3 cyber threats facing charities today

15 August 2025

Charities are targeted by cyber attacks just as much as businesses: 40% of businesses and 30% of charities reported having experienced a breach or attack in the last 12 months (Cyber Security Breaches Survey 2025, NCSC).

Charities often make attractive targets because of the personal and sensitive data they hold, as well as their perceived weaker security. A small number of common attack types account for a large percentage of cyber insurance claims and present a clear risk to charities.

Social engineering attacks

Social engineering is an umbrella term for a number of tactics used to manipulate people into giving access to systems, sharing confidential information or redirecting payments.

Criminals use common methods such as:

  • Phishing emails – prompting staff or volunteers to click malicious links or files;
  • Phone scams – pretending to be recognised suppliers or partners; and,
  • Other impersonation attacks where they may pretend to be senior staff or partners asking for urgent actions to be taken.

To combat these types of attack, a strong culture of security and education is needed to ensure all staff, volunteers, beneficiaries and system users are using strong password management and multi-factor authentication across the systems they have access to. It is also vital for people to have a basic understanding of what to look for in a suspicious email or call and how to report it.

Setting up proper access control will reduce the risk of bad actors gaining access, because a compromised account only has the permissions that user needs, not everything. Good cyber-security software will also detect suspicious activity and attacks, automatically blocking access and alerting the administrator. This setup also reduces the risk from bad actors or simple human error within the organisation.

Strong due diligence and verification processes will help mitigate against any payment diversions, scams or fraud.

Insider threats

Sometimes overlooked, an insider threat is a risk posed by individuals within the organisation rather than by an external attacker. Sometimes this is a secondary risk resulting from a social engineering attack, but at other times it is a separate risk, whether malicious or unintentional, posed by those inside the charity.

In recent years, remote working and the increase in social engineering attacks have given rise to this threat. Examples include:

  • A volunteer downloads donor records to a personal device and then the device is lost or compromised.
  • A former employee retains access to the CRM after leaving.
  • A staff member unknowingly clicks a phishing link, giving attackers access through their account.
  • A staff member accidentally copies a confidential report to a publicly shared folder.
  • A trustee manipulates payment processes or systems to divert charity funds into an account not owned by the charity.

To mitigate against these threats, a similar approach is needed: strong access control management and staff/volunteer training on how to handle data and use the systems securely. Offboarding procedures should be built into access control, so that access is removed promptly when someone leaves, and senior leaders should encourage people to report things that don’t seem right.

Supply chain attacks

Charities, like businesses, will often use third-party tools and vendors to manage services such as payments, CRMs, cloud storage or web hosting. This gives rise to its own risk – attackers increasingly exploit vendors and suppliers to steal data and potentially gain access to multiple other organisations’ data.

Although limits can be placed on the access granted to third parties, you will have limited control or visibility over the cyber security practices of your suppliers, making it harder to detect weaknesses in the chain.

Some potential examples of this happening include:

  • A cloud-based donor database provider is breached, exposing the personal information of thousands of supporters.
  • A software update from a trusted IT vendor includes hidden malware injected by attackers.
  • A web developer uses outdated plugins, creating vulnerabilities on a charity’s donation page.

Managing this risk is partly down to due diligence and building trusted relationships with suppliers – it is wise to seek information about their data protection and security procedures. Defining in contracts, and regularly reviewing, who is responsible for data breaches and data handling is a vital step to being prepared should a cyber incident occur.

Insuring cyber risks

While many cyber threats can be effectively mitigated through staff training, strong access controls, and keeping systems up to date, the frequency and sophistication of attacks continue to grow. As the potential financial and reputational damage increases, cyber insurance is also evolving to address the changing risk faced by charities.

Upcoming Webinar: Cyber Risk Simplified

Access Insurance will be breaking down the top cyber concerns for charities in their upcoming webinar on 16 September 2025 at 2pm. Tim Larden, Sales & Marketing Director at Access Insurance, unpacks the cyber risks that charities should be ready for, how to manage them with best practices, and what can and can’t be insured with cyber insurance.
