New research exploring the volunteering experiences and perspectives of people from the global majority. Find out more
Use this page to learn how to protect yourself and others from phishing attacks.
A phishing attack is when scammers (pretending to be someone else) send fake emails, usually to thousands of people at once. Scammers can even pretend to be your organisation.
The goal of these emails is to get people to:
There are many reasons scammers send these emails.
Phishing emails are getting harder to spot. Some emails will still get past even the most observant user. Whatever the size and nature of your charity, you'll receive phishing attacks at some point.
This section contains some easy steps you can take to protect yourself and others. But be aware that there’s a limit to what you can expect your users to do.
Make sure people only have the minimum user rights required to perform their role. This'll help you reduce potential damage if your staff are the victims of a phishing attack.
Most people in your organisation do not need administrator privileges either on their operating systems or on the software they use. The consequences of a phishing attack can be far worse if someone using administrator privileges gets caught out. It can be very damaging to your organisation.
People must not use accounts with administrator status to browse the internet. Or when checking their emails. This'll reduce the risks from phishing.
Use two factor authentication (2FA) on your important accounts such as email. This means that even if an attacker gets your passwords they still won’t be able to access that account. They'd need the second piece of information to do so.
Consider the ways someone might target your charity. Think about how you can help people spot requests that seem out of the ordinary. Below are some common phishing tricks.
Think about your usual practices and how you can help make these tricks less likely to succeed.
You need to also think about how scammers may pretend to be your organisation. You should consider looking at how your outgoing communications appear.
Expecting everyone to identify and delete all phishing emails is an impossible request. It would also have a negative effect on a charity’s productivity.
But many phishing emails do fit the mould of a traditional attack. To avoid these you can encourage people to look for the common warning signs.
Encourage your staff and volunteers to ask for help if they think that they have been a victim of phishing.
When you think a successful attack has occurred you need to:
Do not punish staff if they get caught out. It discourages people from reporting in future and can make them fearful. They then spend excessive time and energy scrutinising every email they receive. Both these things cause more harm to your organisation in the long run.
If you think that you (or your charity) are a victim of online fraud, scams or extortion, take the following steps.
Reporting is responsible. It demonstrates that you've taken action to identify problems within your organisation. It also helps the Commission to gauge threats that may affect the wider sector. Enabling them to take steps to address these with targeted advice and guidance.
A digital footprint is data about you or your organisation left behind when you've been online. Attackers use public information to create convincing phishing messages. They use it to pretend to be you. This information is often gleaned from your website and social media accounts.
National Protective Security Authority (NPSA) is a good resource for larger teams of staff and volunteers. Try their PDF guide to use with employees.
Get regular updates on NCVO's help, support and services