Summary: The nonprofit community has become a top target for cybercriminals because these organizations typically lack the sophisticated security software and expertise of larger companies. In this article, we discuss common phishing techniques, how to spot phishing emails, and how to reduce the risk of a data breach.
As a small nonprofit, you may assume your organization isn’t going to be targeted by cybercriminals. After all, why would they come after you when they could target huge corporations with massive financial assets and mountains of sensitive data?
Well, huge corporations have internal teams and external vendors managing super-sophisticated cybersecurity infrastructure. Smaller organizations, with limited resources and expertise, represent the path of least resistance.
Of course, small nonprofits handle sensitive donor data and payment information that command a premium price on the dark web. The sad reality is that cyberattacks targeting nonprofits are constant, and they’re getting harder and harder to detect.
More than 90% of Successful Cyberattacks Start with a Phishing Email
You read that correctly. This statistic comes from the Cybersecurity & Infrastructure Security Agency (CISA).
A phishing email is designed to trick the recipient into revealing sensitive information, like passwords and financial account numbers. Victims often fall for the scam by:
- Entering information into a bogus form or simply responding to the email with the information requested.
- Clicking a link or downloading an attachment that automatically installs malware on their device.
Phishing email attacks are so common because they’re relatively easy to execute. Instead of writing complex malware to get past antivirus tools and other defenses, attackers simply send emails to publicly available addresses!
Common Scam Techniques Used in Phishing Emails
Phishing attacks usually appear to come from legitimate email addresses and are professionally designed to appear authentic. Cybercriminals pose as trusted individuals or entities and use different techniques to trick victims, such as:
- Email Spoofing: The sender appears to be your executive director or board chair requesting urgent action.
- Vendor Impersonation: The email includes a fake unpaid invoice or document from a known vendor like QuickBooks, Zoom, or Microsoft.
- Account Login Phishing: Fake login pages for Gmail, Outlook, PayPal, etc. are used to trick users into entering usernames and passwords.
- Grant Scams: Fake offers of government or foundation grants require sensitive information to verify eligibility or application fees.
- Voicemail or Missed Call Phishing: Fake notifications telling you to check a voicemail, often paired with a bogus threat to cancel a subscription or investigate an unauthorized payment. The link leads to malware.
- Gift Card Scams: Someone posing as leadership asks for gift cards as a favor.
- Event or Donor List Scams: The scammer offers to sell a list of donors or event attendees.
How to Spot a Phishing Email
When in doubt, don’t click the link, don’t download the attachment, and don’t respond to the email if you notice these and other warning signs:
- Unusual or misspelled sender email address or link (hover over it – don’t click!).
- “Official” emails sent from public webmail domains like Gmail or Yahoo.
- Unsolicited attachments, especially from unknown senders, which are often used to spread malware.
- Suspicious requests to provide or update sensitive information.
- Threats (ransomware), urgent requests, and unrealistic offers that require immediate action.
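The warning signs listed above can be checked mechanically before a person ever opens the message. The following Python script is an added example, not code from the original article; it parses raw email messages with the standard library and reports the signs the list describes: a look-alike or public-webmail sender address, a Reply-To that goes somewhere other than the sender's domain, link text that shows a different domain than the link actually targets, attachment types that commonly carry malware, and pressure language in the subject or body. The organization domain example.org (a reserved name), the webmail and keyword lists, and the three sample messages are constructed assumptions for illustration only.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical configuration for this example: the organization's own domain
# (example.org is reserved for documentation) and common public webmail domains.
ORG_DOMAINS = {"example.org"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".zip", ".lnk", ".html", ".htm")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "action required", "within 24 hours")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TEXT_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def edit_distance(a, b):
    """Levenshtein distance; catches look-alike domains such as examp1e.org vs example.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the org domain this one imitates (within two edits), or None."""
    for org in ORG_DOMAINS:
        if domain != org and edit_distance(domain, org) <= 2:
            return org
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def flag_sender(msg):
    """Warning sign: unusual, misspelled or public-webmail sender address."""
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    if domain in PUBLIC_WEBMAIL:
        reasons.append(f"sender uses public webmail domain {domain}")
    if lookalike_of(domain):
        reasons.append(f"sender domain {domain} imitates {lookalike_of(domain)}")
    _, reply = parseaddr(msg.get("Reply-To", ""))  # replies routed elsewhere is a spoofing tell
    if reply and domain_of(reply) != domain:
        reasons.append(f"replies go to {domain_of(reply)}, not to sender domain {domain}")
    return reasons


def flag_links(html):
    """Warning sign: the domain shown in the link text differs from the real target."""
    reasons = []
    for href, text in LINK_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        shown = TEXT_HOST_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if shown and shown.group(1).lower() != href_host:
            reasons.append(f"link shows {shown.group(1).lower()} but points to {href_host}")
        for org in ORG_DOMAINS:  # "example.org.something.invalid" is not example.org
            if org in href_host and href_host != org and not href_host.endswith("." + org):
                reasons.append(f"link host {href_host} embeds {org} but is not under it")
    return reasons


def flag_attachments(msg):
    """Warning sign: unsolicited attachments of types that can carry malware."""
    names = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    return [f"risky attachment {n}" for n in names if n.endswith(RISKY_EXTENSIONS)]


def flag_urgency(msg, text):
    """Warning sign: requests for data and pressure to act immediately."""
    haystack = (msg.get("Subject", "") + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    return [f"pressure language: {', '.join(hits)}"] if hits else []


def triage(raw):
    """Return the warning signs found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return flag_sender(msg) + flag_links(text) + flag_attachments(msg) + flag_urgency(msg, text)


# Constructed sample messages (not real mail): an executive-director spoof from a
# look-alike domain, a fake vendor invoice with a risky attachment, and a normal message.
SAMPLE_SPOOF = """\
From: "Jane Doe, Executive Director" <jane.doe@examp1e.org>
Reply-To: jdoe.director@gmail.com
To: staff@example.org
Subject: URGENT: verify your payroll account
Content-Type: text/html; charset="utf-8"

<p>Please verify your account immediately:</p>
<a href="http://example.org.account-review.invalid/verify">example.org/verify</a>
"""
SAMPLE_INVOICE = """\
From: billing@vendor-notices.invalid
To: finance@example.org
Subject: Invoice 4471 overdue - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is attached. Payment is due within 24 hours.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice_4471.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.org>
To: staff@example.org
Subject: Board meeting agenda for Thursday
Content-Type: text/plain; charset="utf-8"

Agenda is on the shared drive. See you Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("spoof", SAMPLE_SPOOF), ("invoice", SAMPLE_INVOICE), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", triage(raw) or "no warning signs")
```

Each flag function maps to one item in the list above, so the output reads like the checklist a trained staff member would run by hand; a message with no findings is not proven safe, it has simply passed these particular checks.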
How to Protect Your Small Nonprofit from Phishing Attacks
First and foremost, bring in a cybersecurity expert to lead comprehensive security awareness training. When staff and volunteers understand how to spot phishing emails, and their eyes are opened to the consequences of falling for scams, the risk of a data breach drops significantly!
There are four steps small nonprofits can take to avoid the costly consequences of a phishing attack.
- Use email filtering tools. These tools detect spam, malware, phishing attempts, and other malicious content. They can also scan outbound emails to ensure sensitive data is not being sent outside the organization.
- Use multifactor authentication (MFA). Most email platforms offer MFA as a standard feature. Instead of simply entering a username and password, MFA requires a second step such as a code sent to a mobile device, a fingerprint, answers to security questions, etc. If credentials are stolen, unauthorized users still won’t be able to access your sensitive data without completing that second step!
- Define policies for the proper use and sharing of sensitive data. How should purchases be made? Are wire transfers permitted? Who is authorized to access bank accounts and donor data? Are multiple users allowed to share passwords? Document policies and leave no room for interpretation!
- Report phishing attempts and incidents. If you were tricked by a phishing email, or you suspect a phishing attack, report it! The reporting process should be defined in your policies. In addition to reporting the event internally:
  - Forward the email to the Anti-Phishing Working Group (reportphishing@apwg.org).
  - File a fraud report with the Federal Trade Commission (reportfraud.ftc.gov).
  - File a report with the FBI’s Internet Crime Complaint Center (ic3.gov) if you’ve suffered financial loss or suspect criminal activity.
The bad news is that phishing emails are only growing in volume and sophistication. The good news is that the best defense is common sense with a healthy dose of caution. Educate your team to keep the phishing attacks away from your finances and sensitive data!
