A cyber case study from Ecclesiastical
Cyber attacks are a common risk and any organisation, regardless of size or complexity, could be a target.
While it is tempting to think it will happen to someone else, research shows that regardless of the size and complexity of your organisation, anyone can be targeted.
In July 2019, a charity in Manchester became the victim of an email/bank scam where payment of almost £100k was transferred to the incorrect bank account.
The organisation was having an extension built at its centre and had been paying the invoices by BACS transfer for several months. A copy of a valid invoice and a request for change of bank details (on the building company’s letterhead) were received via email.
At this point, the organisation’s finance manager was on holiday and did not respond to the email straight away. Upon their return, they received a call chasing the payment and checking that the bank details had been changed.
The caller gave a plausible-sounding excuse, explaining that the details needed to be changed due to fraudulent activity on the previous account. The finance manager replied that they had already paid the invoice for that period but confirmed they would update the bank details in preparation for the next payment.
When the next valid invoice was received, the funds were transferred to the new account as requested. It wasn’t until the real building contractors began chasing for payment that the scam was revealed. It was a simple mistake but it resulted in a significant cost to the organisation.
"On finding out that the payment to our building contractors had been fraudulent, I felt sick to my stomach. The loss of these funds would have seriously affected the completion of our building extension. If we needed to find replacement funds this would have taken months, if not years, to secure, which would have had a detrimental effect on our ability to deliver much needed support and services to young people" - The Charity Finance Manager
This type of spear phishing attack is not uncommon: 80% of businesses and 81% of charities reported having received fraudulent e-mails or being directed to fraudulent websites in the last 12 months [1]. It is therefore important that organisations ensure they have appropriate insurance cover in place to protect them from a range of cyber-attack scenarios and their consequences.
Prevention is protection
Organisations need to take measures to protect their systems and prevent or limit the impact of cyber crime. As cyber crime evolves, these types of attack (and the subsequent claims) are likely to increase. Basic cyber security measures include:
- Implementing training to ensure staff and volunteers are able to recognise and respond to threats.
- Updating antivirus software and other software programmes to ensure that they include the latest patches.
- Using strong passwords and encryption to protect data.
- Backing up data to a safe and secure location on a regular basis.
Find more detail about how to protect your data and organisation from cyber crime by contacting us: firstname.lastname@example.org