• Profile picture for user Vinh Nguyen

    Vinh Nguyen

    Vinh Thanh Nguyen is currently Technical Consultant at Mimecast where he has been since November 2018. Vinh has been working in the technology industry for almost 5 years and draws on his previous experiences of startups and larger enterprises to understand and help align customer business needs with the technical solutions that Mimecast provides.  Since starting at Mimecast Vinh has adopted a key focus on the human element of security, consulting and providing product demonstrations around the additional security available to an organisation from a staff perspective.

    Prior to his role at Mimecast, Vinh worked as solution architect for cloud-based communications platform Whispir, a Melbourne-based startup in Australia.

    Comments:0

    Add comment
Vinh Nguyen

How charities and not-for-profits are being targeted

Content

Charities and not-for-profits play an important role in our society. They provide vital services to those in the community who need assistance and provides the public with a safe and transparent way to give back to their communities.  

Thanks to the goodwill and generosity of our communities, and of collective individuals, the charity sector has grown in leaps and bounds: 

  • In the 2019 reporting year, charity revenue grew by 6.8% – significantly more than the 2.2% growth of the Australian economy in the same period. 

  • Donations rose to $11.8 billion in the 2019 reporting year – an increase of $1.3 billion from the previous year1. 

 
As community member seeing these numbers, you can’t help but feel proud of how Australians are doing their part to support these vital services and help the most vulnerable in our communities. 

Now let’s change the lens that we use to look at charities and not-for-profits, and think of how they would look from a cybercriminal’s perspective. You can most likely see how these institutions could be a ‘treasure trove’ for hackers.  Threat actors and cybercriminals have proven time and again that they don’t discriminate in their choice of targets, and they don’t limit themselves to big businesses with deep pockets.  
 

Hackers are not above targeting charities

A common misconception, and not limited to just charities and not-for profits, is the notion ‘we’re too small for the hackers to want to deal with us’.  The ASCSC’s ‘Cyber Security and Australian Small Businesses2’ report states that there is one report made to the ACSC every 10 minutes from SMBs, and that 62 per cent of respondents surveyed have experienced a cybersecurity incident.  Over half of Australian charities fall under the SMB category: 

 

Image
Content

Image source: Australian Charities and Not-for-profits Commission - Australian Charities Report 7th edition  


Cybercriminals are opportunists, and they will exploit any opportunity they can get. Unfortunately, charities and non-for-profits generally don’t have the funds to spend on elaborate cybersecurity, which makes them especially vulnerable. Let’s take a closer look at how charities and not-for-profits become prime targets for cybercriminals. 
 

Do your donations go where they’re supposed to? 

Donations and gifts are just some of the ways that the generous support their favoured charities and not-for-profits, usually in the form of money. There are of course, strict rules around who can donate, how much, and how, to keep everything regulated and above-board. 
 
The Australian Charities and Not-for-profits Commission requires charities to provide information about their finances, and larger charities must submit an annual financial report that includes their operational costs and financial information. For most non-profits, sources of revenue can include: 

  • Federal and State Government Grants 

  • Community Grants 

  • Donations 

  • Fundraising 

  • Fees for service 

Specifically, donations generally make up a large portion of the revenue coming in for charities and not-for-profits. Given how the way of working has changed due to the pandemic, so has the way donations are collected. Non-profit organisations use digital platforms designed to make the donating process as convenient as possible, enabling donors to send through their contributions in just a few clicks.  
 
Applying the same logic, cybercriminals set traps in a way that unsuspecting users can send them funds in just a few clicks, or even get the donor’s credit card information without raising any alarm bells. One of the ways they do this is by creating their own fake charity, or even posing as a genuine charity.  
 
While it's bad enough that the donors suffer a personal financial loss, many don’t consider the follow-on consequences for the real organisation. Many of these charities and not-for-profits build their entire reputations on trust and transparency, which is why their branding carries a lot of weight and importance. Given that donations are a big part of their revenue, any doubt in the legitimacy of a donation request can result in huge financial losses. Brand reputation is one of their most valuable assets, and anything that compromises that can be a death sentence for the organisation. 
 

You’re donating more than just money 

When you donate, you share a lot of information that hackers would love to get their hands on. First name, last name, credit card information, online account details (e.g. PayPal), email address, mobile number etc. Charities love to thank their donors, either through an e-mail or SMS, and stay in touch for more potential donations later down the track.  
 
With these personal details, in addition to the knowledge that these individuals have been known to donate to specific charities and not-for-profits, cybercriminals can construct a highly sophisticated scam targeting these individuals. For example, a professional-looking phishing e-mail containing all the recipient’s details could lead would-be donors to a fake page that looks exactly like the charity or not-for-profit they donated to previously.   

The digitally-savvy among us, especially those who have gone through some form of cybersecurity training, are generally better equipped to pick up on these highly sophisticated scams. However, this isn’t the case for everyone. It’s unfortunate but a lot of the elderly fall for targeted scams of this type. The ACCC ‘Targeting scams’ report calls out how people aged 65 years and over reported higher losses than any other age group, with almost $38 million lost too cybercrime. 

 

Image
Content

Image source: Targeting scams - report of the ACCC on scams activity 2020


Cybercriminals can also be double-dipping. Not only is personal information useful for crafting sophisticated attacks, but it’s also worth something on the dark web.  I recommend reading my colleague Dan McDermott’s article on what your personal data is worth on the dark web. 
 

Awareness is the best defence 

Charities and not-for-profits do so much for their respective communities, and although it’s not a pleasant topic to talk about, in my view it’s very important that organisations in a similar situation are aware of the risks. The more people and organisations become aware of cyber risks, the safer we all will be. It’s on these organisations to educate donors on how to spot scams, and on donors to do their due diligence before making their contribution to a good cause. 
 
In my next article, I’ll be diving into other areas about the vulnerabilities organisations face, including outdated software/security patches, the risk associated with volunteering, and more on security strategy and resourcing. 

 

Sources: 

  1. Australian Charities Report 7th Edition - Australian Charities and Not-for-profits Commission, published May 2021 

  1. ACSC - Small Business Survey 

Vinh Thanh Nguyen is currently Technical Consultant at Mimecast where he has been since November 2018. Vinh has been working in the technology industry for almost 5 years and draws on his previous experiences of startups and larger enterprises to understand and help align customer business needs with the technical solutions that Mimecast provides.  Since starting at Mimecast Vinh has adopted a key focus on the human element of security, consulting and providing product demonstrations around the additional security available to an organisation from a staff perspective.

Prior to his role at Mimecast, Vinh worked as solution architect for cloud-based communications platform Whispir, a Melbourne-based startup in Australia.

Stay safe and secure with latest information and news on threats.
User Name
Vinh Nguyen