Protect your charity from cyber crime
Find out how to keep your charity cyber secure, respond to cyber attacks, and report cyber crime.
Applies to England and Wales
Contact the Action Fraud 24/7 helpline if you are experiencing a live cyber attack.
The helpline will help you to get essential advice and support.
Find more information about how to respond to a cyber attack.
What is cyber crime
Cyber crime is any crime that uses computers or the internet.
This can include crimes such as fraud. For example, hacking into a computer to steal bank account details.
Other cyber crimes are not for financial gain. For example, criminals can attack computer systems to disrupt services.
This guidance covers:
- the most common types of cyber attacks
- things you can do to protect your charity
Read about how to protect your charity from fraud.
Why your charity is at risk from cyber crime
Like other organisations, charities have assets that criminals value such as money and sensitive data.
Many charities use digital systems such as computers and the internet to, for example:
- store sensitive data about employees, volunteers, donors and beneficiaries
- use online banking
- deliver online services
- fundraise online
This makes them an attractive target for cyber crime.
Cyber attacks can have a huge impact on your charity. Your charity could lose money or sensitive data. Its reputation could also be damaged.
But there are simple measures you can put in place to protect your charity.
You and your fellow trustees must manage your charity’s resources responsibly by, for example:
- being aware of the risks to your charity from cyber crime
- taking reasonable steps to protect your charity from cyber crime
- responding to cyber attacks properly to reduce the harm to your charity
You may be able to delegate cyber security to someone else at your charity, such as an IT team. But all the trustees remain responsible for making sure your charity is protected.
Types of cyber crime
Find out more about the most common types of cyber attacks below.
Remember, there are things you can do to reduce the risk to your charity from cyber crime.
Phishing
Phishing is the most common type of cyber attack.
Criminals trick victims into visiting malicious websites, usually by getting them to click a link in an email or text message. The criminal can then use the website to:
- steal sensitive data such as bank details, usernames and passwords
- install malicious software (‘malware’) onto your charity’s digital devices
Phishing attacks can target specific people or organisations, including charities. For example, by pretending to be:
- a real person such as a trustee, or
- a real organisation such as your charity’s bank
Example
A charity employee gets an email that says it’s from the charity’s bank. The email says the charity’s account has been hacked. There is a link to click to update the charity’s bank account password.
While the email looks real, the employee decides to call the bank to check the email is genuine. The bank confirms there are no issues with the charity’s bank account.
The employee realises they have been sent a phishing email. In line with the charity’s procedures, they report the email to Action Fraud and then delete it.
Impersonation
Be aware that criminals can pretend to be real charities online. For example, by setting up a fake website that looks like the website of a real charity.
The aim is to steal donations.
These are not direct cyber attacks, but you should be aware that criminals can steal money this way. You should report any suspicious websites claiming to be related to your charity to Action Fraud.
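The two tricks described above, a link whose visible text names one domain while the link itself goes somewhere else, and a domain that is a near-copy of a real one, can both be checked mechanically. The Python script below is an added example, not part of this guidance or of any NCSC tool. It extracts the links from an HTML email, flags any whose visible text does not match where the link goes, and flags hosts that imitate a domain the charity trusts (a swapped character such as 1 for l, the real name buried inside an unrelated domain, or a one-character typo). The same lookalike check is reused for websites claiming to be your charity. The charity name, the domains and the email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: domains the charity uses or trusts.
TRUSTED_DOMAINS = ("examplecharity.org.uk", "examplebank.co.uk")

# Character swaps criminals use to make a fake domain read like the real one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed phishing email, modelled on the bank example in the guidance.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been compromised.</p>
<p>Please <a href="http://examplebank.co.uk.account-verify.net/login">update your password</a>
at <a href="https://examp1ebank.co.uk/reset">examplebank.co.uk</a> within 24 hours.</p>
<p>Thank you, <a href="https://examplebank.co.uk/contact">Example Bank</a></p>
"""


def normalise(host):
    """Lower-case a hostname and undo the common lookalike substitutions."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, to catch one added, dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, trusted):
    """True if host imitates trusted without being it or one of its subdomains."""
    host = host.lower().strip(".")
    if host == trusted or host.endswith("." + trusted):
        return False
    if normalise(host) == normalise(trusted):
        return True  # e.g. examp1ebank.co.uk, exarnplecharity.org.uk
    if edit_distance(host, trusted) <= 1:
        return True  # e.g. examplebnk.co.uk
    # The trusted name buried inside an unrelated domain,
    # e.g. examplebank.co.uk.account-verify.net or examplecharity-donations.com
    return trusted.split(".")[0] in host


def suspicious_sites(hosts, charity_domain):
    """Websites claiming to be the charity whose domain imitates the real one."""
    return [h for h in hosts if is_lookalike(h, charity_domain)]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_in_text(text):
    """If the visible link text looks like a URL or domain, return its hostname."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def analyse_email(html, trusted_domains=TRUSTED_DOMAINS):
    """Return (href, reason) pairs for every suspicious link in an HTML email."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        shown = hostname_in_text(text)
        if shown and shown.lower() != host:
            findings.append((href, f"text shows {shown} but link goes to {host}"))
        for trusted in trusted_domains:
            if is_lookalike(host, trusted):
                findings.append((href, f"{host} imitates {trusted}"))
        if parts.scheme == "http":
            findings.append((href, "link is plain http, not https"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_email(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run on the constructed email, the script reports the first link twice (the bank's name is buried inside an unrelated domain, and the link is plain http) and the second link twice (the visible text names the real bank domain but the link goes to examp1ebank.co.uk, which imitates it); the genuine contact link passes. The checks are deliberately simple, so a clean result does not prove an email is safe, and the advice in the guidance to confirm by phone before acting still applies.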
Malware
Malware is malicious computer software. Criminals infect digital devices with malware to:
- steal sensitive data
- overload devices with data
- delete vital software
A common type of malware is ransomware.
Criminals use ransomware to stop you accessing the data on your digital devices. For example, by encrypting (locking) files on your computer. The attacker can then threaten to destroy or sell your data if you do not pay a ransom.
There are steps you can take to protect your charity from malware attacks.
Example
A trustee gets an email asking them to update the password for their charity email account. The trustee clicks the link, which takes them to a blank webpage. They close the page and delete the email.
The next day, the charity cannot access its online data. This includes bank details for the charity’s donors. The criminals used the blank webpage to install ransomware on the trustee’s computer and then encrypted (locked) the charity’s data. They threaten to sell the charity’s data online unless the charity pays a ransom. The charity reports the attack to Action Fraud and the police.
Reduce the risks to your charity
Make sure relevant people at your charity such as trustees, employees and volunteers:
- know the risks from cyber crime
- understand how to protect your charity from cyber crime, for example by knowing how to spot phishing emails
- know what to do if your charity is a victim of cyber crime
As trustees, you should decide what you expect people at your charity to do to prevent cyber crime, and make sure this happens. Your expectations will depend on the size of your charity and the resources it has. For example:
- the steps you expect trustees, employees and volunteers to take if they receive a phishing email
- the cyber security training you expect trustees, employees and volunteers to complete to keep their knowledge and awareness up to date
Use the resources below to help you identify:
- the risks to your charity from cyber crime
- the steps you can take to reduce the risks and protect your charity
Guidance and training for small charities
Guidance for small charities
The National Cyber Security Centre (NCSC) has produced the Small Charity Guide. It has the basic information and tools you need to protect your charity.
The resources in the guide are free or low cost and easy to use. You can put them in place quickly. The guide can help you to:
- protect your digital devices from common cyber attacks, such as phishing and malware
- back up your charity’s data in case it is lost or stolen
As well as using the Small Charity Guide to help you take these practical steps, you can ask relevant people at your charity to read and use the guide, such as:
- trustees
- employees
- volunteers
- anyone else you think should use the guidance
This will help you to create a culture of cyber awareness in your charity.
The NCSC also has a specific guide about how to defend against malware and ransomware.
Training for small charities
The NCSC has free online cyber security training for beginners. It’s easy to use and takes less than 30 minutes to complete.
The training has tips about how to prevent cyber crime, such as:
- how to protect your charity from phishing attacks
- how to set strong passwords, and why
- how to keep your devices secure
The NCSC also has cyber attack exercises. These recreate common cyber attacks. You can use the exercises to practise your response to, for example, a phishing attack.
You can use these resources to:
- understand the practical steps you can take to improve your charity’s cyber security
- help people at your charity (such as trustees and employees) improve their knowledge
Guidance and training for medium and large charities
Guidance for medium and large charities
Medium and large charities may have:
- more complex IT systems
- a specific trustee, employee or team to manage their cyber security
These charities may want to start with the NCSC’s 10 Steps to Cyber Security. This technical guidance:
- gives a summary of the NCSC’s advice for security professionals
- breaks cyber security down into 10 manageable tasks. This makes it easier to put the measures in place
The NCSC has a cyber security toolkit for boards. The toolkit can help you and the other trustees to:
- understand and discuss the risks to your charity from cyber crime
- plan how you will respond to cyber attacks
The NCSC also has a specific guide about how to defend against malware and ransomware.
Training for medium and large charities
The NCSC has a list of certified training courses for medium and large charities.
Cyber security services and tools
Services and tools for all charities
Charities can use a range of NCSC Active Cyber Defence tools. Most of these are free. These tools can help you protect your charity and include:
- a tool that warns you if you are under attack, for example, from malware
- a tool to help you protect your emails
- a tool to help you protect any websites you have
Services and tools for small charities
If you are a small charity, you can check your cyber security with the NCSC’s free online service. It helps you to look for common weaknesses in, for example:
- your emails
- your website
- the web browser you use
It will give you step-by-step guidance to help you fix cyber security issues.
Services and tools for medium and large charities
If you are a medium or large charity, you can join the NCSC Cyber Essentials Scheme to certify that your charity has essential cyber security controls in place. The scheme can help you to:
- understand your charity’s level of cyber security
- protect your charity against the most common cyber attacks
- show that you are serious about your charity’s cyber security
How to respond to a cyber attack
You should plan how your charity will respond to a cyber attack. This is so everyone knows what to do and when.
You can set this out in a policy or cyber attack action plan. Here are some tips to help you:
- you should report all attacks to Action Fraud, even if they did not cause your charity any harm. Set out who has responsibility at your charity for doing this
- you should act quickly – this will help you reduce the harm to your charity
- your policy should say who needs to be informed about the attack, such as the chair
- you should also keep a record of what happened, and when
Make sure everyone knows how they should respond. You can encourage them to stay calm, not panic, and follow your charity’s procedures.
If your charity is harmed by a cyber attack, check how it happened. This will help you identify steps you can take to protect your charity in future.
Find out more about how to respond to cyber attacks.
How to report cyber crime
If your charity has been the victim of cyber crime, you should report the cyber attack to Action Fraud.
Reporting cyber crime is important because:
- you can get advice and support to limit the damage of the attack on your charity
- experts such as Action Fraud and the police can record and track the types of attacks criminals use
- other charities can learn from attacks. This can help to prevent similar attacks in future
You may need to report a cyber attack to the Charity Commission. Read our guidance about how to report a serious incident to the Commission.