Charities play a vital role in communities across the UK. But their unique structures, limited budgets, and high levels of public trust also make them attractive targets for cybercriminals. In 2024, the National Cyber Security Centre reported that more than 30% of charities experienced a cyber attack or data breach. The consequences of these incidents go far beyond financial loss; they can damage reputations, interrupt essential services, and erode donor trust.
In this blog, we explore the top five cybersecurity threats facing charities in 2025 and highlight practical steps you can take to build resilience without over-stretching already tight budgets.
1. Phishing and Social Engineering
Phishing remains the most common attack against charities, often targeting the very thing that drives them: human trust. These attacks typically arrive as convincing emails or messages designed to trick staff into handing over donor information, login credentials, or payment details. In 2024, 83% of phishing attempts targeted financial or donor information, highlighting just how lucrative this avenue is for cybercriminals.
The best defence is layered. Multi-factor authentication should be enforced across all systems, and email filtering tools with advanced link scanning are essential. Just as important is training: staff and volunteers need regular sessions on how to spot suspicious emails and verify unusual requests.
Quick wins for charities:
- Enforce multi-factor authentication (MFA)
- Run regular phishing awareness training
- Invest in advanced email filtering tools
2. Ransomware
Ransomware has become one of the most disruptive threats for charities. Attackers encrypt files and demand payment to restore access, often leaving organisations paralysed. With charities depending on continuous operations and donor goodwill, the stakes are particularly high. In 2024, the average ransom demand stood at £24,000, a figure many not-for-profits simply cannot afford.
Resilience comes from preparation. Charities should maintain encrypted backups that are stored separately from their main systems, ideally offline or immutable. Regular testing of incident response plans ensures teams know exactly what to do in the event of an attack. Combined with strong endpoint protection on every device, these steps significantly reduce the risk of ransomware bringing operations to a halt.
Steps to stay prepared:
- Keep encrypted, offsite backups
- Test your incident response plan regularly
- Deploy endpoint protection across all devices
3. Weak Passwords and Technical Vulnerabilities
Too often, charities rely on outdated systems or re-used passwords, creating easy entry points for attackers. In fact, 62% of all breaches in 2024 were linked to weak credentials or unpatched vulnerabilities. With staff and volunteers often juggling multiple systems, convenience frequently outweighs good security practice.
This is where policy and process make a difference. Strong password requirements and the use of a secure password manager can remove much of the friction for users. Meanwhile, keeping systems patched and up to date closes the door on known exploits. For many charities, working toward Cyber Essentials certification provides a strong baseline and demonstrates commitment to protecting sensitive information.
Where to focus first:
- Introduce a password manager
- Apply patches and updates promptly
- Work towards Cyber Essentials certification
4. Website and Email Spoofing
Donors increasingly interact with charities online, which makes spoofing a particularly damaging threat. Cybercriminals set up fake websites or email accounts that mimic legitimate organisations to divert donations. In 2024, the UK’s National Fraud Intelligence Bureau took down more than 400 fake charity websites.
The solution is both technical and trust-based. Charities should deploy email authentication protocols such as SPF, DKIM, and DMARC to prevent their domains being spoofed. Websites must be secured with HTTPS and use verified donation platforms. At the same time, raising donor awareness is vital—supporters should know how to verify that they are giving safely and securely.
Donor trust checklist:
- Implement SPF, DKIM, and DMARC on all domains
- Use HTTPS across your website
- Educate donors on safe giving practices
5. Insider Threats and Human Error
Not every threat comes from outside. Mistakes by staff and volunteers, or deliberate misuse of access, can be just as damaging. According to recent figures, insider issues contributed to 24% of charity breaches in 2024. With many charities relying on temporary or part-time staff, it’s easy for security to slip.
The key is access control and culture. Data should only be available to those who genuinely need it, and permissions must be revoked quickly when people leave. Regular training and open reporting processes also help to create a security-first mindset. When staff feel confident to admit mistakes without fear of blame, issues can be resolved before they escalate.
Best practices include:
- Regularly review user access rights
- Revoke accounts as soon as staff leave
- Encourage open reporting of mistakes
Building Cyber Resilience
Cybersecurity doesn’t need to be prohibitively expensive. By focusing on layered defences—such as multi-factor authentication, endpoint protection, and regular patching—charities can cover the majority of risks. Frameworks like Cyber Essentials offer a cost-effective route to demonstrating strong security practices. Most importantly, resilience comes from making security a shared responsibility across the entire organisation, rather than leaving it solely to IT.
Real-Life Success Stories
Several charities have already demonstrated the power of proactive IT and cybersecurity strategies. The Fostering Network, for example, worked with Wanstor to resolve a failed Microsoft 365 migration and implement Dynamics CRM. The result was smoother operations for over 100 staff and annual savings of £80,000.
Similarly, Jobs 22 partnered with us to streamline onboarding and device management. By using zero-touch deployment tools, they improved both security and efficiency, enabling faster scaling without compromising resilience. These examples highlight how strategic IT partnerships can deliver both protection and tangible business benefits.
Ready to Learn More?
From phishing scams to insider threats, cybersecurity risks are not going away—but with the right approach, charities can stay ahead. Our full eBook dives deeper into the top five threats, offering detailed strategies, policy templates, and technology checklists designed specifically for the not-for-profit sector.