
Cyber Security and the most common types of charity cyber-attacks

Cybersecurity and protecting your organisation from cyber threats can often be overlooked. At Voluntary Support’s first Charity Networking Event of the year last Tuesday, Keep IT Simple delivered a useful presentation on cyber security and the most common types of attacks on charities. We’ve translated this fantastic presentation into an article for you to read through and help protect yourselves from cyber threats.

By some distance, the top cyber security threat experienced by charities in the past year was phishing. This is when attackers try to trick a user into clicking a malicious link or handing over details, and it typically arrives via text message or email.

Other common types of cyber attack include:

  • Viruses, spyware, or other malware.
  • Hacking, or attempted hacking, of bank accounts.
  • Attempts to impersonate the organisation via email or online.
  • Takeover of the organisation’s or a user’s accounts.

Below are a series of five practical steps you can take to reduce the risk to both yourself and your organisation.

Step 1: Backing up your data.

Think about how much you rely on your business-critical data, such as customer details, quotes, orders, and payment details. Now imagine how long you would be able to operate without them.

All businesses, regardless of size, should take regular backups of their important data, and make sure that these backups are recent and can actually be restored (test a restore; a backup you have never restored is an assumption, not a safeguard). By doing this, you’re ensuring your business can still function following flood, fire, physical damage, or theft. Furthermore, if you have backups that you can quickly recover, a ransomware attack loses most of its leverage: you can restore your files rather than pay. Backups do not stop an attacker threatening to publish data they have already copied, so they complement the other steps below rather than replace them.

Some data backup considerations:

  • Tip 1: Identify what data you need to back up.
  • Tip 2: Keep your backup separate from your computer, so that malware which encrypts the computer cannot also encrypt the backup (an offline drive, or a cloud copy the computer cannot overwrite).
  • Tip 3: Consider the cloud.
  • Tip 4: Read the NCSC cloud security guidance.
  • Tip 5: Make backing up part of your everyday business.


Step 2: Protecting your organisation from malware.

Malicious software (also known as ‘malware’) is software or web content that can harm your organisation, such as the ransomware behind the WannaCry outbreak. The most well-known form of malware is the virus: a self-copying program that infects legitimate software.

This section contains easy to implement tips that can help prevent malware damaging your organisation.

  • Tip 1: Install (and turn on) antivirus software.
  • Tip 2: Prevent staff from downloading “dodgy” apps.
  • Tip 3: Keep all your IT equipment up to date (patching).
  • Tip 4: Control how USB drives (and memory cards) can be used.
  • Tip 5: Switch on your firewall/VPN.


Step 3: Keeping your smartphones (and tablets) safe.

Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones.

What’s more, these devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than ‘desktop’ equipment.

With this in mind, here are five quick tips that can help keep your mobile devices (and the information stored on them) secure:

  • Tip 1: Switch on password protection.
  • Tip 2: Make sure lost or stolen devices can be tracked, locked, or wiped.
  • Tip 3: Keep your device up to date.
  • Tip 4: Keep your apps up to date.
  • Tip 5: Don’t connect to unknown Wi-Fi hotspots.


Step 4: Using passwords to protect your data.

Your laptops, computers, tablets, and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access.

It is essential that this data is available to you, but not available to unauthorised users.

Passwords, when implemented correctly, are a free, easy and effective way to prevent unauthorised users accessing your devices.

Here are five things to keep in mind when using passwords:

  • Tip 1: Make sure you switch on password protection.
  • Tip 2: Use 2-step verification for ‘important’ accounts.
  • Tip 3: Avoid using predictable passwords.
  • Tip 4: Help your staff cope with ‘password overload’.
  • Tip 5: Change all default passwords.

Charity Digital also published an article in January sharing tips on how to make your passwords stronger and strengthen your charity’s cyber security as a result.

The National Cyber Security Centre also publishes advice on using passwords to protect your devices and data.


Step 5: Avoiding Phishing Attacks

In a typical phishing attack, scammers send fake emails to thousands of people, asking for sensitive information (such as bank details), or containing links to malicious websites. They might try to trick you into sending money, steal your details to sell on, or they may have political or ideological motives for accessing your organisation’s information.

Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point.

Here are some easy steps to help you identify the most common phishing attacks, but be aware that there is a limit to what you can expect your users to do.

  • Tip 1: Configure accounts to reduce the impact of successful attacks.
  • Tip 2: Think about how you operate.
  • Tip 3: Check for the obvious signs of phishing.
  • Tip 4: Report all attacks.
  • Tip 5: Check your digital footprint.

Below is some guidance on email headers and how to avoid phishing attacks, provided by Keep IT Simple:

  1. Open the Suspicious Email: First, open the email you suspect might be a phishing attempt. Do not click any links or open any attachments while you do this; reading the message itself is safe.
  2. View Headers or Show Original: Look for an option to view the email headers. In most email clients:
    • Gmail: Click the three dots (More menu) and select “Show Original.” This will display the full email headers.
    • Outlook: Double-click the email to open it in its own window, then go to “File” and select “Properties.” The headers are in the “Internet Headers” box.
    • Outlook.com (Hotmail): Click the down arrow next to “Reply” above the email and choose “View message source.”
  3. Copy and Paste Headers: Copy the entire text of the email headers. You can paste them into a text editor like Notepad or TextEdit for easier analysis.
  4. Inspect Sender Addresses:
    • Look for any suspicious or unfamiliar email addresses in the “From”, “Reply-To” or “Return-Path” fields. A “Reply-To” that points somewhere other than the “From” domain is a common sign that replies are being diverted to the attacker.
    • Check that the sender’s address matches the expected domain (e.g., an email from PayPal should come from a genuine PayPal domain, not a look-alike with extra words or swapped letters).
  5. Check for Misspellings or Errors:
    • Examine the headers and the message for misspellings or grammatical mistakes. Phishing emails often contain errors.
  6. Analyse Authentication Results:
    • Headers may indicate whether DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) verification passed.
    • These are authentication methods that help verify the legitimacy of the sender.
    • Copy the header text, go to the website below, paste the header into the space and then click “Analyze Header”: https://mxtoolbox.com/emailheaders.aspx
  7. Mail authentication checks:
    • Examples of the relevant fields: Authentication-Results, Received-SPF, DKIM-Signature.
    • In recent years, in an effort to combat spam, various methods have been developed to try and validate where an email truly came from. These include SPF, DKIM, and DMARC.
    • Within the email headers the key field to pay attention to is Authentication-Results, as this presents a summary of the different mail authentication checks that the email has been through.
    • SPF (which stands for ‘Sender Policy Framework’) is a way of validating that emails were sent by computers known to belong to the organisation that the email claims to have come from.
    • Here you need to look for the entry “spf=pass” in the “Authentication-Results” field. If this is present then you know the email came from a server associated with the organisation specified by “smtp.mailfrom=”. Note that this is the envelope sender, which need not be the same as the email’s “From” address; the “From” line can still be spoofed even when SPF passes.
    • Don’t immediately dismiss emails which didn’t pass the SPF check; because of the way email forwarding and the SPF check work, even legitimate emails sometimes fail.
    • DKIM is a mechanism used to digitally sign the contents of an email, making it useful for also verifying the sender. If in the “Authentication-Results” field you see the string “dkim=pass (signature was verified)” then you can trust that the email came from the domain listed in the “d=” tag of the “DKIM-Signature” field. As with SPF, check that this domain matches the “From” address, because the signature vouches for the signing domain, not for the “From” line.
    • DMARC is a newer mail authentication mechanism which builds on SPF and DKIM: it checks that whichever of the two passed did so for a domain that matches the visible “From” address, and it lets the domain owner publish what receivers should do with mail that fails. Its adoption is still growing. If you see the entry “dmarc=pass” in the “Authentication-Results” field then you can have confidence that the email came from where it purports to have come from.
    • It’s important to remember, however, that all these checks do is validate which domain the email was sent from; they offer no checks about who owns that domain. That’s why it’s important to also double-check that the domain being used is the one you expect.

In the example shown in the presentation, the Authentication-Results field read dmarc=none, spf=none and dkim=none. A result of “none” means the check could not be performed at all (no SPF record, no DKIM signature, no DMARC policy for that domain), so nothing vouches for the sender and the email should be treated as untrusted.
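The header checks described in the steps above, as an added example rather than code from the presentation or the original article: a small Python script that takes the raw headers copied from “Show Original” / “View message source”, pulls the spf=, dkim= and dmarc= results out of Authentication-Results, finds the domains those results actually vouch for (smtp.mailfrom and the DKIM d= tag), and compares them with the visible “From” and “Reply-To” domains. The two header samples are constructed for this example (the domains, addresses and IP addresses are placeholders, not real mail); the alignment rule is a simplification of DMARC’s organisational-domain matching.

```python
"""Summarise the SPF/DKIM/DMARC results recorded in a message's headers.

Paste the raw headers (from "Show Original" or "View message source") into
analyse_headers(). Standard library only; nothing is sent anywhere.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

CHECKS = ("spf", "dkim", "dmarc")

# Constructed sample (not a real message): the visible From claims to be a
# payment provider, but no check vouches for it and Reply-To goes elsewhere.
SUSPICIOUS_HEADERS = """\
Delivered-To: treasurer@example-charity.org
Received: from mail.example.net (mail.example.net [192.0.2.10])
        by mx.example-charity.org with ESMTP id abc123
Authentication-Results: mx.example-charity.org;
       dkim=none;
       spf=none (mx.example-charity.org: 192.0.2.10 is neither permitted nor denied by domain of bounce@example.net) smtp.mailfrom=bounce@example.net;
       dmarc=none (p=NONE) header.from=paypal.example
From: "PayPal Service" <service@paypal.example>
Reply-To: refunds@example.net
Subject: Your account has been limited
"""

# Constructed sample: all three checks pass and the domains line up.
LEGIT_HEADERS = """\
Authentication-Results: mx.example-charity.org;
       dkim=pass header.i=@example.org header.s=selector1;
       spf=pass (mx.example-charity.org: domain of newsletter@example.org designates 198.51.100.5 as permitted sender) smtp.mailfrom=newsletter@example.org;
       dmarc=pass (p=REJECT) header.from=example.org
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=selector1; h=from:to:subject; bh=placeholder; b=placeholder
From: Volunteer Newsletter <newsletter@example.org>
Subject: March volunteering round-up
"""


def _domain(address: str) -> str:
    """Lower-cased domain of an address ('' if none); a bare domain passes through."""
    addr = parseaddr(address)[1]
    return addr.rsplit("@", 1)[-1].lower()


def _aligned(from_domain: str, other: str) -> bool:
    """Relaxed alignment: identical, or one is a subdomain of the other.

    This simplifies DMARC's organisational-domain rule (which needs the public
    suffix list); it is enough for manual triage of a single message.
    """
    if not from_domain or not other:
        return False
    return (from_domain == other
            or from_domain.endswith("." + other)
            or other.endswith("." + from_domain))


def analyse_headers(raw_headers: str) -> dict:
    """Return the check results, the domains they vouch for, warnings and a verdict."""
    msg = HeaderParser().parsestr(raw_headers)
    # Unfold the (possibly multi-line, possibly repeated) Authentication-Results header.
    auth = " ".join(re.sub(r"\s+", " ", v) for v in msg.get_all("Authentication-Results", []))

    results = {check: "none" for check in CHECKS}  # a missing check counts as "none"
    for check, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, flags=re.I):
        results[check.lower()] = outcome.lower()

    from_domain = _domain(msg.get("From", ""))
    reply_to_domain = _domain(msg.get("Reply-To", ""))
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth, flags=re.I)
    mailfrom_domain = _domain(m.group(1)) if m else ""  # what SPF vouches for
    # DKIM vouches for the d= tag of the DKIM-Signature header, not for the From line.
    sig = re.sub(r"\s+", " ", msg.get("DKIM-Signature", ""))
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
    dkim_domain = m.group(1).lower() if m else ""

    flags = []
    if reply_to_domain and not _aligned(from_domain, reply_to_domain):
        flags.append(f"Reply-To goes to {reply_to_domain}, not to the From domain {from_domain}")
    if mailfrom_domain and not _aligned(from_domain, mailfrom_domain):
        flags.append(f"envelope sender (smtp.mailfrom) is {mailfrom_domain}, not {from_domain}; the From line may be spoofed")
    if dkim_domain and not _aligned(from_domain, dkim_domain):
        flags.append(f"DKIM signature is from {dkim_domain}, not {from_domain}")
    for check in CHECKS:
        if results[check] in ("fail", "softfail", "permerror", "temperror"):
            flags.append(f"{check}={results[check]}")

    spf_ok = results["spf"] == "pass" and _aligned(from_domain, mailfrom_domain)
    dkim_ok = results["dkim"] == "pass" and _aligned(from_domain, dkim_domain)
    # dmarc=pass already implies an aligned SPF or DKIM pass; otherwise require one here.
    authenticated = results["dmarc"] == "pass" or spf_ok or dkim_ok
    return {
        "results": results,
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "dkim_domain": dkim_domain,
        "reply_to_domain": reply_to_domain,
        "flags": flags,
        # "authenticated" only means the mail really came from from_domain;
        # whether that domain is the one you expect is still a manual check.
        "verdict": "authenticated" if authenticated else "unverified",
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_HEADERS), ("legitimate", LEGIT_HEADERS)):
        report = analyse_headers(raw)
        print(f"{label}: {report['verdict']} {report['results']}")
        for flag in report["flags"]:
            print(f"  - {flag}")
```

Run it as-is to see both samples scored, or replace the sample text with headers from a real message. An “authenticated” verdict answers only the question the checks can answer (did this mail really come from that domain); the last step in the list above, checking that the domain is the one you expect, still has to be done by eye.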

Don’t worry, if you’re not sure what the terms SPF, DKIM, and DMARC mean then you can watch this useful Google Workspace explainer.
