News story

Regulatory alert: charities at risk of cyber attack

Warning about malicious ‘phishing emails’.

This news article was withdrawn on

No longer current.

The Charity Commission, the independent regulator of charities in England and Wales, is issuing this alert to charities as regulatory advice under section 15(2) of the Charities Act 2011.

The information contained within this alert is based on reports made during the past month to Action Fraud, the UK’s national fraud reporting centre.

There are 2 prevalent scams to be aware of:

‘Crime Prevention Advice’ email

Fraudsters are sending out a high number of phishing emails to personal and business email addresses with the message subject heading ‘Crime Prevention Advice’. Charities could also be at risk from this disturbing new email scam and are encouraged to be vigilant.

The campaign’s primary function appears to be the distribution of powerful malware via a malicious email attachment. The email sender appears to be spoofing a Metropolitan Police email address, showing the sender as ‘crime@content.met.police.uk’. The email contains the text:

‘TO THE GENERAL PUBLIC See attached document to read more about crime prevention advice. Regards, Metropolitan Police Service.’

The email includes an attachment titled ‘11212527.zip’. This attachment contains malicious content which downloads the iSPY key logger to the victim’s device. This key logger records keystrokes, steals passwords stored in web browsers and Skype conversation records, takes pictures via webcam and stores the license keys of software, such as Microsoft Office and Adobe Photoshop.

‘Notice of Intended Prosecution’ email

Fraudsters are sending out a high number of phishing emails to email addresses connected to businesses in the United Kingdom, with the message subject heading ‘Notice of Intended Prosecution’ and ‘NIP - Notice Number’ followed by a combination of letters and numbers.

Its primary function appears to be distributing Banking Trojan malware, through a malicious link embedded within the email. The emails purport to come from the Greater Manchester Police, so will be of most relevance to those charities based in the North West of the UK.

It is believed that the URL hidden behind the line ‘Check The Photographic Evidence’ delivers the GOZI/ISFP Banking Trojan which is involved in stealing online banking login details from victims.

In both cases, charities are advised to protect themselves in the following ways:

  • ensure charity software has up-to-date virus protection, though it will not always prevent you from becoming infected
  • do not click on links or open any attachments you receive in unsolicited emails or SMS messages - fraudsters can ‘spoof’ an email address to make it look like it’s from a trusted source
  • if you’re unsure, check the email header to identify the true source of communication - information on how to locate email headers can be found at https://mxtoolbox.com/Public/Content/EmailHeaders/
  • always install software updates as soon as they become available, as the update will often include fixes for critical security vulnerabilities
  • if your current software does not offer an ‘anti-spyware’ function, consider installing software which does, as this can detect key loggers
  • undertake regular backups of your important files to an external hard drive, memory stick or online storage provider - however, it’s important that the device you back up to is not left connected to your computer, as a malware infection could spread to that device too
  • if you suspect your bank details have been accessed, you should contact your bank immediately

If you think your charity has been affected by a phishing scam, or any other type of fraud, you should report it to Action Fraud by calling 0300 123 2040, or visiting www.actionfraud.police.uk.

Trustees are advised also to report it to the Charity Commission as a serious incident.

Serious incident reporting helps the Commission to gauge the volume and impact of incidents within charities and to understand the risks facing the sector as a whole.

Carl Mehta, Head of Investigations and Enforcement at the Charity Commission said:

Charities need to be aware of the imminent danger posed by malicious phishing emails and to take appropriate steps to protect their charity from cyber-attack - a charity’s valuable assets and good reputation can be put at risk from these dangerous scams.

I urge all charities, if they suspect they may have fallen victim to phishing scams, to report it immediately to Action Fraud, and to the Commission under its serious incident reporting regime. You can visit www.charitiesagainstfraud.org.uk for advice and top tips on how to protect your charity against cyber-fraud.

Updates to this page

Published 13 December 2016