The UK Government has issued an alert directed at charities operating in the United Kingdom after a recent spike in the number of fraud cases where scammers impersonate employees of a charity.
A spokesperson from the UK’s Charity Commission said that “we have received several reports from charities who have been targeted by fraudsters impersonating members of staff, specifically attempting to change employees’ bank details.”
“With a strong social engineering element, the fraudster often states that they have changed their bank account details or opened a new bank account.”
According to Info Security Magazine, “all the requests to change employee bank details were made via email. The Charity Commission urged all of the nation’s charities to be on the lookout for similar requests to their HR department, finance department or staff within the authority to update employee bank details.”
Charities are an extremely attractive prospect for scammers and hackers alike. Recent data published by the UK government in its ‘Cyber Security Breaches Survey 2019’ shows that more than two-thirds of high-income charities had recorded a cyber breach or attack on their networks in 2018. Of that figure, more than 80% of the impacted organisations fell victim to a successful phishing campaign.
These emails are often sent from spoofed email addresses that at first glance appear identical to the domain of the charity in question, but with a few minor tweaks. If the recipient of such an email doesn’t do their due diligence, the bank details held for a legitimate employee can be changed to those of the scammer.
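A check for the near-identical sender domains described above, as an added example that is not part of the original article or of any Charity Commission guidance. The domain `examplecharity.org.uk`, the substitution list and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Visually confusable substitutions (an assumed, non-exhaustive list).
_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))

def _skeleton(domain):
    """Collapse confusable sequences so near-identical domains compare equal."""
    for src, dst in _SWAPS:
        domain = domain.replace(src, dst)
    return domain

def _edit_distance(a, b):
    """Levenshtein distance computed with one rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify_sender(from_header, own_domain, max_distance=2):
    """Return 'match', 'lookalike', 'external' or 'invalid' for a From header."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rpartition("@")[2].lower().rstrip(".")
    own = own_domain.lower()
    if domain == own or domain.endswith("." + own):
        # Header text only: a match does not prove the mail is authentic.
        return "match"
    if own in domain:                      # own name embedded in a foreign domain
        return "lookalike"
    if _skeleton(domain) == _skeleton(own):
        return "lookalike"
    if _edit_distance(domain, own) <= max_distance:
        return "lookalike"
    return "external"

# Constructed sample headers; examplecharity.org.uk is a made-up domain.
SAMPLES = [
    "Jane Doe <jane.doe@examplecharity.org.uk>",
    "Jane Doe <jane.doe@exarnplecharity.org.uk>",
    "Jane Doe <jane.doe@examplecharlty.org.uk>",
    "Jane Doe <jane.doe@examplecharity.org.uk.payroll-update.example>",
    "Supplier <accounts@unrelated-supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header, 'examplecharity.org.uk'):9}  {header}")
```

A "lookalike" result on a bank-detail change request is a reason to hold the change and confirm it through a separately sourced phone number or email address.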
The government has urged charities and non-profit organisations to avoid opening attachments sent from unknown or spoofed email addresses, and to exercise caution when receiving an unusual request that diverges from the organisation’s normal set of security and financial procedures.
“Check email addresses and telephone numbers when changes are requested. If in doubt, request clarification from an alternatively sourced email address or phone number,” the spokesperson continued.
The government has also reiterated the importance of carefully handling sensitive information about donors and suppliers to mitigate the risk of becoming a target for fraudsters and scammers. “Sensitive information you post publicly or dispose of incorrectly, can be used by fraudsters to perpetrate fraud against you. The more information they have about your charity and employees, the more convincingly they can appear to be one of your legitimate employees,” the spokesperson concluded.