I wonder how many of us have ever received a “phishing” email? It is perhaps a sign of the times that it is now often not necessary to explain what the term “phishing” means. There has been much publicity around attempts, often successful, to persuade a recipient to click on a link that will download malware or send the user to a malicious website.
Such links can come through a variety of means e.g. email, text message, WhatsApp or other social media content. The sender can then use the link to collect information such as passwords, personal details of donors, bank account details or perhaps even install ransomware which will render accounting systems unusable until a ransom is paid over.
The fraudster might even go on to use data collected, to impersonate the targeted organisation by then targeting customers, clients and donors and being able to appear genuine thanks to the information collected through the phishing attack.
The risk to a church or charity being a victim of such an attack is considerable and the implications might not only be financial but also reputational, not to mention the additional risk to other individuals whose details are stored on the system concerned.
For example, a staff member at one church inadvertently clicked on a link in a fraudulent email and, as a result, malware was downloaded to the church’s system. This gave the fraudster access to the church’s Gift Aid records which included personal details of the donors, which were then used to attack many of the donors individually. This information was of particular benefit to the fraudster as many of the individuals were less aware of the risks of clicking on links in emails sent directly to them.
I am sure many of us feel frustrated at the increasing number of emails which appear each day in our inboxes, partly as a result of an ever-expanding list of subscriptions or marketing lists that we find ourselves on. This not only makes it difficult to spot genuine emails but also difficult to identify phishing emails. A very simple first step is to make use of the automatic categorisation of emails that most providers offer so that only important emails find their way into the main inbox. Of course, it is still necessary to check the other inboxes, but categorising emails in this way should help to identify those which could potentially be phishing. Where possible, unwanted emails from marketing lists should be unsubscribed from, rather than just ignored.
It is also worth making email addresses difficult to be automatically picked up from websites etc. One way of doing this is to use “at” instead of “@” in published email addresses with a separate note asking users to use the “@” symbol when emailing. This will avoid the email address being picked up by website scanning software.
Individuals within a church or charity who are regular recipients of emails should be trained in how to identify potentially fraudulent emails. Does the email look right? Are there spelling or grammar mistakes or perhaps any images might appear to be blurred? These are all signs that the email might not be genuine. However, even fraudulent emails can be of a very high standard, and it is always worth asking some very basic questions:
- Does the email address look genuine (not just the name of the sender but the whole address)?
- Would I expect to receive an email from this person or organisation?
- Is this person asking me to do something that is not part of my normal role, e.g. where an email is received asking a trustee who is not normally involved in financial matters to ask the treasurer to make a payment?
Many organisations arrange through their IT support service for test emails to be sent to users. This allows the organisation to check how alert users are and how many of them might click on fraudulent links. Such emails tend to include clues which should have alerted the user that they were not genuine, and which can then be used as examples in future training events.
As you will appreciate this whole subject is becoming more and more complex, but thankfully there is guidance available to help us navigate the potential problems. The National Cyber Security Centre (the NCSC) website contains lots of useful information:
- Learn more about defending against phishing attacks at Phishing attacks: Defending Your Organisation
- And how to avoid attacks at Phishing attacks: How to avoid them
- And read the Small Charity Guide at Small Charity Guide
- Make use of NCSC Training for staff which can be found at Staff Training Resources
If in doubt it is always worth checking. Very little is so important that it must be done immediately. The golden rule is never click on a link or picture within a message unless you are absolutely sure that it is genuine.
Phishing attacks will continue to increase in number, but hopefully by following the available guidance the effects of those attacks can be minimised.
Sharpen
Quarterly emails for trustees, treasurers and Church and Charity Leaders. Practical tools, technical resources and expert guidance to safeguard your mission and ministry.
Archie McDowall
Archie joined our Accounts Examination Services team in 2020. Prior to this he was Deputy General Treasurer of the Church of Scotland and before that he managed the charity audit section of a firm of Chartered Accountants. Archie has been involved in advising treasurers and trustees of charities for many years and has also served as a trustee of various charities.
Archie and his wife Sarah live in Essex, where he preaches and leads worship in various different churches on a regular basis. Their daughter, son-in-law and two grandchildren live in Lancashire. In his spare time Archie enjoys going to the theatre.
Archie is passionate about the local church and the ways in which it serves its community and the most vulnerable on the margins of society. He recognises the importance of supporting volunteers within churches, particularly those who are facing pressures to comply with increasingly complex legislation on finance and governance.
