Types of Social Engineering: Charity Awareness as Best Defence


Cybercriminals aren’t just targeting systems; they’re targeting people. Social engineering is a form of cyber-attack in which threat actors manipulate individuals into handing over sensitive information or performing actions that compromise security. It frequently starts with something that seems harmless: a convincing email, a friendly phone call, or a message that feels familiar. But behind that friendly façade is someone with malicious intent.

In this blog, we’ll break down the most common types of social engineering attacks that charities are facing today. More importantly, we’ll show you how to recognise them, how they work, and what you can do to stop them in their tracks.

Whether you’re a CEO, fundraiser, or operations lead, understanding these risks is a vital step in defending your organisation, your data, and the trust of your supporters.

What is Social Engineering?
When the Human Factor Could Be Your Biggest Vulnerability

While most charities are aware of the need to protect their IT systems and software, far fewer recognise that the biggest cyber risk might be sitting right at the desk. Social engineering is a psychological manipulation tactic used by cybercriminals to exploit human nature (curiosity, trust, urgency, and even fear) to trick individuals into giving away confidential information or performing actions that weaken security protocols.

Unlike a brute-force cyber-attack that targets your IT infrastructure, social engineering goes after individuals. It’s also often referred to as “human hacking” because it relies on influencing, manipulating, or deceiving someone into doing something they otherwise wouldn’t. And for busy charity professionals who wear multiple hats and juggle competing priorities, this can be a real challenge to recognise.

Why do cybercriminals favour this approach?

Because it works! Social engineers are skilled in deceiving individuals, whether that’s through an urgent email impersonating the CEO, a text that looks like it came from a supplier, or a phone call from someone pretending to be your IT support team. The goal is often to steal login credentials, gain access to donor databases, intercept payments, or download malware that compromises your systems.

Social Engineering Example and Statistics

Here’s an example of how this could happen: a finance officer at a small charity receives a convincing email from what looks like the CEO, urgently requesting a payment to a new supplier. Under pressure and keen to respond quickly, they make the transfer, only to discover later that the email was spoofed. The funds are gone, and the charity is left to clean up the mess, both financially and reputationally.

And this isn’t rare. According to the Cyber Security Breaches Survey 2024, conducted in winter 2023/24, around 32% of charities reported experiencing a cyber security breach or attack in the previous 12 months. That figure rises to 50% for businesses, clear evidence that cyber threats are not just a corporate concern.

In the next section, we’ll explore the different types of social engineering fraud you need to know about and how to stay ahead of them.

Understanding the Different Types of Social Engineering

Understanding how social engineering works, along with identifying its different forms, is your best chance to protect your organisation from an attack.

Let’s explore some common types of social engineering:

  1. Phishing
  2. Whaling
  3. Baiting
  4. Pretexting
  5. Tailgating
  6. Quid pro quo
  7. Scareware
  8. Pharming

1. Phishing

Phishing is a type of social engineering attack that relies heavily on deception, usually in the form of emails or direct messages. Attackers might impersonate a major donor, a grant-making body, or even a senior staff member to request funds, personal data, or login credentials.

These messages aim to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to fraudulent accounts, or taking other damaging actions. Read our guide on how to stop phishing emails for practical steps on spotting and avoiding these attacks.

Spear phishing

A more targeted variant of phishing, a spear phishing attack, involves tailored messages aimed at a specific individual or charity. Attackers do extensive research on their target to produce highly convincing communications. They might reference real projects or names to appear realistic, significantly increasing the likelihood of success.

Vishing (Voice Phishing)

Vishing, sometimes called cyber vishing, is phishing conducted via telephone or VoIP. For instance, a fraudster may call a charity’s finance manager pretending to be from a bank, urgently claiming that suspicious activity has been detected on the company’s bank account. The manager, feeling the pressure, provides sensitive financial information or login credentials, mistakenly handing over access to attackers.

Smishing (SMS Phishing)

Smishing is a phishing scam conducted via text messages. An attacker sends a compelling text message pretending to be from your charity’s bank, reporting unusual account activity. They provide a malicious link, urging the recipient to “verify their identity.” Clicking that link could result in stolen credentials or installing malware that infects your mobile device.

Angler phishing

Angler phishing attacks are performed through social media platforms using fake corporate accounts. Cybercriminals pose as customer support or a legitimate charity, interacting with unsuspecting users who reach out for help or support. Given how often charities use social media to engage with donors and supporters, these attacks can seriously harm your credibility and security.

2. Whaling

Whaling, also known as CEO fraud or executive phishing, is an advanced form of spear phishing specifically targeting senior executives or trustees. It often also exploits their authority to influence lower-level staff. For this type of cyber attack, cyber criminals often use sophisticated tactics and extensive research into the targeted person to create convincing messages.

Example of Whaling

Let’s say a senior employee at a charity, like a Director of Development, has been identified by an attacker. This “whale” has a lot of access to donors’ personal details and financial accounts.

The attacker might start by researching the director’s social media. They see a post about a recent fundraising trip to Africa and another about a successful food drive from the previous year. They combine these details to craft an email that seems to come from a colleague.

Because the email mentions specific, factual details that only a colleague would likely know, the director might not be suspicious.

Once trust is established, the attacker can use a sense of urgency to make their move. For example, they might reply to the director’s response: “So glad you’re back! Listen, I’m working from my phone on the train and having trouble logging into the donor database. Could you send me the password for the account we use for new pledges?”

Believing the request is legitimate, the director might send over the information, giving the attacker exactly what they need to access sensitive data and potentially steal funds.

3. Baiting

Baiting is another form of social engineering that involves tempting someone to engage with something harmful by leaving attractive bait, whether physical (like an infected USB stick labelled ‘Fundraising Ideas’) or digital (like a tempting downloadable resource on charity governance). Staff, volunteers, or even trustees might unknowingly fall into the trap, driven by curiosity or altruism.

4. Pretexting

This social engineering tactic uses fabricated scenarios, or pretexts, to trick victims into sharing sensitive information. An attacker pretending to be an auditor might call your charity’s receptionist, explaining that they urgently need financial data to complete an audit. By establishing a credible and persuasive story, they convince the employee to share confidential information.

5. Tailgating

Tailgating is a type of social engineering that occurs when a fraudster physically follows someone authorised into secure premises, like your charity’s office or data storage rooms, bypassing security measures. By manipulating natural politeness, such as holding a door open for a stranger, they gain unauthorised physical access, potentially enabling data theft or other damaging activities.

6. Quid pro quo

In quid pro quo attacks, cybercriminals offer something appealing, like free tech support, software upgrades, or even charity discounts, in exchange for information or access. For instance, an attacker pretending to represent your software provider might offer a complimentary “system audit,” asking staff for login details to initiate the process.

7. Scareware

Scareware is a type of malicious software designed to frighten individuals into taking harmful actions. It frequently appears as alarming pop-up ads claiming a security threat or urgent update. When charity employees panic-click these links, their devices or networks can become infected with malware.

8. Pharming

Pharming is an advanced online fraud tactic that uses malicious code to redirect website traffic from legitimate charity pages to fake sites. Attackers exploit weaknesses in the domain name system (DNS) to hijack users’ visits without them realising, stealing sensitive data such as login credentials and donor payment information.

Awareness is Your Best Defence: Actionable Steps to Protect Your Charity

Cybercriminals are very aware that charities store a treasure trove of valuable data, from donor details to sensitive beneficiary information. Unfortunately, many charities, particularly smaller ones, lack the resources to invest heavily in sophisticated cybersecurity infrastructure. While budget constraints can be a real challenge, one of the most effective solutions is to educate and train your team about cybersecurity threats and defences. And it might not even be that expensive.

Here are actionable strategies your charity can implement right now to reinforce your defences against social engineering scams:

Implement Regular, Comprehensive Training

Awareness is critical in combating cyber threats. Effective security awareness training enables staff and volunteers to recognise social engineering techniques and respond appropriately to potential threats.

Some useful training methods include:

  1. simulated phishing tests
  2. interactive workshops
  3. scenario-based learning

Develop a “Never Trust, Always Verify” Culture

Encourage everyone in your organisation, from trustees to volunteers, to adopt a mindset of healthy scepticism towards unsolicited or unexpected requests, regardless of how authentic they might appear. Training staff to question and verify communications before responding can significantly reduce your vulnerability.

Strengthen Technical Controls

Technical solutions also play a vital role. Some important measures include:

  1. Implementing robust spam filters and secure email gateways.
  2. Establishing strong password policies to minimise vulnerabilities.
  3. Enabling Multi-Factor Authentication for additional security layers.
  4. Creating stringent verification protocols for handling sensitive requests.
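
The spoofed-CEO payment request from the example earlier, and the “never trust, always verify” checks a secure email gateway or mail rule can apply to it, as an added illustration that is not part of the original post. The charity domain, executive name, keyword list and sample message are all constructed for the example; a real gateway would combine such heuristics with sender authentication rather than rely on them alone.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed values: the charity's own domain and the executives whose names an
# attacker might borrow for a CEO-fraud email (hypothetical, not from the article).
ORG_DOMAIN = "examplecharity.org"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "new supplier", "wire", "transfer", "password")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (one or two characters off)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. A known executive's display name on an address that is not the charity's own.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        findings.append("executive display name on an external address")
    # 2. Lookalike domain: close to ours but not identical.
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike sender domain: " + from_domain)
    # 3. Replies steered to a different domain than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")
    # 4. Urgency and payment language typical of the finance-officer scenario.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings

# Constructed sample message resembling the spoofed-CEO payment request described above.
SAMPLE = """From: Jane Doe <jane.doe@examp1echarity.org>
Reply-To: ceo.desk@webmail.example
Subject: Urgent payment to new supplier
Content-Type: text/plain

Please transfer the deposit immediately, I am in meetings all day.
"""
```

Any non-empty result is a signal to route the message for the out-of-band verification step the policy section below describes, not a verdict on its own.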

Implement Internal Policies

Clear internal cybersecurity policies are crucial. Documented policies help ensure consistent, safe practices across your organisation. Some steps include:

  1. Drafting a comprehensive Cybersecurity Policy.
  2. Establishing clear processes for managing financial requests, especially wire transfers.
  3. Regularly updating and enforcing your Bring Your Own Device (BYOD) policies.

Consider Cyber Insurance

Cyber insurance provides an extra safety net, helping charities mitigate financial and reputational losses following a cyber incident.

Conduct Regular Cyber Security Audits

Performing consistent cybersecurity audits helps identify vulnerabilities before attackers can exploit them. These audits also help ensure your charity remains compliant with essential data protection regulations.

Consider Managed Cybersecurity for Your Charity

Managed cybersecurity services offer a proactive, cost-effective way to maintain strong cybersecurity standards without the need for significant internal resources. Partnering with a reliable IT support provider ensures your security remains up-to-date, efficient, and effective.

Closing Thoughts

Social engineering is a sophisticated and growing threat that preys directly on human error and human vulnerabilities, exploiting trust, curiosity, and urgency. And when the weakest link in the security chain is human, building awareness and education becomes your greatest defence.

For nonprofits, the risk is particularly high. With limited IT resources, a focus on mission over cybersecurity, and a wealth of valuable data, from donor records to financial details, charities have become a key target.

Knowing and understanding the various types of social engineering attacks, from phishing and vishing to tailgating and scareware, is fundamental.

To further reinforce your cyber security measures, consider partnering with a trusted IT provider who understands the unique needs of charities.

Rae Dawson

Marketing

About the Author

Rae supports marketing activities, including creating content, managing social media, coordinating campaigns, and assisting with research and administrative tasks.
