
Avoid phishing attacks


Use this page to learn how to protect yourself and others from phishing attacks.

A phishing attack is when scammers (pretending to be someone else) send fake emails, usually to thousands of people at once. Scammers can even pretend to be your organisation.

The goal of these emails is to get people to:

  • reveal sensitive information such as bank details
  • click on links to unsafe websites.

There are many reasons scammers send these emails.

  • To trick people into sending money.
  • To steal personal details to sell on.
  • Because they have political or ideological motives for accessing your organisation’s information.

Phishing emails are getting harder to spot. Some emails will still get past even the most observant user. Whatever the size and nature of your charity, you'll receive phishing attacks at some point.

This section contains some easy steps you can take to protect yourself and others. But be aware that there’s a limit to what you can expect your users to do.

Reduce the impact of attacks by limiting access

Make sure people only have the minimum user rights required to perform their role. This'll help you reduce potential damage if your staff are the victims of a phishing attack.

Most people in your organisation do not need administrator privileges either on their operating systems or on the software they use. The consequences of a phishing attack can be far worse if someone using administrator privileges gets caught out. It can be very damaging to your organisation.

People must not use accounts with administrator status to browse the internet or to check their email. This'll reduce the risks from phishing.

Use two factor authentication (2FA) on your important accounts such as email. This means that even if an attacker gets your passwords they still won’t be able to access that account. They'd need the second piece of information to do so.
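To show concretely why a stolen password alone is not enough once 2FA is in place, here is an added example (not code from this page or from NCVO) of a time-based one-time password check in the style of RFC 6238. The account record, salt and password are constructed for the example; the base32 seed is the RFC 6238 test secret, so the code for time 59 is a published test value.

```python
import base64
import hashlib
import hmac
import struct

# Constructed for this example: a salted PBKDF2 password hash plus the base32
# TOTP seed the user enrolled with (the RFC 6238 test secret, not a real one).
SALT = b"constructed-salt"
ACCOUNT = {
    "username": "treasurer",
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a base32 seed at a given Unix time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)       # time step as 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(username: str, password: str, code: str, now: int, account: dict = ACCOUNT) -> bool:
    """Both factors must be right: the password AND a code from the user's device.

    An attacker who has phished the password still fails here without the code.
    """
    if username != account["username"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, account["password_hash"])
    # Accept the current and the previous 30-second step to tolerate small clock drift.
    code_ok = any(
        hmac.compare_digest(totp(account["totp_secret"], now - drift), code)
        for drift in (0, 30)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the expected 6-digit code is 287082
    print("genuine user:", login("treasurer", "correct horse", totp(ACCOUNT["totp_secret"], now), now))
    print("phished password, no device:", login("treasurer", "correct horse", "000000", now))
```

The point a practitioner should take from this is the last call: knowing the password gets the attacker nowhere without a valid code, which is why the page recommends 2FA for email and other important accounts.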

Think about how you operate

Consider the ways someone might target your charity. Think about how you can help people spot requests that seem out of the ordinary. Below are some common phishing tricks.

  • Sending an invoice for a service you haven't used, so that when you open the attachment malware is automatically installed.
  • Sending people emails that look authentic requesting money or information.
  • Pretending to be from a large, well-known organisation. This is in the hope that some of the email recipients will have a connection to them.

Think about your usual practices and how you can help make these tricks less likely to succeed.

  • Do trustees, staff and volunteers know what to do with unusual requests? Do they know where to get help?
  • Do they know how to challenge someone impersonating an important individual via email, and how to then take action?
  • Do you understand the day-to-day relationships your charity has? If you get an email from an organisation you don't do business with, treat it with suspicion.
  • How can you encourage and support people in your charity to question suspicious or unusual requests, even if they appear to be from important individuals?

You need to also think about how scammers may pretend to be your organisation. You should consider looking at how your outgoing communications appear.

  • Do you send unsolicited emails asking for money or passwords?
  • Will your emails get mistaken for phishing emails?
  • How could you leave people vulnerable to an attack that looks like an email from you?
  • Consider telling your trustees, staff and volunteers what they should look out for. You can make pledges such as 'we will never ask for your password', or 'our bank details will not change at any point'.

Check for the obvious signs of phishing

Expecting everyone to identify and delete all phishing emails is an impossible request. It would also have a negative effect on a charity’s productivity.

But many phishing emails do fit the mould of a traditional attack. To avoid these you can encourage people to look for the common warning signs.

  • Is the spelling, grammar and punctuation poor?
  • Is the design (and quality) what you'd expect from a credible, large organisation? Scammers often try to create official looking emails by including logos and graphics.
  • Is it addressed to you by name, or does it refer to 'valued customer', or 'friend', or 'colleague'? This can be a sign that the sender does not actually know you.
  • Does the email contain a veiled threat that asks you to act urgently? Look out for suspicious phrases like 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
  • Does it sound legitimate, or is it trying to mimic someone you know? Look at the sender's name and email, do they look correct?
  • Does it sound too good to be true? Such as a large donation in return for banking details.

Encourage reporting and take the right steps

Encourage your staff and volunteers to ask for help if they think that they have been a victim of phishing.

When you think a successful attack has occurred you need to:

  • scan all connected devices for malware
  • organise the changing of passwords.

Do not punish staff if they get caught out. It discourages people from reporting in future and can make them fearful. They then spend excessive time and energy scrutinising every email they receive. Both these things cause more harm to your organisation in the long run.

If you think that you (or your charity) are a victim of online fraud, scams or extortion, take the following steps.

Reporting is responsible. It demonstrates that you've taken action to identify problems within your organisation. It also helps the Commission to gauge threats that may affect the wider sector, enabling them to take steps to address these with targeted advice and guidance.

Check your digital footprint

A digital footprint is data about you or your organisation left behind when you've been online. Attackers use public information to create convincing phishing messages. They use it to pretend to be you. This information is often gleaned from your website and social media accounts.

  • Review the information on your organisation’s website and social media feeds. What do your website visitors need to know? And what detail is unnecessary (but could be useful for attackers)?
  • Trustees, staff and volunteers spend time online. Be aware of what information about your organisation they give away.
  • Help your staff understand how sharing their personal information can affect them and your organisation. This is not about expecting people to remove all traces of themselves from the internet. You need to support them as they manage their digital footprint. Help them shape their profile so it works for both them and you.

National Protective Security Authority (NPSA) is a good resource for larger teams of staff and volunteers. Try their PDF guide to use with employees.

This page was last reviewed for accuracy on 02 March 2021
