We Really Need to Talk About the Scams Targeting Nonprofits

There’s an increasing number of scams focused on nonprofits. It’s up to you to educate yourself, your nonprofit, and your staff — and not fall victim.

Most insurers, including NIA, simply cannot cover scams involving money that was voluntarily handed over. Here are five major types of these scams, and some things any nonprofit can do to reduce its chances of falling for them.

[Illustration: emails, documents, IDs, and credit cards hooked on fishing lines]

“Folks keep falling for this…”

For the past several months, NIA has seen an increase in claims from nonprofits that have fallen victim to various scams and phishing schemes perpetrated via email, text message, and phone calls.

On the claims side, NIA is different from most insurers because we look for ways to cover legitimate claims for nonprofits, instead of ways to deny them. But in a situation where a nonprofit staff member has voluntarily given money or assets to another party, most insurers, including NIA, simply cannot cover it. So, when NIA Chief Claims Officer David Gibson signs off on a denial letter to be sent to a nonprofit that has fallen victim to a phishing scam, he’s not happy about it.

“Folks keep falling for this,” said Gibson. “It seems to happen way more than it ever should.”

While NIA has written about phishing scams before, Gibson wanted to continue to educate nonprofits about this topic, and he’s the one that requested this article.

While I’m not an expert on cybersecurity by any means, most people that get sent these scams aren’t experts either. In preparation for this article, I’ve examined many of the claims involving NIA members that fell victim to some sort of phishing scam, which have provided some concrete examples of what went wrong, and what could have helped avoid them.

I share Gibson’s frustration: These are good people, trying to do good things for their communities. The money they lost falling victim to these scams was donated to their nonprofit and could have been used to further their missions.

At first, it seems counterintuitive that scammers would put forth any effort on even the smallest of nonprofits, instead of what I imagined as larger, more lucrative targets in the private sector.

But that distinction is a misunderstanding: It’s likely the scammers are targeting nonprofit organizations precisely because the people at these organizations have empathy and compassion for others. They’re counting on that and preying upon it.

Whatever Works: Emails, Texts, Phone Calls, Faxes

Don’t assume these scams are all about email.

“Lately, a lot of phishing has been done via text messaging,” says Jean-Francois Roy, NIA’s Chief Information Officer and Chief Information Security Officer. “Texts are cheap, and arguably easier to perpetrate. Everyone has a phone on them during the day, so it’s really a scammer’s ideal target.”

“For us, it really has to do with the larger topic of social engineering,” said Fred Rodriguez, NIA’s Senior System Administrator, who has worked for many years to help train NIA staff to stay vigilant and detect email scams. “The people that do this will use any combination of communication types to try to pull off their scam. Whatever works.”

Five Common Types of Scams Focused on Nonprofits

There’s an entire niche of scams that focus specifically on nonprofits, but the most common types are like those you see in any other sector. Where they vary is in the details.

Let’s review five common types, by way of specific example, where possible.

1. Phishing scams

Phishing scams involve emails or text messages that appear to be from partners, lawyers, banks, contractors, common software vendors, or other nonprofit organizations. These messages arrive directly by email or text message, or, quite commonly, through your own website’s contact form.

This year, NIA received a number of variants of a copyright infringement scam. One memorable example at first glance appeared to be from lawyers representing Costco, with an email claiming that NIA was using images from the Kirkland website.

Their hook used some standard techniques: The scammers were employing the fear of a lawsuit to create urgency (you must respond within 10 days). But what made this scam notable was its detail, particularly its use of well-known corporate brands.

There was also relative professionalism in the email’s presentation. There were no direct threats aside from legal action.

However, there were signs that this email was a phishing attempt:

  • First, the accusation fell dead on arrival because NIA only uses images it has rights or licenses for, and keeps records of them.
  • The message contained several grammatical errors.
  • Finally, the message encouraged the reader to click on a link that purported to offer “evidence” that would allow the reader to “see for yourself.” Upon closer inspection, the link was disguised to appear to use a “.org” domain, but actually led to a known Russian scammer site with a “.ru” domain.

Another phishing example NIA received this year was an invoice — received by fax! Similar invoices are sent on an almost daily basis via email, and most are caught by email spam filters.

NIA has internal controls in place to prevent paying these fraudulent invoices. No single person can approve and pay an invoice. Even the process of becoming a contractor for NIA requires review and approval by multiple departments. No invoices are even considered unless they are expected and from approved vendors. We recommend that nonprofits consider similar internal controls.

What’s important here is that standard phishing attempts are nonspecific messages that come from strangers. There’s a far more personal and specific phishing technique that seems to be more successful when duping nonprofits.

2. Spear phishing scams

Spear phishing is a specific type of phishing where scammers attempt to impersonate someone of influence at your nonprofit — often the executive director or a board member. Their communications most often look legitimate and can contain accurate details, including matching email formatting, footers, and more.

One NIA member fell victim to this scam after receiving an email from someone posing as the executive director of the nonprofit, with instructions to buy a few hundred dollars’ worth of gift cards and send pictures of the redemption codes on them.

Gene Levitre, a Claims Manager at NIA, has seen many of the same types of claims.

“The people sending these emails might already be in your systems,” he said. “They could already be reading your emails. In that case, they know when the ED is going to be out of town and on vacation, and that’s when they are going to send a phishing message like this.”

Another claim involved a scammer that impersonated a nonprofit employee and convinced the nonprofit to change the employee’s payment method to wire transfer. The funds were irrecoverable.

In yet another case, an NIA member fell victim to an email purporting to be from a member of their payroll firm, where the scammer successfully convinced the nonprofit to move from paper checks to ACH (bank payments), losing nearly $9,500 in the process. (For a detailed breakdown of this claim, see From the Claims File: Phishing Scams.)

From a risk management perspective, none of the nonprofits above had instituted policies requiring multiple levels of approval to release funds. This process is discussed at the end of this article, along with other things nonprofits can do to reduce their exposure to these scams.

NIA companies are themselves nonprofits, and in the past few years, we’ve seen numerous emails impersonating NIA CEO Pamela Davis. These emails are sometimes sent to employees at NIA.

“Fake Pamela” is usually in an urgent predicament: She often needs money sent to her right now, or she requires a password. Sometimes she asks for the employee to contact her via her personal email or new mobile phone number — which is, of course, entirely illegitimate.

NIA’s internal risk management processes include regular education, where employees are trained to reach out to staff directly when in doubt about the legitimacy of emails.

Another scam has involved phishing messages from people posing as NIA staff, who send official-looking messages to various parties we work with to demand immediate payment for something.

These messages either want payment details sent over email, or through a link to a fake website. The urgency should be immediately suspect, and those that work with NIA know this is not how we operate.

To be clear: NIA will never ask you to provide payment details directly via email, over the phone, by text message, or any other form of communication. If in doubt, just Google “nonprofits insurance alliance,” and you’ll find the official NIA website, which is full of official phone numbers, mail addresses, and payment methods.

“People should just pick up the phone and confirm it,” said Levitre. “’Hey, did you send me this invoice? Did you tell me to do this?’”

3. Malware scams

Malware scams involve a malicious link or attachment that aims to install harmful software on your computer and systems, with the intent of stealing information or funds.

These programs can also paralyze your systems, holding them hostage in exchange for a ransom. In other words, they’ll purportedly release the chokehold on your systems — if you pay the ransom.

While NIA utilizes spam-filtering software, which eliminates many of these emails, they do occasionally still get through. NIA has invested in regular training, required for all staff, to recognize messages like this – and report them.

All nonprofits can further reduce their exposure to the effects of malware by keeping software and firmware up to date, using reputable antivirus software and firewalls, and by employing cybersecurity services or firms whenever possible.

4. Check scams

Check scams involve scammers that send fake checks and then request a refund of the overpaid amount before the check bounces.

This is rarely something NIA sees, but it potentially affects all of our members. This scam is well explained in this post at Charitable Advisors, in which they provide the following advice to avoid falling victim to the scam:

  • Verify Donors: Before accepting large donations, especially from new or unknown donors, verify their identity and the legitimacy of the donation. Contact the donor directly using official channels, not through the contact information provided in suspicious emails or letters.
  • Wait for Clearance: Do not refund any part of a donation until the check has fully cleared. Bank processing times can vary, and it’s essential to wait until the funds are confirmed as available in your account.
  • Educate Your Team: Ensure that all staff and volunteers are aware of this scam and understand the importance of verifying checks and donations. Providing regular training on recognizing potential fraud can help protect your organization.
  • Consult with Your Bank: Work closely with your bank to identify and mitigate risks. They can offer guidance on how to verify checks and may provide tools to help you spot fraudulent transactions.

5. Fake donation scams

Fake donation scams involve scammers impersonating your nonprofit and emailing or texting out fake donation requests that they collect for themselves.

On the consumer side, the FTC and the IRS advise potential donors to take their time, research whether the charity is real, ask for information by mail, and avoid any purported organization that asks for donations by cash, gift card, crypto, or wire transfer.

Websites like Guidestar and Charity Navigator provide searchable databases of charities.

What can nonprofits do to help verify their own authenticity? Aside from sharing the above information if you can, you’re probably already doing a lot of the right things: Update your website with current financials and annual reports. Provide clear and current contact information on your website. Charity Navigator also produces ratings that can function as an accreditation.

Some things you can do to help protect your nonprofit:

  • Put in a system of controls at your nonprofit. No one person should be able to approve and pay an invoice. Invoices should require the approval of numerous individuals, and invoices should only be paid to a list of approved vendors.
  • Beware of pressure, urgency, and fear. These are probably the most common tools that manipulators use to get you to do something you really don’t want to do.
  • Verify that the email or text is legitimate by contacting the company through their official website. Again, don’t click on links in an email to get to it. Go to the website directly in your web browser, or Google it. You can also pick up the phone and call the person or company, using a number from the official website, and not a phone number provided in the email or text.
  • If you do click on a suspect link, don’t pretend it didn’t happen. If you have an IT team or person, tell them. If you don’t, run a malware check on your computer.
  • Train all employees and volunteers with access to your systems on how to spot these scams.
    • Look into online security training services and consider making it mandatory for all employees to not only pass the initial training — but to stay current in their training every year.
    • Kimberly Spilker, NIA’s Director of Risk Management Services, notes: “Nonprofit staff are the first line of defense, so it is important they are trained and reminded on recognizing scams and empowered to always scrutinize or ask questions.”

To identify potentially malicious emails, Rodriguez recommends the “SLAM” method:

  • Sender: Check the sender closely. Look for misspelled domains, or a completely different email address than the name of the sender. Ultimately, if you don’t recognize the sender, proceed cautiously and don’t open attachments.
  • Links: Hover over (but don’t click) any links, and avoid clicking on any links that you don’t recognize.
  • Attachments: Don’t open attachments from anyone that you don’t know, and be suspicious of attachments from people that you do know but weren’t expecting.
  • Message: Check the subject line and body for suspicious language, misspelled words, and bad grammar.
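The SLAM checks above, and the disguised “.org” link in the copyright scam described earlier, can be applied mechanically to a message before a person ever has to hover over anything. The following Python script is an added example written for this article; it is not NIA’s own tooling, and the organization name, the domains, the urgency phrases and the sample email are all constructed placeholders. It parses a raw MIME message and reports a finding for each SLAM point that trips: a display name that borrows a known organization’s name but comes from an unrelated domain, a link whose visible text names one host while its href points to another, an attachment with a risky file type, and urgency language in the body.

```python
"""SLAM-style triage of one email: Sender, Links, Attachments, Message.

Added example (not NIA's tooling). Runs offline on a constructed sample
message and returns a list of findings. Organization names, domains and
phrases below are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: a display name scammers might borrow, mapped to the domains that
# legitimately send mail for it (constructed for this example).
KNOWN_SENDERS = {"example nonprofit": {"example-nonprofit.org"}}

# Assumed: phrases that signal the pressure/urgency the article warns about.
URGENCY_PATTERNS = [r"\bwithin \d+ days?\b", r"\bimmediately\b",
                    r"\burgent\b", r"\bright now\b"]

# Assumed: attachment types nobody should be sending a nonprofit unasked.
RISKY_ATTACHMENT_EXT = {".exe", ".js", ".scr", ".vbs", ".bat", ".iso", ".lnk"}


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain (no scheme, port or path)."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def _looks_like_domain(text):
    """True when link text itself reads as a URL or domain name."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?",
                        text.strip(), re.I) is not None


def check_sender(msg):
    """S: display name borrows a known org's name but the domain is foreign."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return [f"Sender: display name '{name}' but domain '{domain}' is not a "
            f"known {org} domain"
            for org, domains in KNOWN_SENDERS.items()
            if org in name.lower() and domain not in domains]


def check_links(html):
    """L: visible link text names one host, the href points to another."""
    parser = _LinkCollector()
    parser.feed(html)
    return [f"Link: text shows '{_host(text)}' but points to '{_host(href)}'"
            for text, href in parser.links
            if _looks_like_domain(text) and _host(text) != _host(href)]


def check_attachments(msg):
    """A: attachment with a risky file type."""
    return [f"Attachment: '{fn}' has a risky file type"
            for part in msg.walk()
            for fn in [part.get_filename()]
            if fn and any(fn.lower().endswith(e) for e in RISKY_ATTACHMENT_EXT)]


def check_message(text):
    """M: urgency language in subject/body."""
    return [f"Message: urgency language matched /{pat}/"
            for pat in URGENCY_PATTERNS if re.search(pat, text, re.I)]


def slam_triage(raw_message):
    """Run all four SLAM checks over a raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    html, plain = "", ""
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None or part.get_filename():   # skip containers/attachments
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += body
        elif part.get_content_type() == "text/plain":
            plain += body
    text = msg.get("Subject", "") + " " + plain + " " + re.sub(r"<[^>]+>", " ", html)
    return (check_sender(msg) + check_links(html)
            + check_attachments(msg) + check_message(text))


# Constructed sample modelled on the copyright-notice scam in the article:
# the link text claims the nonprofit's own .org site, the href goes elsewhere.
SAMPLE_EMAIL = """\
From: "Example Nonprofit Legal" <legal@example-nonprofit-notices.net>
To: staff@example-nonprofit.org
Subject: Copyright infringement notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>You must respond within 10 days. See the evidence for yourself:
<a href="http://evidence.example.net/case">https://example-nonprofit.org/evidence</a></p>
--b1
Content-Type: application/octet-stream; name="evidence.zip.exe"
Content-Disposition: attachment; filename="evidence.zip.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

if __name__ == "__main__":
    for finding in slam_triage(SAMPLE_EMAIL):
        print(finding)
```

Run against the sample, the script reports one finding per SLAM letter. Two design choices worth noting: the link check only fires when the visible text itself looks like a domain, because a mismatch between “click here” and any href is normal and would drown real alerts, so plain-English link text still needs the human “hover, don’t click” step; and the sender check matches on the display name rather than the address, since that is the part the reader actually sees in a mail client.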

Final thoughts

There is no surefire way to eliminate your nonprofit’s exposure to these scams, but there’s a lot you can do to greatly reduce the risk of falling victim to them.

Don’t assume that the scam messages you receive are directly from scammers themselves. As it turns out, many involved in cyber scamming are victims of human trafficking.

Who knows? The blatant spelling and grammar errors might have been left in these messages on purpose, to help you determine that they are indeed scams.