Why Nonprofits Are Targets of Cybercrime and How They Can Protect Themselves

First Republic Bank
August 17, 2018

Nonprofit organizations provide some of the most vital services in the country and in order to accomplish their mission, it takes a committed team of volunteers and donors operating on a very tight budget. Due to limited resources, cybercriminals view nonprofits as easy prey sitting on a wealth of personal information about their support staff, donors and volunteers and the communities they serve.

Many nonprofits may think they’re not big enough to be a target, but their smaller size is one of the things that makes them even more appealing to cyber thieves. Unlike large corporations, nonprofits and schools usually have fewer IT staff and resources, making them particularly vulnerable. IT staff frequently juggle responsibilities to keep the organization’s systems running, which often means they have less time to focus on security.

Cybercriminals, however, are relentlessly focused on finding their way into computer systems through system vulnerabilities, circumventing established safeguards or by social engineering (tricking) employees into unwittingly disclosing sensitive information.

A cyber incident can cause irreparable damage to your information assets and your good reputation, resulting in the loss of precious funds and donor trust. Ultimately, cybercrime negatively impacts the community you serve.

Common cybercrime tactics and defenses

Financial fraud is most often committed by gaining access to the email of an employee or service provider/vendor. Cybercriminals use malware and cleverly crafted email to steal passwords for email accounts, and then they use this access to understand the timing of financial transactions and intervene at the most opportune time to redirect funds to a bank account they control. These low-tech tactics are inexpensive, borderless and highly effective. It is critical to educate employees to watch out for any email asking them to click on a link, open an attachment or to enter their email credentials. In addition to awareness, the most effective technical control is using two-step authentication to access email.

2017 was a lucrative year for ransomware, and it appears as if 2018 will be no different. Cybercriminals continue to exploit control weaknesses to gain access to personal information, encrypt it and then demand a ransom of the victim to regain access. The ransom amounts remain relatively low, with no assurance for the victim that the data will be returned intact or that additional ransom won’t be demanded.

A new twist to ransom attacks in 2018 is that the criminal emails proof of stolen data by providing emailed copies of documents to the breached organization — or even worse to the individuals to whom the data pertains — and then threaten public disclosure on the internet should the ransom not be paid. Although there are instances where stolen data has been publicly disclosed, not all cybercriminals follow through on this threat; a little research on the attacker will often provide insight into their modus operandi. Their primary tactic is to send spam to as many targets as possible and engage with anyone who is naive enough to respond. The best way to protect against ransom attacks is establishing awareness at every level of the organization, encrypting and password protecting sensitive data and ensuring data is backed up to an offline storage system.  

Both financial fraud and ransom attacks are most often perpetrated through the use of look-alike domains. This is where the cybercriminal will create a fake domain name ( that looks very similar to the real name ( and send email that appear to come from a legitimate employee, vendor or client. The email is used to trick an employee into unwittingly entering passwords into a fake webpage, responding to the email with sensitive information or processing a fraudulent invoice. It is crucial to ensure all employees at every level are aware of look-alike internet names and to call the sender of the suspicious or unexpected email, even if it is a colleague, to verify its authenticity. Email related to financial transactions should always be verbally verified. Yes, the process can be cumbersome, but it is more trouble down the line when funds are lost and cannot be recovered.

Additional steps to protect your organization

While the constantly evolving tactics of cybercriminals can seem daunting, nonprofits can take proactive steps to protect themselves.

Update software. At a minimum, systems should have aggressive spam email filtering, antivirus software and financial malware detection software. Software should be updated and patched regularly. If a school or nonprofit relies on a third-party vendor to handle its IT, the vendor should be quizzed on its security and maintenance practices.

Create a documented Incident Response Plan. The actions to take if systems are compromised — who will do what and when — should be clearly documented and understood. For example, in the event of a cyberattack, will you have a meeting to discuss the steps to take, or will roles and steps be delineated in advance so people can launch into action? More specifically, if there is a ransomware attack, who is going to take things offline? This should all be clear well before a cyberattack happens.

Restrict privileges. Limit the number of people who have administrative privileges that allow them to make changes to systems. Only a few people need this ability, and you don’t want a cyber thief to obtain the password of someone who has administrative privileges.

Protect passwords. Train employees to change passwords often — or put software in place that requires passwords to be changed — and stress the importance of not using the same passwords on social media and other personal and business accounts.

Pause and investigate. Would this executive send this type of request? Is this a new payment? Has the timing of the payments or requests changed? A major way to prevent fraud is to question unusual requests, last-minute changes to payments or instructions. When in doubt, pick up the phone and communicate with the relevant parties. It’s important for senior management to make it clear to all staff that it is okay to call them directly to confirm a financial transaction or an out-of-pattern data request (an example might be, “email me all W-2s of our employees”).

You don’t have to go it alone

Cyber breaches continue to make headlines and the reports only capture a percentage of the crimes.

Fortunately, First Republic offers several cybersecurity services for clients that can help fortify their defense.

Internet Security Health Check. An Information Security Specialist will personally visit your office or home to evaluate your computers to ensure they are optimally configured for online protection. We are also used to partnering with nonprofit organizations’ IT staff to share our best practices.

Security Awareness Training. An Information Security Specialist can also conduct on-site security awareness training for your organization, which will include recent fraud tactics and trends with real-world examples. Many organizations may invite their board members, donors and volunteers to these events.

To receive information about these services for First Republic clients, or if you have any questions or concerns about cybersecurity, please contact First Republic's Information Security Team.

The information contained in this article is provided to you as is, does not constitute legal advice and is governed by our Terms and Conditions of Use, and we are not acting as your attorney. We make no claims, promises or guarantees about the accuracy, completeness or adequacy of the information contained in or linked to this website and its associated sites.