
The 5 Biggest Email Security Risks Facing Charities (And How to Reduce Them)

Charities and non-profit organisations are increasingly being targeted by cybercriminals. Why? Because they handle donations, store sensitive supporter data, often operate with limited IT resources, and rely heavily on trust.

Email remains the primary entry point for cyberattacks — and for many charities, it’s the single biggest security vulnerability.

Below are the five most significant email security risks facing charities today, and what you can do to protect your organisation, donors, and beneficiaries.

1. Phishing Targeting Donations and Supporters

Phishing attacks against charities often impersonate:

  • The charity itself
  • Trustees or senior leaders
  • Well-known platforms like JustGiving or GoFundMe

Attackers may send fake donation confirmations, urgent campaign appeals, or “account verification” messages designed to steal login credentials or payment details.

For charities, phishing can damage more than finances — it can erode public trust.

Why it’s especially dangerous for charities:

  • Donor payment details can be compromised
  • Supporter databases may be accessed
  • Fraudulent campaigns can be launched in your name
  • Reputation and trust can suffer long-term harm

How to reduce the risk:

  • Enable multi-factor authentication (MFA) on all accounts
  • Provide phishing awareness training to staff and volunteers
  • Use advanced email filtering
  • Publicly educate supporters on how you communicate officially

2. Business Email Compromise (CEO & Treasurer Fraud)

Charities are particularly vulnerable to Business Email Compromise (BEC), especially those with small finance teams or volunteer trustees.

Attackers often impersonate:

  • The CEO or Chair of Trustees
  • The Finance Director or Treasurer
  • A known grant provider

Many charities use platforms like Microsoft 365 or Google Workspace, and compromised accounts can be used to send highly convincing internal requests for urgent payments.

Because charities move funds quickly — particularly during campaigns or emergency appeals — fraudulent requests can slip through.

Why it’s especially dangerous for charities:

  • Direct loss of donor funds
  • Payroll diversion scams
  • Fraudulent supplier payments
  • Regulatory reporting consequences

How to reduce the risk:

  • Implement dual approval for payments
  • Enforce MFA on all email accounts
  • Verify payment requests via phone
  • Monitor for unusual login activity
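The last point, monitoring for unusual login activity, is where most small finance teams have no concrete starting point. The script below is an added example written for this article, not a tool from the author or from Microsoft 365 or Google Workspace; it runs over a constructed sign-in log (CSV lines of time, user, IP, country, result, with documentation-range IPs) and raises three kinds of alert that a charity's email provider log would let you look for: a burst of failed sign-ins followed by a success, a successful sign-in from a country the account has never used, and two successes from different countries too close together to be travel. The thresholds and field layout are assumptions for the demonstration.

```python
"""
Added example (not from the original article): simple sign-in anomaly
detection over a constructed log. Field layout, thresholds and the
sample data are assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                   # failures before a success that count as a brute-force sign
FAILURE_WINDOW = timedelta(minutes=10)  # how far back failures are counted
TRAVEL_WINDOW = timedelta(hours=4)      # two countries inside this gap is "impossible travel"

# Constructed sample log: time,user,ip,country,result (IPs are documentation ranges).
SAMPLE_LOG = """\
2024-03-04T08:01:10Z,treasurer@example-charity.org,203.0.113.7,GB,success
2024-03-04T08:40:22Z,treasurer@example-charity.org,203.0.113.7,GB,success
2024-03-04T09:15:02Z,treasurer@example-charity.org,198.51.100.23,GB,success
2024-03-05T02:12:44Z,treasurer@example-charity.org,192.0.2.55,NG,failure
2024-03-05T02:12:51Z,treasurer@example-charity.org,192.0.2.55,NG,failure
2024-03-05T02:13:03Z,treasurer@example-charity.org,192.0.2.55,NG,failure
2024-03-05T02:13:20Z,treasurer@example-charity.org,192.0.2.55,NG,failure
2024-03-05T02:13:41Z,treasurer@example-charity.org,192.0.2.55,NG,failure
2024-03-05T02:14:05Z,treasurer@example-charity.org,192.0.2.55,NG,success
2024-03-05T02:30:00Z,treasurer@example-charity.org,192.0.2.55,NG,success
2024-03-05T03:05:00Z,treasurer@example-charity.org,203.0.113.7,GB,success
2024-03-05T09:00:00Z,volunteer@example-charity.org,203.0.113.9,GB,success
"""


def parse_log(text):
    """Turn CSV lines into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_anomalies(events):
    """Walk the events in order and return a list of alert dicts."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries with an earlier successful sign-in
    last_success = {}                   # user -> most recent successful event
    recent_failures = defaultdict(list) # (user, ip) -> times of failed sign-ins

    def alert(kind, e, detail):
        alerts.append({"type": kind, "user": e["user"],
                       "time": e["time"].isoformat(), "detail": detail})

    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            recent_failures[key].append(e["time"])
            continue
        if e["result"] != "success":
            continue

        # 1. Many failures from the same IP shortly before this success.
        fails = [t for t in recent_failures[key] if e["time"] - t <= FAILURE_WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            alert("brute_force_success", e,
                  f"{len(fails)} failed sign-ins from {e['ip']} in the last {FAILURE_WINDOW}")
        recent_failures[key] = []

        # 2. Two successes from different countries closer together than TRAVEL_WINDOW.
        prev = last_success.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["time"] - prev["time"] <= TRAVEL_WINDOW):
            alert("impossible_travel", e,
                  f"{prev['country']} at {prev['time'].isoformat()} then {e['country']}")

        # 3. A country this account has never successfully signed in from before
        #    (the very first sign-in establishes the baseline and is not flagged).
        if seen_countries[e["user"]] and e["country"] not in seen_countries[e["user"]]:
            alert("new_country", e, f"first successful sign-in from {e['country']}")

        seen_countries[e["user"]].add(e["country"])
        last_success[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['time']} {a['type']:<20} {a['user']}: {a['detail']}")
```

Against the constructed log this reports three alerts for the treasurer account and nothing for the volunteer: the early-morning success preceded by five failures, the first sign-in from a new country, and a UK sign-in 35 minutes after the overseas one. Any one of these is a prompt to confirm the activity with the account holder by phone and, if it is not theirs, to reset the password and review recent sent mail and forwarding rules.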

3. Ransomware via Email Attachments

Email remains one of the primary delivery methods for ransomware. A single click on a malicious attachment can encrypt your entire system.

For charities, this can mean:

  • Loss of beneficiary records
  • Inability to access donor databases
  • Disruption to frontline services
  • Potential data protection breaches

With limited IT budgets, recovery can be especially challenging.

How to reduce the risk:

  • Use advanced threat protection and attachment scanning (endpoint protection / anti-virus)
  • Block high-risk file types
  • Maintain secure, offline backups
  • Regularly patch systems and devices

4. Human Error in Small Teams

Charities often rely on small teams and volunteers who may not receive regular cybersecurity training.

Common risks include:

  • Sending beneficiary data to the wrong person
  • Clicking malicious links
  • Reusing passwords
  • Sharing sensitive information without encryption

Because many charities process personal and sometimes vulnerable data, mistakes can have serious safeguarding and compliance implications.

How to reduce the risk:

  • Deliver simple, practical cyber awareness training
  • Implement data loss prevention (DLP) tools
  • Use password managers
  • Create clear email and data handling policies

5. Messenger System Fraud and Other Fraud

Individuals within a charity, often because of a lack of training or a lack of time, can also fall victim to other types of fraud carried out through systems such as WhatsApp or Facebook Messenger, or through items such as QR codes.

Attackers often use:

  • A phishing email that impersonates the CEO or another leader and insists on moving the conversation to a messenger platform such as WhatsApp, which then leads to a request to buy large volumes of vouchers or other items that can be sent electronically to the fraudster
  • Fake QR codes sent by email that, when scanned, direct a payment to the fraudster

Because charities often rely on many part-time staff and volunteers who do not always have the time to stop and consider a request, the good nature of the sector and of these people can lead them to act on requests without considering the consequences.

How to reduce the risk:

  • Remind staff of what requests will come through internally
  • Deliver practical cyber training so staff can more easily spot spurious contact methods
  • Implement external email banners and other phishing protections on email systems
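Several of the controls recommended in this article are things an email administrator can express as transport rules: blocking high-risk attachment types (section 3), adding an external-sender banner (this section), and flagging mail whose display name matches a senior leader but whose address is outside the organisation (sections 2 and 5). The script below is an added example written for this article, not code from the author or from any email product; it applies those three checks to constructed messages using only Python's standard library. The internal domain, the leader names, the extension list and the sample messages are all assumptions for the demonstration.

```python
"""
Added example (not from the original article): a small mail-triage policy
applying three controls the article recommends. Domain, leader names,
extension list and sample messages are constructed for the demonstration.
"""
import os
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-charity.org"        # assumed internal domain (exact match only)
LEADERS = {"jane smith", "sam jones"}          # assumed senior leaders, casefolded display names
HIGH_RISK_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".bat", ".cmd"}
EXTERNAL_BANNER = ("[EXTERNAL] This email came from outside the organisation. "
                   "Do not act on payment or voucher requests without verifying by phone.")


def sender_parts(msg):
    """Return (casefolded display name, lowercased address, domain) from the From header."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().casefold(), addr.lower(), domain


def risky_attachments(msg):
    """Filenames whose final extension is on the block list ('invoice.pdf.exe' counts)."""
    found = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if os.path.splitext(filename.lower())[1] in HIGH_RISK_EXTENSIONS:
            found.append(filename)
    return found


def triage(raw):
    """Decide what to do with one raw RFC 822 message: block, quarantine or deliver."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_parts(msg)
    external = domain != INTERNAL_DOMAIN
    reasons, action = [], "deliver"

    bad = risky_attachments(msg)
    if bad:
        action = "block"
        reasons.append("high-risk attachment: " + ", ".join(bad))

    # Display-name impersonation: looks like a leader, but the address is not ours.
    if external and name in LEADERS:
        if action != "block":
            action = "quarantine"
        reasons.append(f"display name matches a senior leader but sender {addr} is external")

    # Everything external that is still delivered gets the banner prepended.
    banner = EXTERNAL_BANNER if external and action == "deliver" else None
    return {"action": action, "external": external, "banner": banner,
            "reasons": reasons, "subject": str(msg.get("Subject", ""))}


def build_message(from_header, subject, body, attachment=None):
    """Construct a sample message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = f"finance@{INTERNAL_DOMAIN}"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        filename, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_string()


# Constructed sample messages covering the four outcomes.
SAMPLES = {
    "internal": build_message('"Jane Smith" <jane.smith@example-charity.org>',
                              "Board papers", "Attached for Thursday."),
    "impersonation": build_message('"Jane Smith" <jane.smith.ceo@webmail.example>',
                                   "Quick favour", "Are you free? Message me on WhatsApp."),
    "blocked": build_message('"Accounts" <billing@supplier.example>', "Invoice",
                             "See attached", ("invoice.pdf.exe", b"MZ\x90\x00")),
    "external_ok": build_message('"Accounts" <billing@supplier.example>', "Invoice",
                                 "See attached", ("invoice.pdf", b"%PDF-1.4")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:<14} -> {result['action']:<10} {result['reasons']}")
```

Run as a script it prints one line per sample: the internal message is delivered untouched, the look-alike CEO message is quarantined for review, the double-extension executable is blocked outright, and the ordinary supplier invoice is delivered with the banner. The display-name rule is deliberately simple; a production rule would also match close variants of the names and watch the Reply-To header, which the article's advice to verify payment requests by phone covers regardless of how good the filter is.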

And as always, if you would like any advice, please contact me at [email protected] or call me on 01473 345321.