Gone phishing: how charities can spot email scams a mile off

We share some important tips for charities to avoid falling victim to potentially devastating and convincing email fraud.

Paul Rubens | 9th Oct 19

One in five charities were targeted by online criminals in the last year, according to government figures.

Fraudsters specifically target charities, according to Professor Mark Button, a counter-fraud expert at the University of Plymouth, because staff and volunteers often receive less online security training than employees in for-profit organisations. In the overwhelming majority of cases, criminals attempt to defraud charities using a technique known as phishing.

What is phishing? It involves scammers sending out fraudulent emails, often purporting to be from reputable companies or individuals, or setting up fake websites which are designed to look like genuine ones.



A typical phishing email – which could be sent out to millions of email addresses – may appear to come from a bank, warning the recipient that their account has been “suspended” for security reasons, and that the account has to be “verified”. To do this they are encouraged to click on a link, which goes to a fake version of the bank’s web site.

If the recipient enters their account username and password, the criminals will then be able to use those credentials at the genuine bank site to steal the victim’s money. Clicking on the link may also trigger a virus or other malware to be installed on the victim’s computer, enabling the criminals to steal credit card information, passwords to more accounts, or other valuable information.




Spearphishing is a more sinister variant of phishing. In a spearphishing attack the criminals target a specific individual, and the fraudulent email will be tailored to that person.

For example, a spearphishing email may be sent to the finance director of an organisation, and purport to come from the chief executive using his or her name. The email may say that an urgent payment needs to be made to a specific account within the hour, and may be timed to coincide with the chief executive’s holiday to make it hard for the finance director to check that the email is genuine.

The Charity Commission recently warned of scammers sending ‘requests to your finance department or staff with authority to transfer funds’ which claim to be from a charity’s CEO but are actually from a spoofed email address.



How charities can stay safe

The results of a phishing attack can be catastrophic, but here are some tips to help spot fraudulent emails and websites and avoid becoming a victim:

  • Be very wary of any email that says that “your account has been compromised” and never “verify your account” or update your login details to any account via links in the email. No reputable organisation will ask you to click on a link in an email and then enter username and password details.
  • Look at the sender’s email address, not just the sender’s name. An email from a bank will not come from an address like “bank.security@gmail.com”.
  • Never click on any email link to get to a business website. It is much safer to type in the web address of a bank or other business into your browser to ensure that you end up at the genuine web site.
  • Be very wary of any email which tries to convey a sense of urgency, especially if it involves transferring money – perhaps because an invoice is “overdue” and must be paid immediately.
  • Never use the contact details contained in an email to verify the contents of the email, because these may also be fraudulent.
  • Verify that any financial institution’s website is genuine by clicking on the green lock icon in the browser’s address bar and checking that it belongs to the institution concerned.
  • Phishing emails are often sent out to millions of people, and are therefore addressed in vague terms to “Dear valued customer” or “Dear Sir or Madam”. English is not the first language of many fraudsters, so be particularly wary of emails which contain poor spelling or grammar, or unusual turns of phrase.
  • Never open an email attachment unless you are sure that it is genuine. Clicking on an attachment called “invoice.doc” from an unknown source could result in a dangerous virus infection.
  • Minimise the amount of professional information you publish about yourself on the internet, as this makes launching a spearphishing attack against you easier.
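
For charities whose IT staff or volunteers want to automate a first pass over reported emails, several of the checks above (sender address, urgency, vague greeting, link destination) can be scripted. The following is an added example, not part of the original article; the keyword lists, the free-mail list, the `bank.example` trusted domain and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: short sample lists, not exhaustive.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENT = re.compile(
    r"\b(urgent|immediately|overdue|within the hour|suspended|verify your account)\b", re.I)
GENERIC = re.compile(r"dear (valued customer|sir or madam)", re.I)
HREF = re.compile(r'href="https?://([^/"]+)', re.I)

def is_trusted(host, trusted_domains):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def phishing_flags(raw, trusted_domains):
    """Return a list of warning flags for one raw email (hypothetical helper)."""
    msg = message_from_string(raw)
    # Check the real address, not the display name shown in the mail client.
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    flags = []
    if domain in FREE_MAIL:
        flags.append("freemail_sender")
    elif not is_trusted(domain, trusted_domains):
        flags.append("unknown_sender_domain")
    if URGENT.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency")
    if GENERIC.search(body):
        flags.append("generic_greeting")
    for host in HREF.findall(body):
        if not is_trusted(host.lower(), trusted_domains):
            flags.append("untrusted_link:" + host.lower())
    return flags

# Constructed sample messages (not real emails).
PHISH = """\
From: "Your Bank Security" <bank.security@gmail.com>
Subject: Account suspended

Dear valued customer,
Your account has been suspended. Verify your account immediately:
<a href="http://bank-login.example.net/verify">Log in</a>
"""
LEGIT = """\
From: "Example Bank" <statements@bank.example>
Subject: Your monthly statement

Dear Ms Patel,
Your statement is ready at <a href="https://www.bank.example/">our site</a>.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_flags(raw, {"bank.example"}))
```

An empty list does not prove an email is genuine; a tailored spearphishing message can pass all four checks, so payment requests still need confirming through contact details obtained independently of the email.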