Cybercrime and fraud in the charity sector

The Charity Commission has revealed that it received over 600 reports of fraud and 99 reports of cybercrime in 2024. The most commonly reported cybercrime was phishing. The charity sector is seen as a soft target because its internal control environment is expected to be less robust than that of large commercial organisations, which makes it more susceptible to attack.

Therefore, during Charity Fraud Awareness Week, on 27 November 2024, the Charity Commission published updated guidance on fraud and cybercrime. Our article on the British Library cyber attack demonstrates that prevention is better and cheaper than the cure, so it is important for every charity to consider and assess its risk of fraud and cybercrime. There is a great deal of free help available to charities, from online training and toolkits to risk assessments, and this article highlights what resources are available to you.

Internal controls CC8 update

The Charity Commission has updated its internal controls guidance (CC8) on protecting your charity from fraud and loss. It now has a completely new section, Protect your charity from fraud loss. The fraud guidance covers what to do when a fraud or attempted fraud happens, and how to stop fraud in the first place by reviewing areas of risk and having strong internal controls.

Actions you should consider now include making sure you have the right culture, one that encourages people to voice their concerns and makes clear how to do so. The guidance explains that charities should:

  • adopt and promote an anti-fraud policy
  • review your fraud risks every year and reconsider them if there is a fraud or attempted fraud
  • discuss fraud risks with organisations that you work with or fund
  • perform checks on your financial controls to ensure they are being followed
  • ensure your volunteers, employees and trustees understand your fraud prevention measures through regular updates and training
  • understand cyber fraud and cybercrime risks
  • undertake pre-employment checks on all staff
  • have a fraud response plan so that everyone knows what to do if they discover fraud
  • report risks and how they are managed in your Trustees’ Annual Report.

There are more resources, guidance and training available on the Preventing Charity Fraud website to help you assess your risks and create your policies and plans.

Reporting a fraud

If your charity is unfortunate enough to suffer a fraud, it is important to understand who you need to report it to, and your fraud response plan should cover these requirements. You need to consider whether to report the fraud to:

  • Action Fraud. Action Fraud is the UK’s national reporting centre for fraud and cybercrime, where you should report fraud if you have been scammed, defrauded or experienced cybercrime. Its website also has free resources, toolkits and training for organisations to use, and the latest news on recent frauds and scams.
  • Police
  • HMRC if relevant
  • Charity Commission using the serious incident reporting framework
  • ICO if it relates to GDPR or personal data.

Cybercrime

The Charity Commission also issued new guidance on Protecting your charity from cybercrime.

One of the most common questions we are asked is whether there are free resources available to help charities assess and understand their risk of cybercrime. There are basic steps that you can take to protect your charity:

  • Consider insurance. Your insurance company should be able to provide you with a quote for various levels of fraud and cybercrime insurance. To provide a quote they will ask you many questions about your organisation, which help them understand the risks involved. This exercise in itself may be useful in thinking through your fraud and cybercrime risks.
  • Regional police resources. For example, the Eastern Cyber Resilience Centre offers a free programme, ‘Little Steps’, which prepares you to apply for Cyber Essentials accreditation at the end of the programme. Becoming accredited is also a good way to reduce your insurance premiums.
  • The National Cyber Security Centre (NCSC) website, which has lots of free resources, training and tools available for small charities.

National Cyber Security Centre (NCSC)

This website is the go-to place to start your cybercrime protection journey.

The NCSC has a Small Charity Guide that covers the basic information and tools you need to protect your charity. The resources are free or low cost and designed to be easy to use so that you can put them in place quickly. The guide can help you to:

  • protect your digital devices from common cyber-attacks, such as phishing and malware
  • back up your charity’s data in case it is lost or stolen

There is also a guide about how to defend against malware and ransomware.

The NCSC offers free online cyber security training for staff, ‘Staying Safe Online: Top Tips for Staff’, which is available to all and takes less than half an hour to complete. There are also a number of webinars available on the Charity Digital website:

  • Keeping your charity cyber secure
  • NCSC: 5 steps every charity should take to improve their cyber security
  • Cyber Security: Setting up your charity’s risk management regime
  • Prevention is better than the cure: Is your charity doing enough to protect from cyber-attacks?
  • How to get charity leaders to take cyber security seriously

The NCSC has a Cyber Security Toolkit for Boards, which is designed to ‘help boards to ensure that cyber resilience and risk management are embedded throughout an organisation, including its people, systems, processes and technologies’. Smaller organisations may wish to refer to the Small Business Guide instead. Medium and large charities may want to start with the NCSC’s 10 Steps to Cyber Security, which breaks cyber security down into 10 manageable tasks to make the measures easier to put in place. The NCSC also has cyber-attack exercises that recreate common cyber-attacks so you can practise your response.

Finally, the NCSC has a list of certified training courses for medium and large charities.

What can I do now?

Cybercrime is not going to go away, and the risk to organisations only increases as criminals become more sophisticated and convincing. Charities need to protect themselves, and the article above points to lots of free resources available to help you. So there is no excuse not to start the journey: do not let yourselves become one of those who fell foul of a fraud or cybercrime for lack of basic awareness, preparation and training.
