SecureBridge Blog

Cyber Security Advice for UK Organisations

Plain-English guidance on the threats facing charities, NGOs and small businesses. Written by the SecureBridge team.

Data breach concept
Password Security 17 June 2026

Billions of Stolen Passwords Are Circulating Online. Here's What Your Organisation Should Do Now.

Security researchers have uncovered one of the largest collections of stolen login credentials ever seen online, containing records linked to millions of UK accounts. If your staff reuse passwords across work and personal accounts, your organisation could already be at risk.

When researchers publish findings about massive credential dumps, the headlines tend to focus on the scale of the numbers. But for charities and small businesses, the practical question is simpler: could someone use these stolen passwords to log into your systems right now?

The answer depends almost entirely on whether your staff reuse passwords. If a team member uses the same password for their personal email and your organisation's Microsoft 365 account, a breach of that personal email provider hands attackers the keys to your work systems too. This is called credential stuffing, and it is one of the most common ways small organisations are compromised.

The fix is straightforward. Every work account should have a unique password that is not used anywhere else. A password manager makes this practical even for non-technical staff. Combine unique passwords with multi-factor authentication on all critical accounts and you remove the vast majority of risk from credential leaks.

What to do this week: Ask your team to check their work email address on a breach notification service such as HaveIBeenPwned. Any match should trigger an immediate password change on that account and any other account using the same credentials.

SecureBridge can help you roll out a password management policy and multi-factor authentication across your organisation. Get in touch to book a free cyber health check.


Cyber threat intelligence
Phishing

Why Phishing Emails Are Getting Harder to Spot in 2026.

3 June 2026

Attackers are no longer sending obvious fake emails full of spelling mistakes. Modern phishing campaigns use automated tools that steal real credentials at scale.

The phishing emails circulating in 2026 look nothing like the crudely written scam messages of a decade ago. Attackers now use sophisticated toolkits that generate near-perfect copies of legitimate login pages, complete with real branding, working HTTPS certificates and even pre-filled email addresses to make them feel personalised.

One increasingly common approach involves deploying information-stealing malware through phishing attachments. Unlike traditional phishing, which asks a user to type in their password, infostealer malware silently copies every saved password from a device and sends it directly to the attacker. A single successful infection can compromise dozens of accounts at once.

For charities and SMEs, the risk is compounded by the fact that staff rarely receive any formal training on how to identify these threats. Without training, even cautious employees can be caught out, particularly when attackers time their messages to look like urgent IT notifications or invoices from familiar suppliers.

Signs a message may be a phishing attempt: urgency or threats of account suspension, requests to click a link and enter credentials, unexpected invoices or delivery notifications, sender addresses that look slightly wrong on close inspection.

SecureBridge's Cyber Awareness for All Staff programme trains your team to recognise and report phishing attempts confidently, without needing a technical background.

Phone security keys
Staff Awareness

Delivery Scam Texts Are Targeting Your Staff. What You Need to Know.

22 June 2026

Fake parcel delivery notifications remain one of the most effective scam methods in the UK and are increasingly targeting work devices, not just personal ones.

A text arrives saying a parcel could not be delivered and asking you to reschedule by clicking a link. The message looks exactly like one from Royal Mail, DPD or Evri. The link leads to a convincing fake page asking for a small redelivery fee and your card details. This is a delivery scam, and it continues to catch thousands of UK residents and employees each year.

The reason these scams remain effective is simple: most people are genuinely expecting deliveries. When a scam text arrives at the same time as a legitimate parcel, staff can easily mistake one for the other. Attackers know this, which is why they send messages in large volumes to maximise their chances.

Beyond the financial loss of entering card details, these pages often also harvest email and password information. A staff member who uses the same password for their work email as for their online shopping could inadvertently hand an attacker access to organisational systems.

Simple rule to share with your team: never click a link in an unexpected delivery text. Instead, go directly to the courier's official website by typing the address into a browser and track the parcel there using any reference number provided.

AI scam report
AI Threats

AI-Powered Fraud Is Growing Fast. What UK Charities and Small Businesses Need to Know.

8 June 2026

Criminals are using AI to create deepfake voices, clone the appearance of trusted contacts and generate highly personalised scam messages at scale.

AI voice cloning scams work by generating a convincing audio replica of a trusted person's voice using only a few seconds of publicly available audio. Attackers then phone a finance officer or trustee, impersonating the chief executive, and request an urgent bank transfer. Because the voice sounds genuine, many targets comply before verifying the request through other channels.

Deepfake video calls represent a similar threat. In documented cases, finance staff have participated in video meetings with what appeared to be multiple colleagues, all of whom were AI-generated. The meeting ended with a large fraudulent payment being authorised.

For UK charities and SMEs operating with small teams and limited oversight structures, these attacks are particularly dangerous. There may be only one person with payment authorisation, reducing the chance that a second pair of eyes catches the fraud.

Practical defences: Establish a verbal confirmation policy for any payment request above a threshold, using a pre-agreed code word or a call back to a known number. Never approve large payments based solely on an email, text or unexpected call, regardless of who appears to be asking.

SecureBridge's Safe AI Use and Data Protection training helps your team understand AI-enabled threats and respond safely.

Robot on the phone
AI Safety

Is Your Organisation Using AI Tools Safely? What Every Senior Manager Should Understand.

5 June 2026

AI tools like ChatGPT, Copilot and Gemini are used daily by staff in many small organisations, yet most have no policy covering data entry or output verification.

When a member of staff pastes a beneficiary's personal details into a public AI tool to help draft a letter, they may be violating your organisation's data protection obligations. Under UK GDPR, personal data entered into a third-party AI system may be stored, processed and used to train future models, all of which constitutes a form of data transfer that requires a lawful basis.

The same applies to financial information, donor data, safeguarding notes and any other sensitive material. Even seemingly harmless prompts can contain enough information to identify individuals if combined with other data.

Beyond data protection, AI tools also introduce the risk of over-reliance. Staff who use AI to draft communications, summarise documents or answer questions may not always check whether the output is accurate. Factual errors in trustee reports, funding applications or beneficiary communications can have serious consequences.

Recommended steps for senior managers: Adopt a written AI use policy. Define which tools are approved, what categories of data may not be entered, and how AI outputs must be reviewed before use. Review the policy annually as the technology changes.

SecureBridge can help you develop a practical AI policy that protects your beneficiaries and keeps you on the right side of the law. Book a free consultation.

Malware delivery threat intelligence
Staff Awareness

Most People Cannot Tell Real Content From Fake Online. Here's Why That Matters for Your Team.

10 June 2026

Research consistently shows that the majority of people struggle to distinguish genuine information from AI-generated content, fabricated news stories and manipulated images.

In a study examining people's ability to identify AI-generated text, images and audio, researchers found that accuracy rates were barely better than chance for the general population. This means that for every fake news article, fabricated invoice or deepfake voice message, roughly half of recipients cannot reliably tell it is not genuine.

For charities and small businesses, the practical implication is that your team cannot be expected to use instinct alone to identify deceptive content. Scammers count on exactly this. They craft messages that look right, feel urgent and arrive in contexts where people are busy and distracted.

Effective protection requires process, not just awareness. When staff have clear procedures to follow, such as verifying payment requests by phone, checking sender addresses carefully or consulting a colleague before clicking an unusual link, they are protected even when their instinct fails them.

Practical step: Run a brief team exercise where you show examples of genuine and fake communications side by side. Most staff will be surprised by how convincing the fakes are. That realisation is the starting point for a meaningful improvement in your security culture.

Threat intelligence data
Phishing

Fake Invoice Emails Are Still Catching Finance Teams Off Guard. Here's How to Protect Yours.

3 June 2026

Invoice fraud is one of the most financially damaging scams facing UK charities and small businesses, using fake invoices to trick finance staff into making payments to fraudulent accounts.

Researchers recently exposed an active invoice fraud campaign impersonating major retailers and payment platforms while it was still being constructed. The campaign used urgency as its primary lever, with messages warning recipients that their account would be suspended or a large charge would go through unless they acted immediately.

The technique works because it short-circuits careful thinking. When someone believes they have minutes to prevent a significant financial loss, they are less likely to pause and verify the sender. The attackers design everything around this psychological pressure.

Charity finance teams are particularly exposed because they often operate with fewer controls than larger organisations. There may be only one person who handles payments, no formal approval process for invoices from new suppliers, and limited time to carry out verification checks.

Controls that make a real difference: Require a phone call to a known supplier number before changing bank account details on an invoice. Set a financial threshold above which two people must approve any payment. Never call a phone number printed on a suspicious invoice, as this may also be controlled by the attacker.

If your organisation processes payments, SecureBridge's managed IT and security services include email filtering that catches many invoice fraud attempts before they reach staff. See our services.

Google login scam
Cloud Security

Cybercriminals Are Using Fake Copyright Notices to Steal Google and Microsoft Logins.

2 June 2026

A phishing campaign sends convincing copyright infringement warnings with countdown timers that direct recipients to fake login pages designed to capture cloud account credentials.

The campaign works by sending an email that appears to come from a legal or intellectual property body, warning the recipient that copyrighted material has been found associated with their account. A countdown clock creates urgency. The link leads to a page that looks identical to a Google or Microsoft login, where entering credentials hands them directly to the attacker.

Once attackers have access to a Google Workspace or Microsoft 365 account, they can read all emails, access shared drives, impersonate the account holder to colleagues and clients, and lock the legitimate user out entirely. For charities, the consequences can include exposure of beneficiary data, financial fraud and reputational damage.

The best defence against this type of attack is multi-factor authentication. Even if an attacker obtains a password through a fake login page, they cannot access the account without the second verification step. Most major cloud platforms offer this as a free feature that can be enabled in minutes.

Check this now: Log into your Google Workspace or Microsoft 365 admin panel and verify that multi-factor authentication is enabled and enforced for all users. Do not leave it as optional. Optional security controls will be bypassed.

SecureBridge sets up and manages cloud security configurations for charities and SMEs as part of our Cloud and Email Security service.

Health data security
GDPR

What a Data Breach Could Actually Cost Your Charity Under UK GDPR.

16 June 2026

For charities holding sensitive information about beneficiaries, the legal, financial and reputational consequences of a data breach can be devastating.

Under UK GDPR, any organisation that suffers a personal data breach resulting in risk to individuals must report it to the Information Commissioner's Office within 72 hours of becoming aware. Failure to report can result in fines of up to 2% of global annual turnover or £8.7 million, whichever is higher. For a small charity, even the lower end of potential fines can be existential.

Beyond regulatory penalties, there are indirect costs that are often overlooked. Notifying affected beneficiaries or service users, responding to ICO investigations, repairing reputational damage with funders and donors, and rebuilding compromised systems can take months and cost far more than the original fine.

Many charities believe they are not attractive targets for attackers because they hold no financial data. This misunderstands the threat. Beneficiary information, safeguarding records, health data and donor details all have significant value on criminal markets, and charities are often targeted precisely because their defences are weaker than those of commercial organisations.

Minimum protections every data-holding charity should have: Encrypted storage for sensitive records. Access controls ensuring staff only see data relevant to their role. A documented incident response plan that includes who to call and what to report. Regular backups tested for recovery. A clear data retention policy.

SecureBridge helps charities understand and meet their data protection obligations through our Cybersecurity Essentials and compliance guidance services.

Social media AI bots
Social Media

Two Thirds of Online Fraud Starts on Social Media. Is Your Organisation Prepared?

9 June 2026

Data from Lloyds Bank shows that the majority of fraud reported by UK customers originates on Facebook, Instagram or WhatsApp.

For charities and small businesses, social media fraud takes several forms. Staff may receive direct messages on personal accounts from what appears to be a supplier or partner, requesting a call or payment. Charity social media accounts may be targeted for takeover, allowing attackers to solicit donations from followers. Volunteers may be recruited through fraudulent job postings and then asked to act as money mules.

The reason social media platforms are so effective for fraudsters is the combination of scale and trust. A message from a friend's compromised account carries more credibility than a cold email from an unknown sender. Algorithms also mean that fraudulent adverts can be precisely targeted at people likely to respond.

Protecting your organisation means addressing both the technical and the human layer. Secure your social media accounts with strong unique passwords and multi-factor authentication. Set up alerts for any changes to your profile or payment information. And train staff to be sceptical of any financial request that arrives through a social channel, regardless of who appears to be sending it.

Immediate action: Review who has admin access to your organisation's social media accounts. Remove anyone who no longer needs access. Enable login notifications so you are alerted to any suspicious sign-in activity.

Google account security
AI Threats

How Scammers Are Manipulating AI Support Chatbots to Take Over Accounts.

4 June 2026

Researchers have documented cases where attackers successfully manipulated automated AI customer support systems into changing account recovery details, handing them full control.

The attack works by engaging a company's AI chatbot with a carefully crafted conversation designed to convince it that the attacker is a legitimate account holder who has been locked out. In documented cases, the chatbot proceeded to change the account recovery email address, handing the attacker full control without any human ever being involved.

This is a new category of threat that combines social engineering with the limitations of current AI systems. AI chatbots are trained to be helpful and to resolve customer issues. Attackers exploit this by framing their request as a support issue and persisting until the chatbot complies.

For organisations that use AI chatbots for customer or supporter-facing interactions, this should prompt a review of what actions the chatbot is permitted to take autonomously. Account changes, password resets and any action with financial or security implications should require human verification.

Key question to ask your technology suppliers: What actions can your AI support tools take without human oversight? Any action that involves account security, payment details or personal data should require verification through a separate channel.

Steam login screen
Phishing

Fake Verification Pages Look More Convincing Than Ever. How to Train Your Team to Spot Them.

12 June 2026

Fraudulent login pages that mimic real platforms have become nearly indistinguishable from the genuine article. Without specific training, staff cannot be expected to identify them by appearance alone.

Modern phishing pages are built using the actual source code of the websites they imitate, meaning they share the same fonts, colours, layout and even interactive behaviour. They typically also have valid HTTPS certificates, so the padlock icon in the browser bar offers no protection. The URL is usually the only reliable indicator that something is wrong, and even then, attackers use domain names that are easy to overlook when reading quickly.

Common techniques include using characters that look similar to letters in the legitimate domain, adding words before or after the real domain name, or using country code domains that look official at a glance. Without slowing down to read the full address carefully, it is easy to miss.

Training staff to check URLs is valuable, but the most robust protection comes from a combination of technical controls and behavioural habits. Password managers that only auto-fill on the correct domain are one of the most effective defences, because they will refuse to fill in credentials on a fake page even if the staff member does not notice the difference.

Recommended habit to build: Before entering any credentials on a login page, pause and read the full URL in the address bar. If you did not navigate there yourself, close the page and go directly to the service's official website instead.

Our Phishing and Social Engineering Awareness programme includes practical exercises that help staff apply these habits under realistic conditions.

App store on mobile device
IT Management

Unlicensed Software Is Putting Your Organisation at Risk. Here's What to Check.

8 June 2026

Malware hidden in pirated software has infected hundreds of thousands of devices globally, silently stealing stored passwords, session tokens and financial information.

Cracked software, meaning commercial applications modified to bypass licensing checks, is distributed through unofficial websites and peer-to-peer networks. The people downloading it believe they are getting a free version of a legitimate tool. What they are often actually installing is that tool plus additional malware that activates once the software is running.

Information-stealing malware of this type is particularly damaging because it operates silently. The user sees no sign that anything is wrong. Meanwhile, the malware copies saved passwords from browsers, session cookies that allow attackers to access accounts without a password, and any documents matching patterns the attacker has specified.

For charities and SMEs, the risk of unlicensed software on work devices is compounded if those devices are also used to access organisational cloud accounts, banking portals or donor management systems. A single infected device can compromise an entire organisation.

Audit checklist: Review software installed on all work devices. Verify each application is licensed and sourced from an official provider. Remove any software whose origin cannot be confirmed. Consider a mobile device management solution to maintain oversight of devices used for work.

SecureBridge's Managed IT Support includes regular device audits and software inventory reviews as standard.

Microsoft Defender security
Cybersecurity

Modern Cyber Attacks Rarely Use Just One Method. Here's How They Combine Threats.

15 June 2026

Security researchers have exposed criminal networks simultaneously running phishing pages, remote access tools and malware distribution from shared infrastructure.

A typical modern attack on a small organisation might begin with a phishing email that delivers malware. The malware establishes a persistent connection back to the attacker's server. The attacker uses this to harvest credentials over several weeks, mapping the organisation's systems before taking any visible action. When they finally strike, they may simultaneously exfiltrate data, encrypt files and send fraudulent emails from compromised accounts.

The multi-layered nature of these attacks means that single-point defences are insufficient. Antivirus software alone will not stop a sophisticated phishing campaign. Email filtering alone will not protect against malware that arrives via a USB drive or a compromised personal device. Defences need to be layered.

For small organisations, this can feel overwhelming. The practical approach is to work through the most impactful controls first: multi-factor authentication, email filtering, endpoint protection, access controls, regular backups and staff training. These do not need to be implemented all at once, but they do all need to be in place eventually.

A useful framework: Think about your defences in three layers. Prevention (stopping attacks before they succeed). Detection (knowing when something has gone wrong). Recovery (restoring normal operations quickly). Most small organisations focus only on prevention and are then unprepared when an attack gets through.

Microsoft Windows updates
IT Management

Why Keeping Windows Updated Is One of the Most Important Things Your Organisation Can Do.

10 June 2026

Microsoft's June 2026 security update patched over 200 vulnerabilities, including three actively exploited zero-days. Unpatched systems remain one of the most common entry points for attackers.

A zero-day vulnerability is a security flaw that is known to attackers before the software vendor has had a chance to patch it. When Microsoft releases a security update that fixes a zero-day, it is simultaneously publishing information that tells every attacker in the world exactly where to look in unpatched systems. Organisations that delay installing updates are therefore at increased risk for every day they wait.

Many small charities and SMEs have devices running outdated versions of Windows, often because updates were postponed to avoid disruption and then never rescheduled. In some cases, organisations are running software that requires an old version of Windows to function, meaning the entire device is left unpatched indefinitely.

Patch management, ensuring that all devices receive security updates promptly, is one of the most cost-effective security controls available. It requires no special expertise once set up correctly, and it addresses a significant proportion of the vulnerabilities that real-world attackers exploit.

Steps to take today: Check Windows Update on all devices and install any pending updates. Set updates to install automatically outside working hours. Identify any software that prevents updating and plan for its replacement.

SecureBridge's Managed IT Support includes automated patch management so your devices stay protected without requiring manual intervention from your team.

Ransomware and data theft
Ransomware

Ransomware and Data Theft: The Twin Threats Every UK Charity Must Plan For.

18 June 2026

Modern ransomware attacks combine file encryption with data theft and threatened publication, meaning even organisations with backups face extortion pressure.

Modern ransomware attacks typically combine two threats. First, the attacker exfiltrates sensitive data from the victim's systems. Then they encrypt the victim's files, making them inaccessible. The ransom demand covers both the decryption key and the promise not to publish the stolen data. Even organisations that restore from backups face the threat of their data being published.

For charities, the data most at risk includes beneficiary contact details and case notes, donor records, staff personal information, financial accounts and any safeguarding or healthcare information. The publication of this data can cause direct harm to vulnerable individuals, trigger regulatory investigations and permanently damage donor trust.

The good news is that most ransomware attacks target organisations that have made themselves easy victims. Unpatched software, weak passwords, no multi-factor authentication and staff who have not been trained to recognise phishing are the conditions attackers look for. Addressing these substantially reduces your risk.

Recovery planning essentials: Maintain encrypted, offline backups that are tested for restoration at least quarterly. Document a step-by-step incident response plan. Know in advance who you would contact, including the National Cyber Security Centre (NCSC) and the ICO. Practice the plan at least once a year.

SecureBridge helps organisations put in place both preventative security and robust backup and recovery capabilities. Book your free cyber health check to understand where your organisation currently stands.

Apple iPhone mobile security
Mobile Security

Why Staff Using Personal Phones for Work Creates Security Risk Your Organisation May Not Have Considered.

17 June 2026

When staff use personal devices to access organisational systems, malware on those devices can reach your data, donor records and cloud accounts too.

Bring-your-own-device arrangements, where staff use personal phones or tablets to access work email, cloud documents or internal systems, are common in charities and SMEs because they reduce equipment costs. But they also mean your organisational data sits on devices you cannot manage, update or wipe remotely.

Mobile banking trojans are particularly concerning in this context. Once installed on a device, typically through a malicious app or compromised website, they can intercept bank transfer approvals, steal authentication codes and capture login credentials for any app on the device. If that device is also used to access your organisation's Microsoft 365, your cloud backup, or your donor management system, the attacker may gain access to all of those too.

The solution is not necessarily to ban personal devices. A mobile device management policy can establish minimum security requirements that any device used for work must meet, including screen lock, encryption, up-to-date operating system, and approved apps only. Staff agree to these conditions as a condition of accessing work systems on personal devices.

Minimum requirements for any device accessing work systems: Screen lock with PIN or biometric. Up-to-date operating system. No sideloaded or unofficial apps. Ability to remotely wipe organisational data if the device is lost or the employee leaves.

Social media apps
Social Media

Social Media Tutorials Offering Free Software Are Spreading Malware. Here's What to Tell Your Staff.

10 June 2026

Fake tutorials on TikTok and Instagram, claiming to show how to access paid apps for free, are being used to distribute information-stealing malware to thousands of devices.

The pattern is straightforward. A short video demonstrates how to download a paid application without paying for it. The instructions direct viewers to an unofficial website where they download a file. The file contains both the promised software and malware that installs alongside it without any visible indication. The malware then begins silently harvesting credentials.

This type of threat spreads effectively because social media platforms optimise for engagement. Tutorials that promise something for free generate high engagement and are therefore promoted widely by algorithms. By the time platforms identify and remove them, they may have been viewed millions of times.

For organisations where staff use personal devices for work, this creates a direct pathway from a personal mistake to an organisational breach. The person who follows a tutorial on their phone and installs malware on a Friday evening may inadvertently expose the charity's cloud accounts when they log in on Monday morning.

Simple guidance to share with staff: Do not install software from links shared on social media. Legitimate software is available from official app stores and the developer's own website. If a tutorial involves downloading from an unofficial source, it should be treated as suspicious regardless of how many views it has.

Data and privacy
Password Security

What Really Happens After a Password Breach: The Cascading Consequences for Your Organisation.

2 June 2026

A single compromised staff account can be the starting point for a much more significant incident. Here is how breaches escalate and what you can do to stop the cascade.

When credentials are first stolen, they are typically sold or shared within criminal communities. The initial attacker may not be the one who uses them. Weeks or months later, different actors may attempt to use the credentials to access other services where the same password was reused. This is why breaches that appear to involve only one service can lead to compromises across multiple platforms.

For organisations, a single compromised staff account can be the starting point for a much more significant incident. Attackers who gain access to one account often spend time mapping the systems they can reach from that foothold, looking for ways to escalate their access before taking any action that would be noticed.

The legal exposure for organisations that suffer data breaches due to poor credential hygiene is also growing. Under UK GDPR, organisations are expected to implement appropriate technical measures to protect personal data. Failing to enforce multi-factor authentication or password policies can be cited as evidence of insufficient controls in enforcement action by the ICO.

The three essentials: Unique passwords for every account, enforced through a password manager. Multi-factor authentication on all accounts that support it. A process for immediately revoking access when a staff member leaves or a device is reported lost.

Online scams
Staff Awareness

Online Scams to Watch Out for When Booking Travel or Venues for Your Organisation.

4 June 2026

Travel and venue booking scams are a growing problem for organisations whose staff make bookings on behalf of others, with fraudulent websites appearing above legitimate providers in search results.

Fraudulent booking websites typically appear in search results alongside or even above legitimate providers, often by purchasing advertising space. They use professional design, positive reviews and competitive prices to appear credible. After payment is made, either nothing arrives or a confirmation is sent for a booking that was never actually made with the real venue or transport provider.

Follow-up scams are also common. After a payment, victims may receive emails claiming there is a problem with the booking and requesting additional payment via a different method. These follow-on requests often use urgency and the original booking reference to appear legitimate.

For charities and SMEs, the financial loss from a fraudulent booking can be significant, particularly if it involves accommodation for a group of staff or beneficiaries, or a venue hire for an event. Beyond the direct loss, there is also the cost and stress of making alternative arrangements at short notice.

Safe booking practices: Always book through the official website of the provider, accessed by typing the address directly rather than clicking a search result. Verify the booking directly with the provider before final payment. Use a credit card or card with purchase protection for any significant bookings. Be suspicious of any post-booking request for additional payment through a different method.

Staff awareness training that covers practical scam recognition is one of the most effective ways to protect your organisation from financial fraud. See SecureBridge's training programmes.

Protect Your Organisation Today

Book a free IT and Cyber Health Check with SecureBridge. We will identify the most important steps for your specific organisation and give you a clear action plan, at no cost.

Book Your Free Health Check