A cybersecurity alert has been issued to charities in the U.K. to warn them of mandate fraud, following a recent jump in the number of reported cases.
What happened?
The Charity Commission for England and Wales admitted to receiving several complaints about fraudsters targeting charities in the country.
A spokesperson for the Charity Commission said, "We have received several reports from charities who have been targeted by fraudsters impersonating members of staff, specifically attempting to change employees' bank details."
Modus operandi
The scammers reportedly sent fake emails from spoofed email addresses that closely mimicked the real email address of the member of staff being impersonated.
"With a strong social engineering element, the fraudster often states that they have changed their bank details or opened a new bank account," said a Charity Commission spokesperson.
Actions taken by the commission
As per the Charity Commission’s notice, charities were advised to refrain from opening any attachments or clicking on any links contained in unexpected or unusual emails.
"Check email addresses and telephone numbers when changes are requested. If in doubt, request clarification from an alternatively sourced email address or phone number," said the Charity Commission spokesperson. "Sensitive information you post publicly or dispose of incorrectly can be used by fraudsters to perpetrate fraud against you. The more information they have about your charity and employees, the more convincingly they can appear to be one of your legitimate employees."
Earlier this year, the Cyber Security Breaches Survey 2019 revealed that over two-thirds of high-income charities recorded a cyber breach or attack in 2018. Of those charities affected, the vast majority (over 80 percent) had experienced a phishing attack.