From entertainment and communication to personnel management and banking, so many services we use in our charities and faith-based organisations have moved online. There are huge benefits to using the internet, but it also presents opportunities for fraudsters and criminals to steal from your organisation (whether it be data or money).
Phishing and social engineering
Social engineering is where a ‘hacker’ uses social skills to obtain more information from a member of staff or someone with knowledge of an organisation. This might take the form of a phone call or email claiming to be someone related to your organisation whilst including shreds of readily-available information in an effort to prove their legitimacy; they then attempt to get additional important, confidential or compromising information from you.
Phishing is a form of social engineering which uses email or websites to coax information from someone by posing as a trustworthy organisation. For example, they may email you posing as your bank and request information which would allow them to access your accounts.
You can avoid becoming a victim of social engineering by training all staff and volunteers in the warning signs. Have strict policies regarding the sharing of data – especially personally identifiable information and financial details. Be diligent when reading emails, taking unsolicited phone calls or visiting websites. You can verify whether a request is legitimate by contacting the organisation directly through its publicly listed contact details, rather than through any phone number or link given in the request itself.
Hacking or intercepting data
Hacking is a broad term. In this case it’s used to describe a malicious actor trying to gain access to your systems by exploiting vulnerabilities in your systems, networks or processes and procedures.
Hacking can take many forms. Hackers can ‘brute-force’ a login, trying passwords from large lists of common or previously leaked ones; they can use malicious software such as viruses, trojans or key loggers to extract information from your systems, disable them or take control of them; they can block you from using a particular system by flooding it with requests and overloading it (denial of service); or they can intercept your network traffic using a fake network access point, such as a rogue Wi-Fi network. These are just a handful of the hacking techniques that could be used against you.
To avoid becoming a victim of hacking or intercepted data you should exercise good cyber security and risk management. You can read more about this in our Support Centre Guide on Cyber Risk Management.
Theft or ransom?
Cyber fraudsters and criminals generally aim to either steal money from you or steal data from you. If they are trying to steal data, they can either sell it themselves or hold you to ransom to get it back (whether they steal a copy and offer to destroy it in exchange for payment or they encrypt and restrict access to your data until you pay – similar to what happened with the WannaCry ransomware).
Whenever you suspect a cyber-attack, cyber crime, fraud or a data breach, you should remember that the perpetrator is committing a criminal offence; you should contact the police immediately. The best way to do this is through Action Fraud. Through their website, you can report a crime or even get support for an ongoing incident. Find out more about how to respond in our Cyber Risk and Response blog.