Why Nonprofits Are Easy Targets for Phishing Attacks

Cybersecurity has historically been low on the list of priorities of nonprofit organizations. Due in part to the lack of prioritization, in recent years, nonprofit organizations have become an easy target for phishing attacks.

In a recent study from a data set of more than 9.5 million users, KnowBe4 found that nonprofit organizations have an average “phish-prone” percentage of 32.3%. Or approximately one in three employees is likely to click on a suspicious link or email or comply with a fraudulent request.

What Is Phishing Attack?

A phishing attack is a type of cyberattack that uses a fraudulent email as a weapon. An email used for a phishing attack often appears to come from a reputable source.

A phishing email may come with a malicious attachment or malicious link. Opening a malicious attachment from a phishing email can install malicious software (malware) into the email receiver’s computer. Clicking a malicious link in a phishing email may lead to a fake website coaxing the receiver to reveal confidential information. Or the scam site is used to download malware into the victim’s computer.

Why Are Nonprofit Organizations Targeted?

Nonprofit organizations are repositories of critical data, including benefactors’ names, addresses, and credit card details, as well as critical data of clients and proprietary information, as in the case of nonprofit research organizations.

Aside from donations from individuals, nonprofits are trusted by governments and institutions with significant financial and social responsibilities. Some local governments’ top contractors are nonprofits with contracts worth millions.

Holding critical information and funds make nonprofit organizations very attractive to cybercriminals.

While nonprofit organizations face the same security risks as for-profit organizations, nonprofits generally lag behind for-profit organizations in implementing policies and practices necessary to secure their IT systems. And cybercriminals rely on nonprofits’ lack of implementing cybersecurity best practices making them easy targets for phishing attacks.

How do Phishing Attacks Impact Nonprofits?

There are two ways by which phishing attacks impact nonprofit organizations:

1. Business Email Compromise (BEC) Attacks

Business Email Compromise (BEC), also known as email account compromise (EAC), is a type of email cybercrime targeting companies with the typical objective of having company funds wired into the attacker’s bank account. BEC attacks will generally fall into one of these five types: bogus invoices, CEO fraud (impersonating a c-level employee to ask coworkers for money), account compromise, attorney impersonation, and data theft.

The nonprofit organization Save the Children told the Boston Globe that attackers deceived the institution into transferring nearly $1 million to a fraudulent organization in Japan by breaking into an email account of an employee of the institution and by creating false invoices and other documents.

The U.S. Federal Bureau of Investigation (FBI) reported that between the period of June 2016 to December 2021, BEC attackers pocketed over $43 billion from 241,206 victims worldwide.

The FBI said the scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.

Security researchers from Abnormal Security identified a 48% increase in cyberattack attempts targeting email accounts in the first six months of 2022 and 68.5% of those attacks included a credential phishing link.

2. Ransomware Attacks

Ransomware is malware that denies victims access to their computer files until a victim pays a ransom. Ransomware spreads primarily through phishing emails.

In May 2021, New Zealand’s largest volunteer agency in international development, the Volunteer Service Abroad (VSA), was hit by a ransomware attack that encrypted vital information in its data systems, some of which were lost. The VSA refused to pay the ransom and has recovered from the attack.

Recovery is an expensive and time-consuming process. Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021, According to the Sophos State of Ransomware 2021 report.

And if that wasn’t bad enough, SonicWall’s 2022 Cyber Threat Report revealed that Hawai‘i is among the top 10 states most at risk for malware.

How Can Non-profits Prevent Phishing Attacks And Email Compromise?

Here are some cybersecurity measures to protect your organization from phishing attacks:

  • Use multifactor authentication on all systems.
  • Use email authentication technology to minimize the chance of phishing emails reaching your organization’s inboxes.
  • Create detection system rules that flag external emails.
  • Never allow non-IT staff to install software on their work computers to prevent accidental installation of malware, such as ransomware.
  • Scrutinize all emails requesting money transfers or requests for confidential information to determine if the requests are legitimate. If unsure whether an email request is legitimate, verify it by talking to the email sender via phone or in person.
  • Always verify any change in an account number or payment procedures with the person making the request.

And Finally, Alert Your Staff About Known Phishing Attacks

Phishing scammers constantly change their tactics. During your organization’s regular cybersecurity training, include tips on spotting the latest phishing schemes. For instance, one frequent characteristic of a phishing email is that it gives an urgent tone, pressuring the email recipient via the email subject to 'act now', or something negative will happen.

When you need help raising awareness and protecting your digital assets, speak with one of our cybersecurity and IT risk experts. Contact us today and subscribe to our cyber tips to receive weekly cybersecurity tips to help you protect yourself and your organization.