
Phishing emails: the signs to look out for in 2026

By Qlic IT for Charities

Phishing remains one of the most common and damaging cyber threats facing charities in 2026. As cyber criminals become more sophisticated, phishing emails are no longer riddled with easy-to-spot spelling mistakes or obvious red flags. Instead, attackers are now using artificial intelligence, realistic branding, and tailored language to deceive even the most vigilant staff members.

It’s essential for every organisation to understand these new tactics and make their teams and donors aware as well.

What is phishing?

Phishing is a tactic used by cyber criminals to deceive individuals into sharing sensitive information or installing malicious software. These emails often imitate trusted organisations or colleagues, creating a false sense of legitimacy. While email is still the most common delivery method, phishing attempts can also arrive via text message, social media platforms and messaging apps.

Why are charities being targeted?

Charities continue to be targeted for several reasons:

  • They often hold valuable personal and financial data.
  • Cyber security tools and training may be less extensive due to budget constraints.
  • Hybrid and remote working environments increase the likelihood of staff using personal devices.

Attackers are aware of these vulnerabilities and tailor their methods accordingly.

Phishing trends in 2026

Phishing attacks have evolved significantly over the past year. Below are some of the latest tactics seen across the sector.

1. AI-driven phishing emails

Attackers now use AI tools to craft emails that closely mimic the writing style of colleagues, suppliers and even CEOs. These messages can appear highly personalised, referencing real projects or previous conversations, making them far harder to identify as fraudulent.

2. Fake multi-factor authentication requests

Cyber criminals are increasingly imitating security alerts, prompting users to re-authenticate or reset passwords urgently. These emails often lead to realistic but fraudulent login portals where credentials are harvested in real time.

3. QR code phishing (Quishing)

With QR codes now common in workplaces and public spaces, attackers are embedding malicious codes in emails. When scanned, these can redirect users to fraudulent websites or trigger credential-stealing malware.

4. Spoofed platforms and services

Impersonations of Microsoft 365, cloud storage providers, CRM systems and payment platforms are widespread. These emails often include branding and layouts identical to the genuine services, making them particularly deceptive.

5. Targeted attacks on leadership and finance teams

Spear phishing and business email compromise attacks are becoming more targeted. Criminals focus on individuals with authority to approve payments, access financial systems or hold strategic information.

Key signs an email may be a phishing scam

Although phishing emails are becoming more convincing, there are still reliable indicators that something may not be right:

1. Unexpected requests for sensitive information

Legitimate organisations will not ask for passwords, bank details or two-factor authentication codes via email.

2. Urgent or pressuring language

Emails that claim your account will be locked, payroll cancelled or files deleted should be treated with caution. Inform your internal or external IT team if you receive any emails containing this kind of language.

3. Unusual links or attachments

Hovering over a link before clicking can reveal whether the website address matches the sender’s claim. Even slightly altered domains can indicate malicious intent.

4. Generic or incorrect greetings

Emails addressed to “User”, “Colleague” or an incorrect name may suggest a mass phishing attempt sent to lots of organisations.

5. Mismatched sender addresses

The display name may look genuine, but the underlying email address could reveal inconsistencies or suspicious domains.

6. Unexpected QR codes

If you receive a QR code in an email, verify the source before scanning it, especially if it relates to logging in or authentication.

Practical steps to protect your charity

1. Enable multi-factor authentication

This adds a crucial layer of security and helps prevent attackers from accessing accounts even if passwords are compromised.

Microsoft Authenticator, Google Authenticator and Authy are all good multi-factor authentication tools to use.

2. Provide regular cyber security training

Ongoing training helps staff identify phishing emails and reduces the likelihood of mistakes. Simulated phishing exercises can be particularly effective.

We recommend using Proofpoint, which offers a wide range of training modules alongside the ability to run realistic, staged phishing tests to help staff learn how to identify potential threats.

3. Strengthen technical safeguards

Ensure your charity uses updated spam filters, anti-malware tools and secure mobile device management where possible.

There are many tools that provide spam filtering and email protection; research the best one for your organisation before signing up.

4. Encourage a culture of verification

If an email seems unusual, encourage staff to verify it through a separate communication method. A quick phone call can prevent a costly breach.

Below are two webinar recordings that explore some phishing tactics, cyber security best practice and the real-world challenges charities are facing today.

