On Thursday 21st October Global Cyber Alliance hosted a Twitter Chat in support of Charity Fraud Awareness Week. Charity Fraud Awareness Week is an award winning campaign run by a partnership of charities, regulators, law enforcers, representatives and umbrella bodies, and other not-for-profit stakeholders from across the world to raise awareness of fraud and cybercrime and share good practice to #StopCharityFraud. The Charity Fraud Awareness Week was launched in 2017 through a partnership between The Fraud Advisory Panel and Charity Commission of England and Wales and has grown year on year since. More information about the week, resources, guides and checklists are available here.
The Twitter Chat was fast paced and packed full of really great advice from around the globe! We have pulled the transcript of the chat together here as a permanent record – we wanted to make it easy for anyone to access the valuable resources, guidance and information provided by the participating organizations, who kindly gave their time and expertise to help protect charities and nonprofits from online fraud and cyber attack whilst providing donors tips and guidance for safe giving.
So here we go:
Q1: What are the warning signs donors should be aware of when giving online?
@TakeFive Criminals use many different hooks to grab your attention. They try to rush/panic you hoping you’ll let your guard down for just a moment. Taking a moment to stop and think before parting with your money or information could keep you safe.
@StaySafeOnline One warning sign of a fraudulent charity is when they ask for donations in cash or to wire money directly to them. Also check for a lock icon in your address bar when on a charity’s site to ensure a level of encryption is in place
@EC3Europol If you want to donate to a charity, make sure to:
1. thoroughly research them before choosing one
2. take your time, don’t be rushed into making a contribution
3. think twice if you’re prompted to pay through wire transfer or #cryptocurrencies
@CyberEssentials Be aware of fake websites, look for a padlock in the address bar and the letters https://. Check for a certificate to the left of the address bar. Learn about phishing emails and never click a link unless you are 100% sure the email is genuine.
@CharityNav Be extremely wary of random inquiries – even if the email/text message uses the name of a well-known charity or logo/branding. Things like misspellings, poor grammar/syntax, telephone numbers w/area codes that appear suspicious.
Also, the pressure to “Give NOW!” is a common tactic. In the US, orgs that are tax exempt are registered by the IRS. Every charitable orgs have a unique number. If they aren’t found on the IRS tax exempt search or on Charity Navigator, do not donate.
@apwg_eu Reliable charity’s websites give details about their mission, the programs donors want to support, how they use #donations, etc. Be suspicious when no detailed (or very poor) information about their mission or programs is provided.
@GetSafeOnline If the website or payment page address is slightly misspelled, there’s no physical address and/or there’s no charity number (so not registered with the Charity Commission or the equivalent in other countries)
Q2: What tactics do criminals use to trick donors into going to fake websites?
@apwg_eu #Scammers use names like those of real charities and rush their victims into making a donation. Some of them ask #donors to pay in cash, by gift card, or by wiring money. Simply, don’t do it.
@StaySafeOnline Scammers will use phishing and may impersonate emails or charities you trust to persuade you to click on an illegitimate site that is trying to capture your personal data/payment info. Learn more about phishing: https://staysafeonline.org/stay-safe-online/identity-theft-fraud-cybercrime/spam-and-phishing/
@TakeFive Criminals are experts at impersonating people and trusted organisations. They use tactics called spoofing, phishing and cloning to make their texts, emails and websites appear genuine. Remember to Take Five and ask yourself – could this be fake?
@GetSafeOnline Mainly fake emails, texts, social media posts and phone calls, often exploiting a major disaster like an earthquake or famine
@EC3Europol Criminals use many different tactics to trick victims and #phishing is one of them
1. be wary of clicking on links in unexpected emails
2. mouse over the URL to see where a link will direct you
3. watch out when using a mobile device, where you can’t mouse over
@CharityDigiOrg Phishing emails, texts and phone calls are the most popular. Look out for signs of phishing in the information hackers share – misspelling, no personalisation, etc. If you have the smallest suspicion that it’s a hacker and not a charity, ignore and avoid!
@CharityNav Having the same or similar branding as legitimate charities-This is very common. Using the names, perhaps individuals who work at the organization, like the Pres/CEO’s name on the page. Call the charity and verify w/their development/fundraising office.
@EMEA_GCA Great suggestion – calling the charity to double check! And use a number known to be theirs!
@CharityNav Exactly! Check, double-check, triple check. Use Google and search for the charity’s name along with the word “scam”, and search through social media. People are very open online when they feel they’ve been duped/scammed. Research is your friend.
@MKaiserDDC Take advantage of news events: earthquakes, floods, human disasters to draw in people who naturally want to help.
Q3: What steps can charities take to reassure donors that they are genuine?
@GetSafeOnline Include your physical address and charity number. And make it easy for people to contact you to satisfy themselves that you are authentic
@StaySafeOnline Transparency is key! Charities should make financial information accessible on their websites and in publications. Donors should also look up the charity and URL in a search engine to ensure it’s legit.
@TakeFive Remember to #TakeFive #Stop and look up charities and their genuine URLs in a search engine to ensure it’s legit. Always use the recommended secure payment methods too.
@CharityDigiOrg When campaigning it’s good to use multiple channels. For example, a donor can see that you are fundraising on your website, social, out of the home, text, and via other means. You could also set up security measures like banks do to verify details only you would know!
@Sightline_Sec Using a secure website environment for charities is paramount “HTTPS” :)
@CyberEssentials Charities could get #CyberEssentials certification. Being listed on the NCSC Cyber Essentials directory will reassure donors that they have implemented controls that protect against the most common cyber-attacks to keep customer data & donations safe.
@CharityNav Ensure your unique Employer Identification Number (EIN) is easily found on your website. Put it in the footer of your website. It should not be difficult for donors to find. If you’d prefer not to add it to the footer, list on your donate page.
Also, if the name of your charity registered by the IRS is different from the name being used publicly, make that clear on your donate page w/ EIN. Donors should be able to double check your EIN on the IRS tax exempt search page or Charity Navigator.
Fundraising is challenging. Donors have a lot of choice. Do not make it more difficult for them to support your legitimate organization.
@Fraud_Panel Charities should educate donors so they know what a genuine fundraising campaign looks like!
@EMEA_GCA There is some excellent advice from @ChtyCommission for UK based charities and nonprofits on ways to help https://www.gov.uk/guidance/protect-your-charity-from-fraud
@GoodFundScot Charities can reassure donors by:
• registering for the Fundraising Guarantee https://www.goodfundraising.scot/fundraising-guarantee/ or the Fundraising Badge. https://www.fundraisingregulator.org.uk/registration
• Being transparent and ensuring their fundraising is Open, Honest, Legal and Respectful.
@apwg_eu Clearly specify their mission, respond quickly to questions and complaints by facilitating a #phonenumber that donors can call if they have a question or a problem, and keep their paperwork up to date.
Q4: How can a donor check if a charity is legitimate and their website genuine?
@StaySafeOnline Legit charities will be registered with the IRS with an Employer Identification Number. Many will have this number listed on their site. You can also check third-party websites like GuideStar and Charity Navigator to confirm legitimacy.
@Sightline_Sec For a quick check, donors can hover over the charity’s URL they can verify it’s exactly where they want to be going, and if anything looks or feel off in any way reach out to charity via phone or email.
@GetSafeOnline Look for the charity number, then go to https://register-of-charities.charitycommission.gov.uk/charity-search which is a government website that lists all UK registered charities and their details … or the official charity regulator in your country
@CharityDigiOrg You can verify a charity’s information with the charity commission where they are based by using their charity number to search the register. Eng and Wales https://www.gov.uk/government/organisations/charity-commission Scotland https://www.oscr.org.uk/ and NI https://www.charitycommissionni.org.uk/
@EC3Europol Type the charity website directly, rather than clicking on a link. Do your research and see what others are saying. Donate through a fundraising platform that you trust See more tips on the @GetSafeOnline page: https://www.getsafeonline.org/personal/articles/donating-to-charity-online/
@CharityNav Visit the IRS tax exempt search page here: apps.irs.gov/app/eos/ or Charity Navigator: charitynavigator.org Donors can plug in the charity’s unique Employer Identification Number (EIN). If they are who they say they are, they will be found.
Also, we should caution that having a website does not make a charity legitimate. Creating a website takes very little money. Websites can look professional very easily. Donors should always use registration numbers to check their legal status.
@ESARiskUK Look for a padlock icon in your web browser’s toolbar when you visit a charity’s website. This shows they have an SSL certificate which authenticates the site and ensures data and transactions are secure.
@ChtyCommission For charities in England and Wales with an income of over 5K, check if they are registered with us. You can also check their contact details against those we hold: https://register-of-charities.charitycommission.gov.uk/charity-search
@Fraud_Panel Follow these three steps
1. Look for the Fundraising Badge or the Fundraising Guarantee @GoodFundScot @FundrRegular
2. Check the fundraising platform has committed to the UK Code of Fundraising Practice
3. Think carefully before donating into a private bank account.
Q5: What should a donor do if they think they have been scammed or donated to a fake website?
@GetSafeOnline Report it in this order: (1) the bank with whom you have the account the money was paid out from (2) The Charity Commission or equivalent regulator in your country (3) Action Fraud or if not in the UK, the police
@StaySafeOnline There are plenty of resources available. You can report the fraud to the FBI through https://www.ic3.gov/ or report to the Federal Trade Commision here https://reportfraud.ftc.gov/
@CharityDigiOrg If you are unsure that the website is genuine don’t give! Look the organisation up with information that can be verified like with the charity commission and follow donation procedures via the organisation’s main website.
@TakeFive Contact your bank immediately if you think you’ve fallen for a scam and if in England, Wales and Northern Ireland report it to the police at @actionfrauduk If you are in Scotland, please report to Police Scotland directly by calling 101.
@CharityNav In the U.S., report allegations to: The Federal Trade Commission, the Attorney General Office of the state where the organization is doing business, and the IRS. Here are two sites: https://reportfraud.ftc.gov/ and https://www.nasconet.org/
@Fraud_Panel In the UK you can report fraud to @actionfrauduk or @PoliceScotland ! Also think about telling the real charity
Q6: What can charities do to secure their websites and protect their donors whilst giving?
@StaySafeOnline Charities should have firewalls to keep donor information secure and ensure they are only asking for and storing necessary donor data. Learn more about how to protect your org’s data: https://staysafeonline.org/resource/protecting-customer-data-2/
@GetSafeOnline Secure site with SSL, update all plugins & extensions, use secure, unique passwords & 2FA, ensure you’re using secure hosting service, don’t store donors’ private/payment details on a public ecommerce server, have site pen tested at least once a year
@CyberEssentials Make sure your site uses a certified SSL connection Have a strict password policy especially for administrative accounts. Keep software up to date. Use a web hosting service with security as a top priority. Get #CyberEssentials to protect donor’s data.
@CharityDigiOrg Adhere to privacy and GDPR laws. Have a valid SSL certificate. Install secure payment gateways. Make sure you have the right protective tech in place – firewalls, antivirus etc.
@ESARiskUK We’re online for #GCAchat with @GlobalCyberAlln, sharing ideas about how to help your charity become more cyber-secure. Installing firewalls and/or anti-virus software is usually a good place to start.
Q7: What should a charity do if they think a criminal is impersonating their website?
@EC3Europol A charity in this situation should react immediately: gathering all possible evidence and reporting it to the national police
@CharityNav Reach out to their lawyer/legal representative, if they have one. Reach out to their local Attorney General’s Office. Reach out to the Federal Trade Commission. Last, notify your donors cautioning them of the fraud (so that they don’t fall victim).
@GetSafeOnline Issue a warning to all donors, partners and other stakeholders. Report it to the NCSC (or your country’s equivalent) who can investigate and arrange the fake site to be taken down
@StaySafeOnline Send a cease and desist letter to the site admin or domain registrant and notification to the domain registrar. Report to FTC, https://us-cert.cisa.gov/report , or https://www.fbi.gov/investigate/cyber
@TakeFive Report scam ads appearing in paid for space online by visiting the Advertising Standard Authority’s website where you can complete their quick reporting form. (in the UK)
@MKaiserDDC Know you could be in for a wack-a-mole situation. Likely these sites will short-lived. Do quick damage close down and reappear. Need to stay vigilant
Q8: How should charities protect their sensitive donor and beneficiary data?
@GetSafeOnline Make sure the data isn’t stored on a public ecommerce server, review passwords and access privileges, follow the advice on https://www.getsafeonline.org/ business site on data loss prevention
@StaySafeOnline Protect donor data by training staff how to collect, store, and dispose of personally identifiable information. Help your employees understand the importance of data privacy https://staysafeonline.org/resource/5-ways-help-employees-privacy-aware/
@CharityDigiOrg Limit access to only those that need it. Regular GDPR and Data handling training. Store in a proper donor management system with added security, avoid spreadsheets or paper!
@CyberEssentials #CyberEssentials is a simple government backed scheme to help charities protect their sensitive data from cyber-attack. Our free online Readiness Tool with guidance written for charities is a good first step https://iasme.co.uk/cyber-essentials/charities-guidance/
@Sightline_Sec The first step is to know what data you have (make a list), then what systems that data is created in, moves thru, and stored – then prioritize it! Break it down to – what information, if stolen or compromised, would impact your mission.
@apwg_eu As personality traits of the victims might play an important role in charity #scams, charities should develop personalized #training programs amongst their employees to maximize their resilience to #cyberattacks
1. Restrict access to personal data stored on paper
2. Never leave personal data unaccompanied at an event
3. Keep sensitive information separate to limit exposure
4. Follow good data protection and cyber security practices @ICOnews @NCSC
@MKaiserDDC Start with basics: Use the strongest ( a security key) authentication available, Only share data through encrypted platforms (signal, @myWickr), protect website from attacks, create expectations–policies–for staff about their roles
Q9: What is patching and why is it important?
@StaySafeOnline Patching addresses vulnerabilities in software that keep hackers from exploiting a flaw. They are delivered in the form of updates so remember to always perform software updates as soon as they are available!
@GetSafeOnline It’s applying updates to operating systems/software/apps to ensure all the vendors’ security fixes are in place, reducing chances of cybercriminals exploiting weak points in older versions. Set your devices apps to update automatically if possible.
@CharityDigiOrg Protects against security flaws in patches, allows you to control patch deployment and rollback any that may have issues!
@CyberEssentials Common coding errors can create opportunities for cyber criminals. Applying regular patches from manufacturers fixes these vulnerabilities. Find out more here https://iasme.co.uk/cyber-blog/the-five-core-controls-of-cyber-essentials-security-update-management/
@Sightline_Sec Patching installing an update, fix, or make you more secure. Think of it as a patch on a hat-to get wet in the rain, you need to make sure your hat doesn’t have tears or holes in it. Attackers love to poke at things to see where weak spots are.
@EMEA_GCA It closes down known weaknesses – look back at the #WannaCry #ransomware attack of 2017 – those that had applied the available software update (#patch) were safe. Set your systems to auto update –more here: https://gcatoolkit.org/smallbusiness/update-your-defenses/?_tk=update-your-devices-and-applications
@MKaiserDDC The routine maintenance of keeping your systems up and running with the most secure software currently available from your software provider.
@apwg_eu Old #software may contain well-known vulnerabilities that #BlackHatHackers may use to perpetrate their #intrusion. As software updates are usually released by providers, just click and download the latest version to bring your systems up to date.
Q10:What information should charities backup and how often?
@GetSafeOnline All info needed for ops, marketing, financial & regulatory purposes (as long as compliant with the GDPR or the data protection regs in your country). It’s vital in case of ransomware or just a system failure. Should be done daily or in real time
@StaySafeOnline Documents, communications lists, contacts, email files and other critical data or assets should be backed up at least once a week. Remember to keep track of where your backups are stored. Read more about backups: https://staysafeonline.org/stay-safe-online/online-safety-basics/back-it-up/
@Sightline_Sec #1 know what information you have that’s valuable or vital. #2 know where it lives (stored). When you know these two things, you can determine type(s) of back-ups needed and a reasonable cadence. It doesn’t have to be all or nothing.
@EC3Europol: Easy rule of thumb: Back up any data that, if lost, would negatively affect your organisation
Back it up regularly and create copies that are kept offline and/or in a cloud service designed for this purpose. More tips: https://www.nomoreransom.org/en/prevention-advice-for-businesses.html
@apwg_eu Charity’s critical data, information on beneficiaries, invoices and payments details should be backed on a regular basis. These #backups should be recent and could be restored
@MKaiserDDC Start by making sure your most valuable data to you–and bad actors–is safely back up disconnected from your network.
Q11: What should charities do if they think they are subject to a cyberattack?
@StaySafeOnline Immediately disconnect the charity’s network from the internet to cut off bad actors’ access and prevent them from exfiltrating any more data.
@GetSafeOnline Keep calm! Assemble team to prioritise. Tell colleagues, trustees, donors, other stakeholders. Determine MO & stop any spread, you may need to engage a specialist for this. Depending on data involved, you may have to report to the ICO or equivalent
@Sightline_Sec Immediately start documenting what’s happening – screenshots, dates, time! Contact the BoD and IT vendor(s) to set in motion a plan if you don’t have one already. And breathe! An attack can be frightening so remember to breathe.
@CharityDigiOrg Assess the damage. Talk to people in the know – @NCSC. Create a recovery plan. Report to authorities – ActionFraud, ICO. Take preventative measures for the future. Own the attack and use your learnings to help others. Be honest!
@EC3Europol Report any #cyberattack (attempt)! Find some reporting mechanisms here: https://www.europol.europa.eu/report-a-crime If you’ve fallen victim to #ransomware , visit #NoMoreRansom to check if a decryptor is available free of charge: https://www.nomoreransom.org/en/index.html
@Fraud_Panel Check out this helpsheet on cyber security from the @NCSC https://preventcharityfraud.org.uk/document/cybersecurity/
@apwg_eu Check-out the @Europol #cybercrime report site: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online , or report it to [email protected]
@MKaiserDDC They should have prepared in advance :). Have key members–legal, comms, it–in place ready to respond and plans for continuity of operations. If an attack occurs, kick your plans into action.
We have a pretty extensive #IncidentResponse checklist here: https://www.defendcampaigns.org/incidentresponse
Thanks All! WOW this has been a great chat full of really practical advice and useful information – any final thoughts or additional resources you’d like to share?
@CharityNav We’d encourage donors to be vigilant always but esp this time of year as the holiday season approaches. (Also, be vigilant during times of disasters). Don’t ever feel pressured to give. Take your time, and be intentional about your charitable giving.
For more info & to determine how to put a charitable giving plan in place during the giving season, and for the upcoming calendar year (yes, 2022 is around the corner!), visit Charity Navigator. See: https://www.charitynavigator.org/index.cfm?bay=content.view&cpid=6506 and https://blog.charitynavigator.org/2021/10/charity-fraud-awareness-week-do-your.html
@EC3Europol Thanks @GlobalCyberAlln for hosting this #GCAchat! It was good to share our expert tips & learn something new from the other participants!
Last tip: if anyone is looking for some more #cybercrime awareness advice, visit this @Europol page: https://www.europol.europa.eu/activities-services/public-awareness-and-prevention-guides
@EMEA_GCA Check out Cyber Hygiene for Mission-Based Organizations which includes access to the @GlobalCyberAlln Cybersecurity Toolkit for Small Business and the @PIRegistry .org Learning Center! https://globalcyberalliance.org/mission-based-organizations/
@MKaiserDDC Feel free to check out @DefendCampaigns recently launched #KnowledgeBase chock full of information and how to’s https://defendcampaigns.zendesk.com/hc/en-us
@DefendCampaigns also has raining for political organizations on cybersecurity. https://www.defendcampaigns.org/events
@Fraud_Panel Thank you to everyone for joining the #GCAchat #TwitterChat today! For more information on #StopCharityFraud visit https://preventcharityfraud.org.uk/
Our thanks to:
Fraud Advisory Panel using @Fraud_Panel
Take Five to Stop Fraud using @TakeFive
National Cybersecurity Alliance using @StaySafeOnline
Europol EC3 using @EC3Europol
IASME using @CyberEssentials
Charity Navigator using @CharityNav
ESA Risk using ESARiskUK
APWG.EU using @apwg_eu
Get Safe Online using @GetSafeOnline
Charity Digital using @CharityDigiOrg
Michael Kaiser using @MKaiserDDC
Sightline Security using @Sightline_Sec
Scottish Fundraising Standards Panel using @GoodFundScot
Charity Commission for England and Wales using @ChtyCommission
Global Cyber Alliance using @GlobalCyberAlln and @EMEA_GCA
The chat took place using the Hashtag #GCAchat – with #stopcharityfraud #BeCyberSmart and #ThinkB4UClick featuring heavily!
Do follow the expert recommendations and check out the resources provided.