
Phishing emails and cybersecurity threats

October is National Cybersecurity Awareness Month, making it the ideal time for nonprofits to review their cybersecurity strategies. In today’s digital landscape, nonprofits are increasingly vulnerable to cyberattacks due to the sensitive information they handle, such as donor data, client records, and financial details. Nonprofits often operate with limited IT resources, making them prime targets for cybercriminals. Here’s how to spot phishing emails and protect your nonprofit from rising cybersecurity threats.

The most common nonprofit cybersecurity threats

Understanding the different types of cyberattacks can better educate and prepare your organization. Don’t assume your colleagues are security-savvy.

Let’s review the most prevalent nonprofit cybersecurity threats.

Phishing

An attempt to trick you into revealing sensitive information or exposing your computer and network to malware. Cybercriminals send phishing emails that persuade recipients to open an attachment that downloads malware or click on a link to a website hosting malware.

Examples of phishing include:

Fake email from your bank

A cybercriminal sends an email that appears to be from your bank, warning you that your account has been compromised. The email urges you to click a link to verify your details, but the link leads to a fake website designed to steal your login credentials.

Phony invoice attachment

An email pretending to be from a vendor or supplier claims you have an overdue invoice. The email contains an attachment that, when opened, installs malware on your computer.

Spear phishing targeting a CEO or executive

An attacker impersonates a CEO or high-level executive, sending an urgent email to an employee asking for sensitive financial data or a wire transfer. This often uses personalized details to make the email appear more credible.

You’ve won a prize!

A scam email claims you’ve won a prize or lottery and requires you to click a link or fill out a form to claim it. The link leads to a malicious website that downloads malware onto your device, and the form asks for personal information that can be exploited later.

How to detect and dodge phishing emails

Listen to your gut. If your spidey sense is tingling, pause and look at the email in question. Send it to your IT department to check out. Keep in mind: banks, utility and service providers, website and domain hosts, and social platforms don’t send emails requesting your account information.

Review the email address, sender, subject line, and text. Look for missing characters, spelling mistakes, incorrect grammar, and awkward syntax. Is the language and style characteristic of the sender? Abrupt and vague language is a giveaway that something’s not right. Is the nature or timing of the email strange?

Here are the most commonly used phrases in phishing subject lines:

  • Urgency: act now, action required, and quick review.
  • Finance: name of the bank, statement, wire transfer, invoice, payment, remittance, and past due. We’ve received many emails with attached fake, “past due” invoices.
  • IT: verify the account, unauthorized login attempts, and unusual login activity.
  • Action: copy, memo, document, and we need you to do this.
  • Delivery: order, package arrival, receipt, and shipping information. These phishing emails ramp up during the holiday season.

If an email looks phishy, verify its authenticity by:

  • Calling the supposed sender.
  • Creating a new email to contact them. Don’t reply to the suspicious email.
  • Using search to go to the real website. Don’t click on the link in the email, even if it looks legit.

Take this phishing quiz to see how well you can spot a phishing email.

How to spot a spoofed email

Spotting a spoofed email takes more work. The sender’s email address may look correct when you review it, but it could be spoofed.

Here’s how to check. Open the email header. On some email platforms, the header is called “Original.” Look at the “Return-Path” field. The email address should match the one you see in the “From” field. Your email platform may use different terms, so find out how to view headers and verify email addresses on your platform.
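The Return-Path versus From check described above, as an added example that is not part of the original article: it parses the raw headers of a message and reports whether the two domains agree. The two messages are constructed samples with made-up addresses; a mismatch is a reason to send the email to IT, not proof of spoofing on its own, since mailing lists and bulk senders legitimately use a separate bounce domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: the visible From claims to be the
# bank, but the Return-Path (where bounces go) points at an unrelated domain.
SUSPICIOUS_RAW = """\
Return-Path: <bounce-4821@mail-relay.example.net>
From: "Example Bank Alerts" <alerts@examplebank.com>
To: staff@nonprofit.example.org
Subject: Action required: unusual login activity

Please verify your account.
"""

# Constructed sample where both fields agree.
CONSISTENT_RAW = """\
Return-Path: <alerts@examplebank.com>
From: "Example Bank Alerts" <alerts@examplebank.com>
To: staff@nonprofit.example.org
Subject: Your monthly statement is ready

Statement attached.
"""


def _domain(header_value: str) -> str:
    """Extract the lowercase domain from a header like 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def return_path_matches_from(raw: str) -> dict:
    """Compare the Return-Path and From domains of a raw RFC 5322 message.

    A mismatch is a signal worth escalating, not proof of spoofing: list
    servers and bulk senders often use a different bounce domain.
    """
    msg = message_from_string(raw)
    from_domain = _domain(msg.get("From"))
    rp_domain = _domain(msg.get("Return-Path"))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "match": bool(from_domain) and from_domain == rp_domain,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("consistent", CONSISTENT_RAW)):
        print(label, return_path_matches_from(raw))
```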

Malware

Software created for malicious purposes, such as stealing account credentials so hackers can access data, information, or money.

Examples of malware include:

  • Ransomware: A type of malicious software that locks or encrypts data on a system, demanding payment to restore access. Ransomware attacks continue to rise, with 2024 expected to surpass previous records. As of mid-2024, ransomware payments have reached $459.8 million, on track to make this year the worst on record for ransomware​. A notable event was a $75 million ransom paid to the Dark Angels ransomware group, marking the largest ransom payment recorded to date​.
  • Keylogger: A type of malware that secretly records a user’s keystrokes, capturing sensitive data like login credentials and passwords. Keyloggers remain a significant threat, particularly through phishing attacks. They are often used in more targeted attacks to collect sensitive information, such as usernames and passwords​.
  • Hijacked Sites: Websites that are compromised by attackers to deliver malware to unsuspecting visitors. Hijacked websites are a continuing threat in 2024. Attackers compromise websites to deliver malware to visitors’ devices, often utilizing sophisticated techniques like exploiting vulnerabilities in outdated software​.
  • Cryptojacking: The unauthorized use of a victim’s computer processing power to mine cryptocurrency. Cryptojacking surged by 43% globally in 2023-2024, particularly affecting industries like retail and finance, which saw increases of 2810% and 352%, respectively. This technique allows attackers to mine cryptocurrency without the user’s knowledge by hijacking their computing resources.

How to avoid hijacked or fake websites

Before clicking on a link, hover your cursor over the URL to view the actual URL. Look carefully at each character. Letters could be disguised as numbers, for example, 1 and l or 0 and O.

Additional text in the domain could be a sign of a bad URL. For example, none of the domains below would lead you to the authentic fionta.com site. Instead, they could lead you to a cybercriminal’s site:

  • fiona.com
  • info.net.fionta.com
  • info-fionta.com
  • fionta.info.com
  • fionta.com.co

Use a search engine to find and visit the accurate site to be safe.
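The two URL checks above (digit-for-letter swaps such as 1 for l and 0 for O, and extra labels around the real domain name), as an added example that is not the article's own code. It assumes an allowlist of the exact hostnames that really belong to the organization (fionta.com and www.fionta.com, the domain the article uses) and treats everything else that resembles the name as a lookalike; the digit-swapped host fi0nta.com is a constructed sample.

```python
from urllib.parse import urlsplit

# Assumed allowlist for this example: the exact hostnames that really belong
# to the organization. fionta.com is the domain the article uses.
KNOWN_GOOD_HOSTS = {"fionta.com", "www.fionta.com"}
BRAND = "fionta"  # the name a lookalike tries to imitate

# Digit-for-letter swaps the article warns about (1 for l, 0 for O/o).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typos like fiona.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'authentic', 'lookalike' or 'unknown' for the host a link points to.

    Only an exact allowlist match is authentic. A host that matches after
    undoing digit swaps, contains the brand name with extra labels or
    suffixes, or is one edit away from a real host is a lookalike.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in KNOWN_GOOD_HOSTS:
        return "authentic"
    if host.translate(HOMOGLYPHS) in KNOWN_GOOD_HOSTS:
        return "lookalike"
    if BRAND in host:
        return "lookalike"
    if any(edit_distance(host, good) <= 1 for good in KNOWN_GOOD_HOSTS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # The five hosts from the article, a constructed digit-swap, and the real site.
    for h in ("fiona.com", "info.net.fionta.com", "info-fionta.com",
              "fionta.info.com", "fionta.com.co", "fi0nta.com", "fionta.com"):
        print(f"{h:22} -> {classify_link('https://' + h + '/login')}")
```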

Immediately leave any web page advising you to download browser, security, Java, Adobe, or other software updates. If you need to update software, go to the provider’s website. Better yet, change your browser and software settings to automatic updates. Software updates are critical because they contain security patches.

Be careful with pop-up boxes, especially ones advising you to update or install software. Don’t click or use the links in pop-up boxes. Don’t provide information. Close the page.

Never download free tools unless your IT department or consultant has approved their use. Many free tools come with unexpected extras.

Although necessary, security software has limits because most data breaches come through the leaky human firewall. A subscription to a simulated phishing email service is a cost-effective way to train staff, especially considering a data breach’s tangible and intangible costs. Ask the service if they have a nonprofit discount.

Regular security awareness training is the best practice. Share helpful articles like this one and stories about data breaches with colleagues. Discuss how the breach occurred and how your organization can prevent the same thing from happening to you.