How to spot phishing emails & other nonprofit cybersecurity threats

Since we’re amidst National Cybersecurity Awareness Month, it’s a good time to discuss nonprofit and association cybersecurity threats. You can’t take security for granted with all the personal data entrusted to your organization’s care. But it’s awfully easy to make a mistake when rushing through your inbox.

Phishing is the leading cause of security breaches. Since 46 percent of US workers have fallen for a phishing attack, these tips for spotting cybersecurity threats will help keep your organization out of trouble—and out of the news.

The most common nonprofit cybersecurity threats

You can better educate and prepare your organization by understanding the different types of cyberattacks. Don’t assume your colleagues are security-savvy. 64 percent of working adults don’t know what ransomware is.

Let’s review the most prevalent nonprofit cybersecurity threats.

Phishing: An attempt to trick you into revealing sensitive information or exposing your computer and network to malware. Cybercriminals send phishing emails that persuade recipients to open an attachment that downloads malware or click on a link to a website hosting malware.

Malware: Software created for malicious purposes, for example, to steal account credentials so hackers can access data, information, or money.

Examples of malware include:

  • Ransomware: A program that holds a computer and network hostage until you pay ransom to unlock the files. (“Ransomware Attacks are Spiking. Is Your Company Prepared?” – Harvard Business Review, May 2021)
  • Keylogger: Program that surreptitiously collects a user’s keystrokes to use that information to access accounts. (“The Fight Against Keylogger Attacks” – Techerati, August 2021)
  • Hijacked site: Hijacked website that downloads malware to website visitors’ computers. (“The Curious Case of the Website Hijack” – SECJuice, Nonprofit Cyber Goodness, February 2021)
  • Cryptojacking: Hijacking a computer’s processing power to mine cryptocurrency surreptitiously. In the first half of this year, cryptojacking accounted for 35 percent of security threats. (“Cryptojacking Now Added to List of Crytocurrency Threats” – ZDNet, June 2021)
  • Email spoofing: Emails created intentionally to impersonate a known sender in the hopes of tricking you into clicking a link or opening an attachment.

How cybercriminals use social engineering

Cybercriminals buy affordable phishing software on the black market to send blast emails, but many of them have become more discriminating. They intentionally choose their victims and use public information to create well-crafted campaigns.

A report from Menlo Security explains why they succeed:

“Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email”

This summer’s “sextortion” phishing scam relied on emotional manipulation strengthened by personal information. The email subject line included the recipient’s old password (purloined from a massive database breach). The sender said they hacked your computer and recorded you visiting an NSFW website. They’d release compromising evidence to your contacts if you didn’t pay up. This phishing email was alarming even if you’d never visited an X-rated site.

How to detect and dodge phishing emails

Listen to your gut. If your spidey sense is tingling, pause and look at the email in question. Or, send it to your IT department to check out. Keep in mind: banks, utility and service providers, website and domain hosts, and social platforms don’t send emails requesting your account information.

A favorite tactic is credential phishing. Cybercriminals try to steal user credentials by tricking you into logging in with your username and password on a bad site, either a site they hijacked or created to mimic the authentic site.

Review the email address, sender, subject line, and text. Look for missing characters, spelling mistakes, incorrect grammar, and awkward syntax. Is the language and style characteristic of the sender? Abrupt and vague language is a giveaway that something’s not right. Is the nature or timing of the email strange?

Don’t take action until you’ve investigated further. Many people have fallen victim to phishing emails that appear to be sent by a colleague or supervisor, usually an executive, board member, or IT or HR staff. The “sender” requests sensitive information like a donor, member roster, money transfer, or payment. Or they ask the recipient to log into an account or reset their password.

Here are the most commonly used phrases in phishing subject lines:

  • Urgency: act now, action required, and quick review.
  • Finance: name of the bank, statement, wire transfer, invoice, payment, remittance, and past due. We’ve received many emails with attached fake, “past due” invoices.
  • IT: verify the account, unauthorized login attempts, and unusual login activity.
  • Action: copy, memo, document, and we need you to do this.
  • Delivery: order, package arrival, receipt, and shipping information. These phishing emails ramp up during the holiday season.

If an email looks phishy, verify its authenticity by:

  • Calling the supposed sender.
  • Creating a new email to contact them. Don’t reply to the suspicious email.
  • Using search to go to the real website. Don’t click on the link in the email, even if it looks legit.

Take this phishing quiz to see how well you can spot a phishing email.

How to spot a spoofed email

Spotting a spoofed email takes more work. The sender’s email address may look correct when you review it, but it could be spoofed.

Here’s how to check. Open the email header. On some email platforms, the header is called “Original.” Look at the “Return-Path” field. The email address should match the one you see in the “From” field. Your email platform may use different terms, so find out how to view headers and verify email addresses on your platform.

How to avoid hijacked or fake websites

Before clicking on a link, hover your cursor over the URL to view the actual URL. Look carefully at each character. Letters could be disguised as numbers, for example, 1 and l or 0 and O.

Additional text in the domain could be a sign of a bad URL. For example, none of the domains below would lead you to the authentic site. Instead, they could lead you to a cybercriminal’s site:


Use a search engine to find and visit the accurate site to be safe.

Immediately leave any web page advising you to download browser, security, Java, Adobe, or other software updates. If you need to update software, go to the provider’s website. Better yet, change your browser and software settings to automatic updates. Software updates are critical because they contain security patches.

Be careful with pop-up boxes, especially the ones advising you to update or install software. Don’t click or use the links in pop-up boxes. Don’t provide information. Close the page.

Never download free tools unless your IT department or consultant has approved their use. Many free tools come with unexpected extras.

Although necessary, security software has limits because most data breaches come through the leaky human firewall. A subscription to a simulated phishing email service is a cost-effective way to train staff, especially considering a data breach’s tangible and intangible costs. Ask the service if they have a nonprofit discount.

Regular security awareness training is the best practice. Share helpful articles like this one and stories about data breaches with colleagues. Discuss how the breach occurred and how your organization can prevent the same thing from happening to you.