
Phishing Attacks Targeting Charities: How Finance Teams Are Targeted for Fraud

In 2021, a UK charity was defrauded of £180,000 through a business email compromise attack that impersonated the CEO and directed the finance manager to make an urgent international transfer. The charity had no MFA on its email accounts, no out-of-band payment verification process, and no security awareness training. This is not an unusual story — it is a common pattern. Charities are attractive targets for fraud because they hold donor funds, often have limited security controls, and their staff are motivated by mission rather than by scepticism. A request that "seems urgent and important" in a mission-driven organisation rarely triggers the scrutiny it would elsewhere.

UK charities lose an estimated £8 million annually to cybercrime — the majority through phishing-enabled payment fraud and CEO impersonation.

How Attackers Target Charity Finance Teams

Charity finance teams are targeted through several specific attack patterns:

- CEO/trustee impersonation: fake emails from the CEO or a trustee requesting urgent payment transfers, exploiting the authority relationship and the sense of urgency.
- Grant payment fraud: fake emails impersonating a funder announcing a grant payment and asking for bank details to be confirmed, capturing account information for later fraudulent transfers.
- Supplier invoice fraud: impersonating a regular supplier to redirect payment to an attacker-controlled account, typically by "updating" bank details on an otherwise normal-looking invoice.
- Spear-phishing using charity-specific information: attackers research the charity's public activities, funders and senior staff to craft convincing, highly targeted emails.

Charities often do not have the security controls or awareness training that would make these attacks fail against corporate targets, which makes them efficient targets for well-resourced criminal groups.

Protecting Charity Finance Functions from Phishing

Effective phishing protection for charity finance requires:

- MFA on all email accounts, preventing the account compromise that lets BEC attacks be sent from within the charity's own domain. MFA does nothing against a lookalike domain or a free webmail address carrying the CEO's display name, so the controls below have to cover that case.
- Advanced email security with impersonation detection (Coro, deployed by Kyanite Blue, identifies CEO impersonation and supplier fraud attempts). Alongside it, the charity's own domain should publish SPF, DKIM and an enforcing DMARC policy so that exact-domain spoofing of the charity is rejected rather than delivered.
- An out-of-band payment verification process: any new payee or change of payment details must be verified by phone on a number already held on file, never on a number taken from the email and never by replying to it.
- Security awareness training for finance staff specifically on payment fraud patterns.
- A culture where it is safe to question an unexpected or unusual payment request, even from a trustee or senior leader.

The most important single control is the payment verification process: it breaks the attack chain at the point of financial loss, regardless of which email control the attacker got past.
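The impersonation checks a mail filter applies to the patterns above can be shown in a few lines. The following is an added example written for this page, not Coro's logic or any code from Kyanite Blue: it scores an inbound message to a finance mailbox on display-name impersonation of a protected person, a Reply-To pointing somewhere other than the sender domain, a lookalike of a trusted domain, and payment/urgency language. The charity domain, the names, the supplier domains and the three sample emails are all constructed for the example.

```python
"""Heuristic BEC/impersonation checks for mail arriving at a charity finance mailbox.

Added example; the domain, people, suppliers and messages below are constructed.
"""
import email
import email.policy
import re
from email.utils import parseaddr

OUR_DOMAIN = "examplecharity.org.uk"                      # constructed
# People whose authority attackers borrow (CEO/trustee impersonation pattern).
PROTECTED_PEOPLE = {"jane smith": "CEO", "tom brown": "Trustee"}   # constructed
# Regular suppliers and funders (supplier invoice and grant fraud patterns).
TRUSTED_EXTERNAL = {"acmesupplies.co.uk", "examplefunder.org"}     # constructed
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential",
                 "new bank details", "transfer", "wire")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` mimics, or None if it is not a near-copy."""
    for trusted in TRUSTED_EXTERNAL | {OUR_DOMAIN}:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def assess(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else from_domain
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    findings = []
    role = PROTECTED_PEOPLE.get(re.sub(r"\s+", " ", display_name).strip().lower())
    if role and from_domain != OUR_DOMAIN:
        findings.append(f"display name matches our {role} but sender domain is {from_domain}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sender domain {from_domain}")
    mimicked = lookalike_of(from_domain)
    if mimicked:
        findings.append(f"sender domain {from_domain} is a lookalike of {mimicked}")
    hits = [t for t in URGENCY_TERMS if t in text]
    # Urgency wording on its own is normal; flag it only from an untrusted sender
    # or when combined with another indicator.
    if hits and (findings or from_domain not in TRUSTED_EXTERNAL | {OUR_DOMAIN}):
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
CEO_IMPERSONATION = """\
From: Jane Smith <jane.smith.ceo@gmail.com>
Reply-To: Jane Smith <jsmith-private@outlook.com>
To: finance@examplecharity.org.uk
Subject: Urgent transfer today
Content-Type: text/plain

Can you make an international transfer immediately? I am in meetings all day, keep this confidential.
"""

SUPPLIER_LOOKALIKE = """\
From: Accounts <accounts@acmesupp1ies.co.uk>
To: finance@examplecharity.org.uk
Subject: Invoice 4471 - updated remittance information
Content-Type: text/plain

Please note our new bank details for all future invoice payments.
"""

LEGITIMATE_INTERNAL = """\
From: Jane Smith <jane.smith@examplecharity.org.uk>
To: finance@examplecharity.org.uk
Subject: Urgent: board papers
Content-Type: text/plain

Please send me the Q3 management accounts today for the trustee meeting.
"""

if __name__ == "__main__":
    for label, raw in [("CEO impersonation", CEO_IMPERSONATION),
                       ("supplier lookalike", SUPPLIER_LOOKALIKE),
                       ("legitimate internal", LEGITIMATE_INTERNAL)]:
        print(label, "->", assess(raw) or ["no findings"])
```

The checks trust the From header, which is only safe for the charity's own domain if an enforcing DMARC policy has already rejected exact-domain spoofing upstream; that is the reason the domain records matter alongside a filter like this. None of these findings is a reason to block on its own, but any of them on a message that asks for money is exactly the trigger for the phone-back verification step.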

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
