
19th October 2021

Cyber fraud and cyber crime in the charity sector

Figures from the Department for Digital, Culture, Media and Sport (DCMS) indicate that more than a quarter of charities suffered cyber attacks or cyber security breaches last year.

The Cyber Security Breaches Survey 2021, published by DCMS, found that 26% of almost 500 voluntary sector organisations surveyed had reported cyber fraud over the previous year. The report shows that while charities generally compare favourably with private sector businesses – 39% of which said they had suffered cyber security breaches or attacks – the number rises to 51% among charities with annual incomes of £500,000 or more. A quarter of those organisations that had suffered attacks said they had to deal with them on a weekly basis.

The survey, which took place between October 2020 and January 2021, found that the most common type of cyber attack for charities was phishing, identified by 79% of respondents. Phishing often involves trying to con recipients into giving away personal details or passwords. This was followed some way behind by impersonation attacks, suffered by 23% of respondents, where emails are sent out impersonating the charity. Among the charities that identified breaches or attacks, the survey found that 18% ended up losing money, data or other assets.

And even if money, data, or assets were not lost, 4 in 10 charities were still negatively affected for reasons such as requiring new, post-breach measures or having staff time diverted to deal with the problem, the report found – a reputational risk for any charity.

The fallout of such attacks was highlighted last year when more than 100 UK charities reported being caught up in the Blackbaud cyber attack, which targeted commonly used financial software.

While the DCMS report makes it clear that cyber security is still a major issue for many charities, the proportions reporting negative effects of breaches or attacks in 2021 are significantly lower than in previous years. This is not because attacks are any less frequent, the report says, but it could be due to more organisations implementing basic cyber security measures following the introduction of the General Data Protection Regulation (GDPR) in 2018.

Cyber security is also higher on the agenda of trustees, researchers found; 68% of charities said it was a high priority for them, compared with 53% who said the same in a previous study in 2018.

Charities are bigger cyber attack targets than they realise

Many charities, especially the smaller ones, fail to realise the value of the data they possess, according to a report by the National Cyber Security Centre (NCSC). Unfortunately, cyber criminals do realise the value of this data, making charities vulnerable targets for cyber attacks.

While the average person may find it unconscionable to steal from a charity, a number of perpetrators besides the typical cyber criminal are looking for some financial gain. These may include:

  • Suppliers and third parties – it’s common for charities to outsource the responsibilities of running, maintaining, and securing their data.
  • Terrorists – terrorist groups are likely to deface websites and publish victims’ personal details online, which is a process known as doxing.
  • Nation states – nation states use cyber crime to further their agendas.
  • Insiders – one of the biggest threats; disgruntled staff with access to their employer’s data may commit cyber crimes for money or simply for revenge.
  • Hacktivists – hackers will target charities if they disagree with the charity’s purpose or are motivated by a specific cause.

In order to prevent cyber-criminals from accessing your charity’s valuable data, the NCSC Small Charity Guide recommends taking these precautions:

  • Back up your data and protect it with strong passwords
  • Protect your organisation from malware
  • Keep your smartphones and tablets safe.

Simple advice and a sobering but easy way to protect against cyber threats

Here is an example of how small differences in passwords can make a huge difference to would-be cyber attackers.

Password | Time to crack
charity | 22 milliseconds
Charity | 18 hours, 58 minutes, 27 seconds
Charity1 | 5 months, 2 weeks, 3 days
CharityNo1 | 1 millennium, 7 centuries, 6 decades

How ESA Risk can help charities become cyber-secure

At ESA Risk, our Cyber Security consultants have years of experience in the industry that equip them to protect your confidential data and your money from cyber criminals. Get in touch with us at, on +44 (0)843 515 8686 or via our contact form, to find out how we can help make your charity cyber-secure.

This article was published as part of Charity Fraud Awareness Week 2021.
