Cyber security is essential for all charities and not-for-profit organisations.
Cyber threats are on the rise in Australia, with charities and not-for-profits prime targets for cybercriminals. In the 2022-23 financial year, ASD received nearly 94,000 cybercrime reports. This averages to one report every 6 minutes.
The effects of a cyber security incident can be devastating and could include:
- financial loss
- data breaches
- reputational damage
- loss of trust from donors and beneficiaries
- harm to the communities you serve.
Key cyber threats
Phishing is a common cyber threat to charities and not-for-profits. Cybercriminals will impersonate an individual or organisation using emails or messages. They will try to trick the recipient into sharing sensitive information or downloading malicious software.
To prevent phishing attacks, train staff on how to recognise scam emails and use multi-factor authentication.
Business email compromise is when a cybercriminal pretends to be someone who represents a company. They may do this by using hacked email accounts or creating domain names that look real. Usually, the goal is to trick victims into sending funds to a bank account they control.
Staff should be wary of requests to make urgent payments or change bank account details. Verify these requests by contacting the sender in another way, for example over the phone or face-to-face.
Ransomware works by locking or encrypting your files so you can no longer access them. Cybercriminals demand a ransom, usually in the form of cryptocurrency, to restore access to the files. They may also threaten to publish or sell data online, unless you pay the ransom.
To prevent and mitigate these attacks, follow our advice to protect yourself from ransomware. This includes backing up important data and securing servers on the network.
Top cyber security tips for charities and not-for-profits
- Turn on multi-factor authentication where possible.
- Check automatic updates are on and install updates as soon as possible.
- Back up important files and device configurations often. Test your backups on a regular basis.
- Use a reputable password manager to create strong, unique passwords or passphrases for your accounts.
- Provide cyber security training, particularly on how to recognise scams and phishing attempts.
- Use access controls and review them often so staff can only access what they need for their duties. This will reduce potential damage caused by malware or unauthorised access to systems.
- Use only reputable and secure cloud services and managed service providers.
- Test cyber security detection, incident response, business continuity and disaster recovery plans often.
- Review the cyber security posture of remote workers and connections. Make sure staff are aware of secure ways to work remotely such as not accessing sensitive information in public.
- Report a cybercrime, incident or vulnerability to protect yourself from further harm.
- Join ASD’s Cyber Security Partnership Program as a business or network partner. This free program provides advice and insights on the cyber security landscape.
Protecting your charity or not-for-profit from cyber attacks is an ongoing process. Review your cyber security regularly to strengthen your charity’s resilience. Seek help from an IT professional if you are unsure.
Resources for charities and not-for-profits
To support your cyber security efforts, we offer resources such as:
- Educational pack for small businesses, including the Essential Eight and Exercise in a Box resources. These tools are valuable for conducting cyber assessments and implementing cyber security measures.
- Small business cyber security guide
- Cyber tips for business presentation [PPT 950KB]
- Have you been hacked?
- Questions for boards to ask about cyber security
- Practical cyber security tips for business leaders
- Securing customer personal data for small to medium businesses
- Small business cloud security guides
These resources will help you assess and strengthen your cyber security practices.
Case studies
Cybercriminals gained access to an email account of a charity that raises funds for families in distress.
It was a staff email account which did not have multi-factor authentication turned on. This would have protected the account against hacking attempts.
The cybercriminals used this email account to send a fraudulent invoice to the charity’s finance department. They convinced them to pay the invoice immediately.
Over $30,000 was sent to the bank details on the fraudulent invoice.
A not-for-profit that supports health professionals and hospital patients had arranged to get funding from a corporate donor.
The donor received an email from the not-for-profit, asking to update their bank account details before the funds transfer.
The donor sent funds to these new bank details, not realising the not-for-profit’s email address was different. The real address ended in .org.au, but the email came from an address ending in .org.
A cybercriminal had registered a similar domain name to the not-for-profit and used it to email the donor. Through this deception, they were able to redirect the funds.
Over $20,000 of valuable funding was sent to the cybercriminal.
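As an added example (not code from the ASD page or from any charity it describes), the kind of sender-domain check a finance team could run over the From: header of a payment or bank-detail change request before acting on it. It covers the two deceptions described above: a lookalike domain with a different suffix (the .org versus .org.au case) and a near-miss spelling of a known domain. The allow-list of known domains, the suffix table and the sample headers are constructed placeholders; a real deployment would use a maintained public-suffix list and the organisation's own allow-list.

```python
"""Flag lookalike sender domains on payment-related emails.

Added example, not from the ASD page. Assumes the charity keeps an
allow-list of exact domains its known donors and suppliers send from.
"""
import email.utils
from dataclasses import dataclass

# Constructed allow-list of legitimate sender domains (placeholders).
KNOWN_DOMAINS = {"example-charity.org.au", "donor-corp.com.au"}

# Public suffixes handled here; two-label suffixes listed first (assumption
# for brevity; a real deployment would use the public-suffix list).
SUFFIXES = ("com.au", "org.au", "net.au", "edu.au", "gov.au", "com", "org", "net")

# Constructed From: headers, not real senders.
SAMPLE_FROM_HEADERS = [
    "Grants Team <grants@example-charity.org.au>",   # genuine
    "Grants Team <grants@example-charity.org>",      # wrong suffix, as in the case study
    "Accounts <accounts@examp1e-charity.org.au>",    # digit '1' for letter 'l'
    "Donor Relations <giving@donor-corp.com.au>",    # genuine
    "Invoice <pay@totally-unrelated.net>",           # not on the allow-list at all
]


@dataclass
class Verdict:
    address: str
    domain: str
    verdict: str   # "known", "lookalike-suffix", "lookalike-typo" or "unknown"
    matched: str   # the allow-listed domain it resembles, or ""


def split_domain(domain):
    """'mail.example-charity.org.au' -> ('example-charity', 'org.au')."""
    d = domain.lower().strip()
    for suf in SUFFIXES:
        if d.endswith("." + suf):
            label = d[: -len(suf) - 1]
            return label.rsplit(".", 1)[-1], suf   # drop any subdomain labels
    return d.rsplit(".", 1)[-1], ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, known=KNOWN_DOMAINS):
    """Classify the sender domain of one From: header against the allow-list."""
    _, addr = email.utils.parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return Verdict(addr, "", "unknown", "")
    known = sorted(known)
    # 1. Exact allow-listed domain, or a subdomain of one.
    for k in known:
        if domain == k or domain.endswith("." + k):
            return Verdict(addr, domain, "known", k)
    org, suffix = split_domain(domain)
    # 2. Same organisation label, different suffix (.org instead of .org.au).
    for k in known:
        k_org, k_suffix = split_domain(k)
        if org == k_org and suffix != k_suffix:
            return Verdict(addr, domain, "lookalike-suffix", k)
    # 3. Organisation label within a small edit distance of a known one.
    for k in known:
        k_org, _ = split_domain(k)
        limit = 1 if len(k_org) < 8 else 2
        if edit_distance(org, k_org) <= limit:
            return Verdict(addr, domain, "lookalike-typo", k)
    return Verdict(addr, domain, "unknown", "")


def triage(headers=SAMPLE_FROM_HEADERS):
    """Run the check over a batch of headers; anything not 'known' needs out-of-band verification."""
    return [check_sender(h) for h in headers]


if __name__ == "__main__":
    for v in triage():
        print(f"{v.verdict:17} {v.domain:28} resembles: {v.matched or '-'}")
```

The check is an aid to the verification step the page already recommends, not a replacement for it: a "known" verdict only means the address matches the allow-list, so a compromised genuine account (the first case study) still passes, and the phone or face-to-face confirmation of any bank-detail change remains the control that catches it.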
Staff members from a youth charity noticed that they were unable to access the shared folder that stored all their data.
They tried to log on to the main PC where the shared folder was set up, but found that someone had changed the password. They could not log in.
When checking their USB backup drives, they found their files encrypted with ransomware.
Their IT provider was able to restore their files from an earlier backup that was off-site. After the attack, the charity decided to add extra backup drives to their off-site rotation. This meant they could do more frequent backups and lose less data in an incident.
To protect against future cyber security attacks, the charity took extra precautions. They changed all passwords for their computer, email, and social media accounts, and also enabled encrypted end-to-end VPN connections.