The first ransomware attack took place in 1989, when victims were forced to post cash to get their data back. Fast-forward to the first half of 2021 and ransomware attacks were up 151% compared with the same period in 2020, according to data from the Atlas VPN team.
With ransomware on the rise, and to mark Charity Fraud Awareness Week, the Fraud Advisory Panel and the Charity Commission have collaborated to create the Preventing Charity Fraud website, which hosts a range of helpful content.
This includes a webinar called Ransomware and other cyber attacks, which brought together four speakers involved in the charity and not-for-profit sectors to raise awareness and, in particular, to share good practice in tackling fraud and financial crime.
The four guest speakers in the webinar were Dr Stephen Hill, Special Advisor, Fraud Advisory Panel and Managing Director, Hill Bingham Ltd; Becca K, Charity Sector Engagement Lead for the National Cyber Security Centre (NCSC); Gerry Crow, Director of Operations and Support, Mary Stevens Hospice; and Chris Hall, Head of Marketing, Charity Digital.
What is ransomware?
“A ransomware attack is when a cyber-criminal has managed to get into your system in some way, and encrypt it, either some or all of the other things that are online in your system,” said Becca. “And then, once they've done that, they'll demand a ransom so that you can get access back into your system.”
Becca explained that the attacker deliberately disrupts the way the charity functions, so that the victim is desperate to get back online, and then asks for money. In that desperation, most organisations will try to pay the ransom. So then, of course, ‘they've got their money, and they've won and they're off to the next victim, unfortunately’.
Never too small to be targeted
Crow recalls his experience of Mary Stevens Hospice being hacked, and how he was ‘very wrong’ to think the hospice was too small and insignificant to be at risk of hacking.
On the day Mary Stevens Hospice was hacked, the attack began with a phishing email disguised as a Microsoft prompt to update a password. The employee entered their credentials and thought nothing more of it. They were only alerted to the compromise after receiving multiple emails and calls from people in their contact list asking about an email that had been sent from their address. After assessing the damage and the possible ramifications of a GDPR breach, Crow became very worried and spoke to the leadership team.
“Initially their thoughts were, ‘let's keep it in-house’,” Crow said. “But inside I was very worried. So, I then phoned the Information Commissioner's Office (ICO). I went through first of all as an anonymous phone call. And I spoke to them and told them what happened. They didn't push me for my details. They were quite understanding and talking really calmly. And the operator I was speaking to said, ‘ask yourself two questions: number one, why wouldn't you report it? And number two, what's going to happen to you if someone else reports it?’.”
What happens when you report to the ICO?
Crow then took that message back to the senior leadership team, and even though not everybody agreed, they decided they had to go official. He phoned the Information Commissioner's Office back and told them officially who he was, where he was phoning from and what had happened.
“And they were absolutely fantastic,” added Crow. “They gave us lots and lots of advice, told us what we should do to limit the actual effects of what had happened. And at the time, I know there were lots of rumours that the ICO were horrors if you reported it and they'd come after you. We didn't have that experience at all; they were really, really very helpful.”
When Crow looked at the situation, there was the potential that the hacker had had access to up to 35,000 donor records, in many cases including credit and debit card details. Putting things right cost the charity about £15,000, ‘which is a lot of money for a charity’.
However, had they not reported it, someone else had reported it to the ICO, and the charity had been found to be covering it up, the fines available under GDPR could have cost them up to a quarter of a million pounds.
Crow concluded: “We know we made mistakes. We've learned from our mistakes. And we're very keen to advertise those mistakes to other charities. Because we're all in it together. We're all here to help each other out. And actually, if we can all battle the hackers, we've got a much better chance of beating them. We lost some money, we lost a bit of reputation, but a lot of good came from it.”
Advice for businesses to protect themselves
The NCSC highlighted three actions it considers the most effective in reducing the chances of an organisation becoming a victim of a cyber attack:
- keep offline backups;
- check the remote desktop protocol (RDP) settings and put strong passwords in place; and
- reduce exposed vulnerabilities using the NCSC Early Warning service, and make sure everything is patched as soon as possible.
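The second action above is the one most charities can check in minutes. The PowerShell script below is an added example written for this page; it is not code from the webinar, the NCSC or any of the speakers. It audits the RDP-related settings on a Windows host that ransomware operators most often abuse (RDP exposed to any address, Network Level Authentication off, no account lockout against password guessing) and prints the corrective command for each weak setting it finds. The registry paths and firewall rule group are standard Windows locations; the management subnet `10.0.0.0/24` in the suggested fix is an assumed placeholder.

```powershell
# Added example for this page (not NCSC or webinar code): audit RDP hardening
# on the local Windows host and print findings with a suggested fix.
# Run from an elevated PowerShell prompt; it changes nothing by itself.

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$deny = Get-RegValue $ts 'fDenyTSConnections'
if ($deny -eq 0) {
    $findings.Add("RDP is enabled. If this host does not need it: Set-ItemProperty -Path '$ts' -Name fDenyTSConnections -Value 1")
}

# 2. Network Level Authentication: UserAuthentication = 1 forces the client to
#    authenticate before a session (and its attack surface) is created.
$nla = Get-RegValue $rdp 'UserAuthentication'
if ($nla -ne 1) {
    $findings.Add("NLA is not required. Fix: Set-ItemProperty -Path '$rdp' -Name UserAuthentication -Value 1")
}

# 3. Security layer: 2 = TLS, 0 = legacy RDP security layer (no server identity check).
$sec = Get-RegValue $rdp 'SecurityLayer'
if ($null -eq $sec -or $sec -lt 2) {
    $findings.Add("RDP security layer is not TLS. Fix: Set-ItemProperty -Path '$rdp' -Name SecurityLayer -Value 2")
}

# 4. Firewall: any enabled Remote Desktop rule that accepts connections from 'Any'
#    address exposes 3389 to the whole network (or the internet, if port-forwarded).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            # 10.0.0.0/24 is an assumed placeholder for the admin/management subnet.
            $findings.Add("Firewall rule '$($_.DisplayName)' allows RDP from any address. Fix: Set-NetFirewallRule -DisplayName '$($_.DisplayName)' -RemoteAddress 10.0.0.0/24")
        }
    }

# 5. Password policy: strong passwords and lockout blunt the brute-force and
#    password-spray attacks that precede most RDP-based ransomware intrusions.
$accounts = net accounts
$lockout  = ($accounts | Select-String 'Lockout threshold').ToString()
$minLen   = ($accounts | Select-String 'Minimum password length').ToString()
if ($lockout -match 'Never') {
    $findings.Add('Account lockout is disabled. Fix: net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30')
}
if ($minLen -match '(\d+)\s*$' -and [int]$Matches[1] -lt 12) {
    $findings.Add("Minimum password length is $($Matches[1]). Fix: net accounts /minpwlen:12")
}

# Report
if ($findings.Count -eq 0) {
    Write-Host 'RDP audit: no weak settings found.'
} else {
    Write-Host "RDP audit: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

The script only reads settings and prints the `Set-ItemProperty`, `Set-NetFirewallRule` and `net accounts` commands that would correct each finding, so it can be run safely across a small estate before any change is agreed. Restricting the firewall rule to a management subnet is the single change that most reduces exposure; better still, when nobody needs RDP from outside the office, disable it and reach the host through a VPN instead.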
Visit ICAEW's Cybercrime Week hub for a series of webinars, videos, a podcast and other resources.
Cybercrime Awareness Month 2022
ICAEW marks the global Cyber Security Awareness Month with a series of webinars, videos, a podcast, a panel discussion and other resources addressing cybercrime and how to protect your business. We will focus on the latest trends as well as supply chain risks and concerns.