The Charity Commission has issued a warning to charities that they could be at risk from a ransomware attack after the NHS was targeted last week.
Charities are being urged to be vigilant after over 200,000 organisations in 150 countries, including the NHS, were affected by a recent ransomware attack. The regulator has warned that the vulnerabilities exploited by the hackers are the same for charities as they are for individuals.
The Commission said it encourages charities to follow protection advice recently issued by the City of London Police and National Cyber Security Centre.
It has published some key protection messages for charities to follow, including emphasising that organisations should not meet any stated demands or pay a ransom.
The key protection messages are:
- Install system updates on all devices as soon as they become available
- Install anti-virus software on all devices and keep it updated
- Create regular backups of your important/business critical files to a device that is not left connected to your network, as any malware infection could be spread to that too
- Do not meet any stated demands or pay a ransom – this may be requested via Bitcoins (a form of digital or ‘crypto’ currency)
Harvey Grenville, head of investigations and enforcement at the Charity Commission, said: “Charities need to be aware of the imminent danger posed by ransomware threats and take appropriate steps to protect their charity from cyber-attack - a charity’s valuable assets and good reputation can be put at risk from these dangerous scams.
“I urge all charities, if they suspect they may have fallen victim to cyber fraud, to report it immediately to Action Fraud and to the Commission, under its serious incident reporting regime.”
The Commission said that National Cyber Security Centre technical guidance includes specific software patches to use that will prevent uninfected computers on your network from becoming infected with the “WannaCry” ransomware.
It says that additional in-depth technical guidance on how to protect your organisation from ransomware can also be found on the NCSC website.
Be cautious of any unsolicited communications from the NHS
The regulator has also warned that fraudsters may exploit this high-profile incident and use it as part of phishing or “smishing” (SMS phishing) campaigns. It is urging charities to be cautious if they receive any unsolicited communications from the NHS.
It has said that “any email address can be spoofed”, and is telling charities: “Do not open attachments or click on the links within any unsolicited emails you receive, and never respond to emails that ask for personal/charity information or financial details”.
It also warns that the sender’s name and number in a text message can be spoofed, so “even if the message appears to be from an organisation you know of, continue to exercise caution, particularly if the texts are asking you to click on a link or call a number”.
If you think your charity has fallen victim to a cyber-attack, the Charity Commission says you should report it to Action Fraud by calling 0300 123 2040, or visiting www.actionfraud.police.uk.
Trustees are also advised to report suspected or known fraud incidents to the Charity Commission at [email protected].
The regulator says that serious incident reporting helps the Commission to “gauge the volume and impact of incidents within charities and to understand the risks facing the sector as a whole”.