The British government issued a cybersecurity alert to charities today warning of a spike in reported cases of mandate fraud in which scammers impersonate employees.
A spokesperson for the Charity Commission said: “We have received several reports from charities who have been targeted by fraudsters impersonating members of staff, specifically attempting to change employees’ bank details.”
All the requests to change employee bank details were made via email. The Charity Commission urged all of the nation’s charities to be on the lookout for similar requests to their HR department, finance department or staff with the authority to update employee bank details.
Such fake emails may be sent from spoofed email addresses that closely mimic the real email address of the member of staff being impersonated.
“With a strong social engineering element, the fraudster often states that they have changed their bank details or opened a new bank account,” said a Charity Commission spokesperson.
Charities are advised not to open any attachments or click on any links contained within unexpected or unusual emails and to take action to verify the validity of any emails requesting changes to an employee’s details.
“Check email addresses and telephone numbers when changes are requested. If in doubt, request clarification from an alternatively sourced email address or phone number,” said a Charity Commission spokesperson.
To help reduce the likelihood of becoming a target for fraudsters, the Charity Commission advised charities to think twice about how they handle sensitive information.
“Sensitive information you post publicly, or dispose of incorrectly, can be used by fraudsters to perpetrate fraud against you. The more information they have about your charity and employees, the more convincingly they can appear to be one of your legitimate employees,” said a Charity Commission spokesperson.
A tip given by the Commission was to always shred confidential documents before throwing them away.
The government's Cyber Security Breaches Survey 2019 revealed that over two thirds of high-income charities had recorded a cyber breach or attack in 2018. Of those charities affected, the vast majority (over 80%) had experienced a phishing attack.
Charities that have been targeted by mandate fraud are advised to report the incident to Action Fraud.