Avoid These COVID-19 Cyber Scams Targeting Nonprofits

First Republic Bank
March 18, 2021

Nonprofit organizations provide some of the most vital services in the country and in order to accomplish their mission, it takes a committed team of volunteers and donors operating on a very tight budget. Due to limited resources, cybercriminals view nonprofits as easy prey sitting on a wealth of personal information about their support staff, customers and donors.

Many nonprofits may think they’re not big enough to be a target However, their smaller size is one of the things that makes them even more appealing to cyber thieves. Unlike large corporations, nonprofits and schools usually have fewer IT staff and resources, making them particularly vulnerable. IT staff frequently juggle responsibilities to keep the organization’s systems running, which often means they have less time to focus on online security.

Cybercriminals, however, are relentlessly focused on finding their way into computer systems through system vulnerabilities, circumventing established safeguards or by social engineering (tricking) employees into unwittingly disclosing sensitive information or moving money.

A cyber incident can cause irreparable damage to your information assets and your good reputation, resulting in the loss of precious funds and donor trust. Ultimately, cybercrime negatively impacts the community you serve.

Common cybercrime tactics and defenses

In 2020, as more business began to be conducted online and more employees shifted to working from home, incidents of financial cybercrime rose considerably. Cybercriminals took advantage of the uncertainty of the pandemic and the resulting economic downturn to cause chaos. In 2021, many organizations are still facing the same issues that left them vulnerable to attacks previously, so it’s important to understand what kind of cybercrime your organization may be vulnerable to, and what your staff can do to protect themselves.

Financial fraud targeting non-profits is most often committed by gaining access to the email of an employee, service provider or donor. Cybercriminals use malware (software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system) and cleverly crafted emails to steal passwords for the target’s email account(s). They use this access to learn the timing of donations and other financial transactions, and then intervene at the most opportune time to redirect funds into a bank account they control. These low-tech tactics are inexpensive and highly effective, and they can happen from anywhere in the world.

If cybercriminals are not able to gain access to an  email account, they often shift their tactics through the use of look-alike domains. This is where the cybercriminal will create a fake domain name that looks very similar to the real name (for example, instead of and send an email that appears to come from a legitimate employee, vendor or donor. The email is used to trick an employee into unwittingly entering passwords into a fake webpage, responding to an email with sensitive information or processing a fraudulent donation.

The pandemic has also created new opportunities for scams by cybercriminals as they often exploit current events to gain access to personal information and money. There has been a serious uptick in scams involving fake vaccines, PPE, COVID-19 testing, emergency small business loans, tech support, and unemployment benefits fraud. Ransomware attacks (a type of malicious software designed to block access to a computer system until money is paid as a  “ransom”) have also evolved during the pandemic as cybercriminals create fake COVID-19 mobile apps that pretend to give live updates of the pandemic, but instead really expose users to malicious software that will lock their mobile device.

Additional steps to protect your organization

While the constantly evolving tactics of cybercriminals can seem daunting, nonprofits can take proactive steps to protect themselves.

Employee awareness. It is crucial that all employees understand non-profits are easy targets and that email security should be a top priority. Enabling two-factor authentication for all email accounts will help prevent the risk of email compromise. Employees should also be educated on not engaging in unexpected suspicious emails and to verbally confirm all payment instructions when received via email.

Update software and conduct due diligence. At a minimum, systems should have aggressive spam email filtering, antivirus software and financial malware detection software. Software should be updated and patched regularly. Before downloading applications related to COVID-19 ensure proper due diligence has been performed such as checking reviews, and when the application was last updated.

Create a documented Incident Response Plan. The actions to take if systems are compromised — who will do what and when — should be clearly documented and understood. For example, in the event of a cyberattack, will you have a meeting to discuss the steps to take, or will roles and steps be delineated in advance so people can launch into action? More specifically, if there is a ransomware attack, who is going to take things offline? This should all be clear well before a cyberattack happens.

Restrict privileges. Limit the number of people who have administrative privileges that allow them to make changes to systems. Only a few people need this ability, and you don’t want a cyber thief to obtain the password of someone who has administrative privileges.

Protect usernames and passwords. Train employees to create unique usernames and change passwords often — or put software in place that requires passwords to be changed — and stress the importance of not using the same passwords on social media and other personal and business accounts.

Pause and investigate. Would this executive send this type of request? Is this a new payment? Has the timing of the payments or requests changed? A major way to prevent fraud is to question unusual requests, last-minute changes to payments or instructions. When in doubt, pick up the phone and communicate with the relevant parties. It’s important for senior management to provide continuous cybersecurity education and make it clear to all staff that it is okay to call them directly to confirm a financial transaction or an out-of-pattern data request (an example might be, “email me all W-2s of our employees”).

While taking these additional steps can be cumbersome, they are essential to protect your employees’ personal information and your organization's funds.

You don’t have to go it alone

Cyber breaches continue to make headlines and the reports only capture a percentage of the crimes.

At First Republic, we offer complimentary cybersecurity services to proactively safeguard your accounts and improve your security posture. To schedule and learn more about these services, please contact your Preferred Banker, Relationship Manager or Wealth Manager.

This information is governed by our Terms and Conditions of Use.