The risk of fraud – especially cyber fraud – is not going away.  

The Department for Digital, Culture, Media and Sport Cyber Security Breaches Survey, published in March 2021, records that one in four charities reported a cybersecurity breach in 2020-21, rising to one in two for higher-income charities.

There are steps that you can take to minimise the risk of cyber fraud (scroll down for more).  But what should you do if you discover fraud, or possible fraud? These are the questions you should consider as soon as possible. And we’d strongly advise you to put the basic framework in place now, so it’s ready when you need it.

1. Who is in charge?

First, convene your internal crisis response team. Include a senior decision-maker, someone who understands the technical side of your operations (e.g. IT manager), someone from your communications team, your Data Protection Officer and in-house counsel (if you have one). You need to ensure that there’s appropriate board involvement – consider who will be responsible for keeping your trustees updated, if they are not directly represented.

2. Who can help?

You may need external advisers to complement your internal team – specialist solicitors or counsel, IT/cyber-forensic investigators, and possibly PR advisers.

3. What happened?

You need to know what happened, whether the cyber attack is still ongoing and how to prevent it happening again. Your investigation should uncover and preserve evidence, and record the findings; the crisis management team will then need to assess the findings and determine next steps, with external advice if required.

If the attack is ongoing, consider immediate actions such as changing passwords, updating settings, and informing colleagues and third parties. If you think the fraudsters may have accessed your emails, don’t use email – talk to people directly.

4. Whom should we tell?

Notify your insurer, report a suspected criminal offence to Action Fraud (the National Fraud and Cyber Crime Reporting centre), and consider your obligations to regulators including the Information Commissioner’s Office and the Charity Commission (you may need to make a serious incident report). You should usually take these steps as soon as reasonably possible – even if your investigation is ongoing.

Consider how you will support anyone who was directly involved, and educate all your staff and volunteers about what to do in case of future attacks or suspicious correspondence.

You need to consider external communications – what you say about what happened and whether you do this proactively or reactively. If personal data has (potentially) been compromised are there specific individuals you need to notify?

5. How much should we spend?

Consider what has actually been lost, the prospects of recovery and the risks of further losses.  This should inform your decisions about proportionate spending on your investigation and associated steps. There can be real value in learning lessons that better protect you against future incidents. Consider the financial implications of the fraud – consult with insolvency specialists if you are worried.

6. Can we get our money back?

As we’ve said above, notify your insurers immediately with a view to claiming for losses if possible.

Consider whether a third party may be liable for your losses, for example, the party responsible for your security systems, or whether the cyber fraud occurred due to the inadequacy of another party’s security systems. Preserve all relevant evidence and consult with your solicitors to see whether you could commence a civil claim that is proportionate and stands a realistic chance of recovering some or all of the funds.

7. How can we stop this happening again?

As well as the steps outlined below, your investigation should result in specific actions that will prevent against recurrence.

How can you prevent cyber fraud?

  • Review or create your data security breaches policy and train your staff to ensure that they are equipped to prevent and manage future cyber fraud, even in unusual working conditions.   Your policies and training should cover the following:
  • Be alert to unusual or urgent requests for money or sensitive information and challenge them. Run unfamiliar requests past colleagues for a common sense check – if your colleague isn’t in the room, call them.
  • Scrutinise email addresses. Never take requests to amend a sort code or account number at face value. Banks will never ask you for PINs, passwords, or payment authorisation codes.
  • Make sure that your normal processes for fraud prevention are reliable even if staff are working from home. These include processes such as dual authorisation and the monitoring of financial transactions, and security basics – such as virus protection, unique user IDs and passwords, and restricting access to online payment systems and other sensitive information.
  • Beware of offers that come out of the blue, do not click links or open emails from senders you don’t already know, and do not give out personal or sensitive information.
  • Above all, stay vigilant and stay calm. Do not respond if you’re feeling panicked or unsure about an unfamiliar communication, even – and especially – if you’re being told to act urgently.

We’ll be exploring how to respond to a crisis in more detail at Spotlight: the annual Bates Wells Conference on 22 November – virtual places are available to book now.  We’ll also be releasing Managing in a crisis, which will be available next month. This guide will include more information about the obligations of the board and how to report a serious incident to the Charity Commission.