Charities need to do more to see off the increasing threat of online fraud
Organised international gangs are increasingly targeting Scottish charities, throwing the future of some groups into doubt.
Cyber crime experts are worried about a rise in organisations being hit by online fraud.
One senior figure has called on charities to wise up to the realities of internet crime before it’s too late.
TFN understands that an estimated £1.65 billion per year is lost across the UK charity sector to such frauds.
Figures for Scotland are not available, but it is known that the problem is on the rise here.
Cybercrime and online fraud is on the increase and criminal gangs are targeting charities
Stewart Thom
Criminals use a wide range of strategies to snare unwary charities.
These include email, text and telephone frauds and the use of malicious software.
On top of direct attacks, charities’ reputations can be hit as criminals pose as fundraisers to extort cash from the public.
Cyber crime expert Stewart Thom of the Royal Bank of Scotland lifted the lid on the extent of the problem.
He said: “Fraudsters do not care who they target. They target individuals or companies that they believe have large volumes of cash going through their accounts. Unfortunately we have seen cases where charities are being targeted.
“Fraud has a detrimental impact on charities’ operations and in some cases their ability to continue the great work to support our society.
“Cybercrime and online fraud is on the increase. Unfortunately we are finding organised criminal gangs are using techniques to target charities.
“They are well organised, international, effective and professional in their approach to obtaining the information they require to gain access to our account.”
As well as providing massive opportunities for charities, the use of digital technology and social media carries increased risk of being stung, warns Thom.
“There is now more information online (eg Linkedin, Facebook, corporate websites) that allows fraudsters to identify their targets but more importantly piece together information that allows them to pretend they are from the bank, build up trust and rapport before then requesting that you share your full security credentials.
“Unfortunately, if you disclose your full security credentials then potentially you are providing that to the fraudster who can then use to access your accounts.
“Fraudsters are using social engineering techniques to try and obtain the information that allows them to access your accounts online."
Fraudsters are calling individuals or sending emails pretending to be banks to obtain security information.
The emails try to take a user to a fake website that asks for full security credentials, which is unusual, or to malicious software that can capture information typed into the keyboard. This information is then transferred to the fraudsters
The cyber crime and security expert said there areeasy steps charities must take to make themselves safe.
“Charities need to think about how they protect their organisation and staff online. It is important that charities and the sector in general educate people about the techniques being used by fraudsters but more importantly how they protect themselves. Unfortunately it only takes one person to disclose security credentials that may allow a fraudster to steal your charities money.
“The banking industry, banks and law enforcements are all working together to bring down these organised criminal gangs. A lot of good work has been done but we recognise there is still more to do. Customer education and awareness is key in making people aware of the techniques being used and how you can protect yourself but more importantly your charity,” said Thom.
Top tips to protect your charity from fraud
Email fraud (or phishing).Fraudsters send an email to hoping to obtain your security details or personal information.
Beware of attachments contained within emails especially if it has .exe at the end. The attachment could contain a Trojan or virus that may infect your computer when opened.
Be cautious of links in emails, especially when it sends you to a banking website that asks for full pin and passwords. Banks will not usually do this.
Malicious software (malware/trojan).Malware is software used to gather sensitive information. Trojans, a form of malware, are harmful programmes that steal information.
They can be installed from attachments contained in emails or infected websites visited by users. Trojans can record and send to fraudsters information typed on a keyboard eg passwords typed when you’re logging into online banking, supplier details created on systems or credit/debit card details used to purchases goods and services online.
Download specific security software to protect your computer from malicious software that compliments anti-virus and firewall controls.
Text (smishing). This is when texts are sent to your mobile to try to trick you into clicking on a link that takes you to a fake website that attempts to obtain your security information eg full passwords or pins.
First of all, don’t send sensitive information by text, such as your pin, password, account details or date of birth.
Be wary of links in text message especially if you are taken to a website that asks for full pin and passwords. Banks will not usually text you in this way.
Telephone fraud (vishing) is where fraudsters trick you into divulging security credentials or card details over the telephone. The fraudster uses urgent language to convince you that your bank account has been compromised, often claiming there are fraudulent transactions pending, compelling you to take immediate action to prevent these from being paid.
How can you protect yourself? Never divulge your full security credentials (eg pin and passwords) over the telephone for your online banking. No matter how busy you are!
If you receive a suspicious call, use a different line to call your bank back. Fraudsters can keep their line open, incept your call and pose as your bank.
Remember, never give your banking or personal information to anyone you do not know. Remember, the bank or the police will never ask for your full passwords, token codes, customer login credentials or cards pins.
If you are concerned that your business has been affected by fraud, contact Action Fraud, the UK’s national reporting centre for fraud and internet crime on 0300 123 2040 and your bank.