Why Nonprofits Are Targets of Cybercrime and How They Can Protect Themselves

First Republic Bank
May 16, 2022

A common misconception is that nonprofit organizations are not a target for cybercrime. In truth, nonprofits make a great target for cybercriminals because they offer something of significant value: sensitive information on donors, volunteers and support staff.

Many nonprofits think they are not at risk of being a target because they aren’t large enough, but their small size is one of the factors that makes them more appealing to cybercriminals. Unlike large corporations, nonprofits — including schools — usually have fewer IT staff and resources, making them particularly vulnerable to cyber-attacks. IT staff at nonprofits frequently juggle several responsibilities, which means they have less time to focus on security.

Cybercriminals are relentlessly focused on finding their way into computer systems by exploiting vulnerabilities, circumventing established safeguards or social engineering staff members into disclosing sensitive information.

When a cyber incident occurs, it has the power to cause irreparable damage to a nonprofit organization’s systems, information, assets and good reputation, resulting in loss of funds and donor trust. Ultimately, cybercrime negatively impacts the community at large. To keep your nonprofit and your community safe, continue reading to learn about common cybercrime tactics and best defenses. 

Common cybercrime tactics to know

The most common type of fraud cybercriminals commit is financial fraud. It is most often initiated by gaining access to the email of a staff member or service provider. Cybercriminals use deceptive emails and malware to steal passwords for email accounts and communications about transactions. They then intercept payment instructions at the most opportune moment to redirect funds to a bank account they control. These low-tech tactics are inexpensive but highly effective.

Fraudsters can also use look-alike domains to initiate financial fraud. The cybercriminal will create a fake domain that looks extremely close to a preexisting one. For example, if a cybercriminal were targeting colleagues or clients of First Republic Bank, they might create a domain like (note the "1" in the domain) and use it to send an email to real colleagues and clients. As the deceptive email appears to be a legitimate communication from First Republic Bank, it could be used to trick staff or clients into various detrimental actions — entering their login credentials into a fake webpage, providing their sensitive information in an email response or processing a fraudulent invoice. 
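One way a mail filter or a finance team script could flag the look-alike senders described above (an added example, not part of the original article). The trusted domains, the character-swap table and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: domains the organization really exchanges payment mail with.
TRUSTED_DOMAINS = {"examplebank.test", "kidsfund.test"}

# Character swaps commonly used in look-alike domains; both forms collapse to one.
CONFUSABLES = {"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def skeleton(domain):
    """Collapse visually confusable characters so spoofed and real forms compare equal."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Distance 0 is a pure character swap; 1 is one added, dropped or changed letter.
        if edit_distance(skeleton(domain), skeleton(trusted)) <= 1:
            return ("lookalike", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["ap@examplebank.test", "ap@examp1ebank.test",
                   "Billing <ap@exarnplebank.test>", "news@unrelated.test"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message and confirm the request by phone on a known number, not proof of fraud; very short trusted domains will need a stricter threshold.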

Best defense to protect your organization

Oftentimes, the weaknesses within an organization are due to human error. With cybercriminals continuing to innovate, it’s critical that nonprofit organizations stay up to date with the most recent scams and cyberfraud trends. The evolving tactics of cybercriminals may seem daunting, but nonprofits can take a proactive approach to protect their organization and the communities they serve by implementing the following recommendations:

  • Train staff regularly. Online security training should be a regular occurrence that includes all staff across the organization, including volunteers with online access.
  • Protect passwords. Instruct staff to change passwords often — or put software in place that requires passwords to be changed — and stress the importance of not recycling passwords across multiple websites and social media platforms.
  • Conduct vendor due diligence. If a nonprofit organization or a school relies on a third-party vendor to handle its technology needs or any critical data, annual due diligence meetings should be held to review the security and maintenance practices of the vendor.
  • Update software regularly. At a minimum, systems should have strong spam email filtering, antivirus software and financial malware detection software. This software should be updated and patched regularly for the best defense.
  • Regularly back up systems. Maintain regular backups of critical data to protect against system failure and ransomware attacks. Disconnect external backup drives from your machine when not in use.
  • Restrict privileges. Limit the number of people who have administrative privileges that allow them to make changes to systems. The more people who have access to this ability, the greater the chance of a cybercriminal obtaining these sensitive credentials.
  • Use multi-factor authentication. Require that users enable multi-factor authentication when signing into their online accounts. Enabling biometric/facial identification adds an additional layer of security.
  • Institute a risk mindset. When receiving an email, phone call, or request for a last-minute change that feels suspicious, pause, question and investigate. Would this executive send this type of request? Is this a new payment? Has the timing of the payments or requests changed? A major way to prevent fraud is to question unusual events.
  • Verbally validate payment instructions. It’s always best to pick up the phone and communicate with the relevant parties to confirm requests. It’s important that senior management reminds staff to call clients directly on a known phone number to confirm a financial transaction or an out-of-pattern data request.
  • Create a documented Incident Response Plan. The actions and corresponding roles to take if systems are compromised should be clearly documented and understood. In the event of a cyberattack, will you have a meeting to discuss the steps to take, or will roles and steps be delineated in advance so people can launch into action? If there is a ransomware attack, who is going to take things offline? This should all be clear well before a cyberattack happens. 

First Republic Bank can help you

For more information on how to protect your organization, email:
