RiskBits: Scammers Hope to Hook You with Phishing — Don’t Take the Bait

Cyberattacks are on the rise, and nonprofits aren’t immune.

Prepare to shield your nonprofit from a cyber event more than 2,000 times today — because that’s how often hackers attack.

According to a study by the University of Maryland, a hacker tries to gain access to sensitive information every 39 seconds. Phishing is one of the most common types of attack: it’s easy for a hacker to carry out, and the consequences for the victim can be severe.

What is Phishing?

If you’re new to cyber lingo, “phishing” refers to the practice of posing as a trusted source, typically in a fraudulent email, in order to induce individuals to reveal personal information such as passwords and credit card numbers. This is just one of the many ways hackers try to get access to your information.

Hackers find the weakest link (spoiler alert — this is a person in your nonprofit) to gain access to sensitive information and infiltrate your organization. Being unaware or inattentive to something “phishy” can have costly consequences.

Cyberattacks Can Happen to Anyone

Take, for instance, the case of one nonprofit that recently fell victim to a phishing attack that was simple, yet sophisticated enough to threaten an employee’s livelihood and the entire nonprofit’s systems on multiple fronts.

A nonprofit’s employee received an email. It came from what seemed to be a trusted source, and everything appeared legitimate.

The email asked the employee for their username and password, and since the sender appeared to be a trusted source, they shared that information.

What the employee didn’t know, however, was that the trusted email account had been hacked and was actively sending out phishing emails.

Using the employee’s information, the hacker wasted no time creating havoc — gaining access to the employee’s email system, setting up private folders, changing preferences to hide password reset requests for various sites, and accessing the employee’s online banking and payroll information.
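The concealment step in that story (changing mailbox preferences so password-reset mail never reaches the owner) is something an IT team can look for. The following is an added example, not part of the original post or any NIA material: it audits a constructed, provider-neutral list of mailbox rules and flags those that hide password-reset or payroll mail, mark it as read, forward it outside the organization, or carry a blank name. The rule format, folder names and sample rules are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Subject/body keywords an intruder would want kept out of the owner's sight.
SENSITIVE = re.compile(
    r"\b(password|reset|verif(y|ication)|payroll|direct deposit|security alert)\b", re.I)
# Folders commonly used as hiding places because nobody looks in them (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

@dataclass
class MailRule:
    """Constructed, provider-neutral view of a mailbox rule (an assumption)."""
    name: str
    conditions: dict = field(default_factory=dict)  # subject_contains / body_contains: [str]
    actions: dict = field(default_factory=dict)     # move_to: str, delete/mark_read: bool, forward_to: [str]

def rule_findings(rule: MailRule, org_domain: str) -> list[str]:
    """Return the reasons a rule looks like post-compromise concealment."""
    findings = []
    text = " ".join(rule.conditions.get("subject_contains", [])
                    + rule.conditions.get("body_contains", []))
    hides = bool(rule.actions.get("delete")) or \
        rule.actions.get("move_to", "").lower() in HIDING_FOLDERS
    if hides and SENSITIVE.search(text):
        findings.append("hides password-reset or payroll mail")
    if hides and rule.actions.get("mark_read"):
        findings.append("marks the hidden mail as read")
    for addr in rule.actions.get("forward_to", []):
        if not addr.lower().endswith("@" + org_domain.lower()):
            findings.append(f"forwards to external address {addr}")
    if not rule.name.strip(".,; "):   # attackers often name rules "." or leave them blank
        findings.append("blank or punctuation-only rule name")
    return findings

def audit_rules(rules: list[MailRule], org_domain: str) -> dict[str, list[str]]:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := rule_findings(r, org_domain))}

# Constructed sample rules: one benign, two resembling the incident above.
SAMPLE_RULES = [
    MailRule("Newsletters", {"from_contains": ["news@"]}, {"move_to": "Newsletters"}),
    MailRule(".", {"subject_contains": ["password reset", "payroll"]},
             {"move_to": "RSS Feeds", "mark_read": True}),
    MailRule("Backup", {"body_contains": ["direct deposit"]},
             {"delete": True, "forward_to": ["attacker@example.net"]}),
]
if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, "example.org").items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```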

You can imagine how fear set in when the employee realized their paycheck was not deposited to their account. Thankfully, the employee immediately alerted their IT team, who quickly jumped in to investigate and help prevent further attack.

Luck was also on the side of the employee — this time — in getting the payroll deposit reversed and returned to the employee’s account before it was lost. That outcome is unlikely in most situations.

A Compromised Network is a Major Problem

The potential consequences of a phishing attack don’t usually stop with one individual. Others include, but are not limited to:

  • Disruption to operations
  • Costs to release your files from ransomware (being held hostage)
  • Fees for IT forensic specialists
  • Credit monitoring expenses
  • Frozen accounts and loss of money
  • Negative reputation and loss of trust from funders and community members
  • Damage to or loss of assets and business-critical information

Protect Your People and Property from Cyberthreats

It’s your turn — prioritize cyber safety for your nonprofit and system users and talk to your broker about a cyber policy.

Be sure to also ask about NIA’s NONPROFITS OWN® enhancement endorsement to your general commercial liability policy, which may cover some expenses due to a cyber event.

Your people are your first line of defense — and the more prepared they are, the more effective they can be against cyberthreats.

Be Vigilant and Aware with Every Email

  • Do not click links or download attached files
  • Verify requests by email and phone
  • Have an IT professional verify the safety of a suspicious message before you act on it

Practice Safe Cyber Hygiene

  • Do not use the password(s) you use for work for any other site
  • Use complex passwords and multi-factor authentication
  • Report any suspicious emails or texts you receive, even if they might be legitimate
  • Never give your username, password, or any other credentials to any source, even if the person asking for it is someone you connect with regularly

Create a Culture of Safety

  • Provide routine training and education to all users of your nonprofit’s systems on how to identify and report scams
  • Promote a culture to encourage reporting anything suspicious
  • Only provide email accounts and other technology and system access to employees (you can monitor and control their activity, which allows you to respond to potential and actual threats)
  • Frequently remind users to never give their credentials to any source, even a reliable one
  • Send reminders routinely on cybersecurity and safe practices
  • Train your organization to never ask for login credentials — or provide them if someone asks
  • Limit access to employees only — you have less control and ability to check the activity of volunteers

Talk to NIA about Risk Management Services

Your NIA membership includes access to multiple resources to help you manage risks.