In recent weeks we have heard much about the threat to the public and private sectors from COVID-19-related cyber-attacks. Charities face the same threat.

In this guest article, Alan Bryce, Head of Development, Counter Fraud and Cybercrime at the Charity Commission for England & Wales highlights the commission’s work in this area.

In October 2019 the Charity Commission published findings from our research into cybercrime targeted against charities. Although this research pre-dates COVID-19, the prevention lessons that can be drawn remain valid and provide timely insights into how COVID-19 cybercrimes can be tackled.

Changing how charities think about cybercrime is key to making the charity sector more resilient. The starting point is to accept that every charity will, at some point, be targeted. What matters is that charities can demonstrate they have done everything they reasonably can to prevent the cybercrime. This means putting procedures in place to identify and respond appropriately when cybercrime does occur. With the guidance and good practice now available, charities should feel increasingly empowered to play an appropriate, proportionate role in the fight against cybercrime.

Understanding the threat

There is relatively little charity-specific cybercrime research available. That is why last year we undertook, in partnership with the Fraud Advisory Panel, the largest ever charity cybercrime survey in the UK, and potentially worldwide.

We asked a representative sample of 15,000 registered English and Welsh charities to complete a voluntary fraud and cybercrime survey. This achieved an impressive 22% response rate, higher than many similar surveys in the private and public sectors. This reflects the increasing importance that charities now place on tackling cybercrime. For the first time we now have statistically significant, representative findings that inform our understanding of the cybercrime risk faced by charities. The results are generally encouraging.

Perceptions of cybercrime risk

Cybercrime is a relatively new issue. Perhaps unsurprisingly our survey showed that charities’ perception of the threat is still developing:

  • Just over half of charities (58%) think cybercrime is a major risk to the charity sector.
  • Almost a quarter (22%) believe cybercrime is a greater risk to the charity sector than other sectors.
  • In general, large charities are more likely to appreciate the risk of cybercrime.

Analysing charity cyber attacks

  • Phishing and malicious emails are the greatest cyber threat (39%), followed by hacking/extortion (15%).
  • Over a third of charities (36%) don’t know which type of cyber-attacks they’re most vulnerable to.

Reporting by charities remains low, with just less than a third reporting to the police, a quarter to their bank and only 13% to the Charity Commission. Of most concern is that nearly a third did not report to any external body when they’d fallen victim to some form of cyber-attack. Without timely reporting, prevention warnings and other forms of intervention to help protect the wider charity sector will have limited impact.

Encouragingly, two-thirds of charities took action to strengthen their defences after a cyber-attack, principally with revised IT security arrangements and new or updated training.

Find out more

Additional guidance and a range of free online resources are available at:

For practical guidance on how to spot – and stop – coronavirus-related fraud, see our Bates Wells checklist: