programmes shine a light on your organisation’s current human risk areas, empowering you to build a security-savvy workforce. 

We recognise that time, budget constraints, and uncertainty about where to start can hinder progress. That’s why we’ve developed a low-cost, fully managed training service that is quick to launch, non-disruptive, and covers all the essential elements for promoting secure user behaviour. Services include: 

  • Engaging and bite-sized security awareness training programmes 
  • Regular simulated phishing assessments 
  • Continuous dark web monitoring 
  • Essential policy implementation 
  • Ongoing human risk scoring 

Customer Testimonial

“As a small charity, managing costs whilst getting the very best support is crucial. OneCollab have helped us with IT support, moving systems and installing their fantastic cyber security services which has been a game-changer for us. Not only have services been affordable, but the team are responsive and give us comprehensive protection and peace of mind knowing we’re doing everything possible to safeguard our stakeholders’ interests.”

–  Sean Pontin, CEO of Enable Jersey

Ready to strengthen your charitable organisation’s cyber security posture? Contact OneCollab today to learn more about our phishing and social engineering awareness training programme and start protecting your charity from cyber threats. 
