Inside 5 Global BEC Scams Targeting Manufacturing Supply Chains
Manufacturers are top targets for BEC scams. See 6 real cases that expose how attackers steal millions—and what finance teams must do to stay protected.
Nonprofit leaders work with tight budgets and limited resources on a regular basis; as they pour love, sweat, and tears into their causes, making decisions about which costs to prioritize can be incredibly difficult. Many decide to forego extra marketing costs or cut back on office costs when possible, but one cost that should never be deprioritized is cybersecurity—especially when 1 in 3 nonprofits are targeted by cybercriminals every year, and only 20% have a cybersecurity policy in place.
Securing cybersecurity insurance can be pricey, and setting up internal IT infrastructures to safeguard against attacks adds up quickly, but it’s always a worthwhile investment. Hackers will target nonprofits because they are aware of the budget constraints at play, often assuming that these organizations will have relaxed security measures, making them an easy target. Other times, fraudsters maliciously target nonprofits with causes that they don’t agree with.
If you run a nonprofit, fighting for your cause means protecting your organization from cyberattacks. If a cyberattack is successful, it pulls funding and resources away from the nonprofit’s focus, and sometimes, can even result in organizational ruin. There are plenty of examples to showcase the need for robust cybersecurity strategies in the nonprofit space—let’s take a look at a few:
As a nonprofit, Spectrum is committed to supporting and protecting the LGBTQIA+ community. One day, the leadership team received a notice from a scammer posing as an elderly community member whose wife had just passed away. The scammer told the nonprofit that it was her wife’s beneficiary and would be receiving $25,000 from the estate.
However, when the banknote was sent, the amount was listed as $65,000 instead. This, along with a very unofficial-looking letter from the woman’s “insurance company,” raised red flags and the team did not deposit the funds. If they had, they would have been forced to return the extra $40,000 to the sender, losing funds and falling victim to this sneaky attack.
This Philadelphia-based nonprofit is the region’s largest hunger relief organization. While building a new community kitchen, the organization received what looked to be an invoice from a construction supply company. As it turned out, the invoice had been sent from a spoofed email account. Philabundance paid the invoice and lost $923,533.
This classic business email compromise (BEC) scam turned out to be extra detrimental when the nonprofit had to figure out how to come up with another nearly $1 million to pay the legitimate supplier’s invoice down the line. Now more than ever, nonprofits should be investing in employee cybersecurity training, secure payment portals, and additional layers of security to mitigate payment fraud.
In a scheme very similar to the one above, a hacker was able to gain access to the email account of an employee at the Save the Children Federation. From that person’s email, they sent fabricated invoices and documents orchestrating a large payment for health center solar panels in Pakistan.
Since the nonprofit did in fact do a lot of work in Pakistan, no one suspected foul play. Close to $1 million was sent as a result of this attack. Thankfully, because of cybersecurity insurance, all the funds were recovered except $112,000. Shortly after, another attack was thwarted due to the better training and protections that were in place following the first attempt.
After setting up a fake – but convincing – website and a fraudulent email address, bad actors convinced the Red Kite Community Housing team that suppliers were following up on a previous conversation and looking for payment. Unfortunately, the £932,000 sent was money that tenants themselves had paid into the community.
Once the scam was discovered, Red Kite figured out a solution to compensate the tenants for the financial hit and began working with authorities to track down the suspects. Now, the team is focused on bolstering cybersecurity protections and preventing human error from exposing them to a liability like this one in the future.
Planning to send a loan of $650,000 to an affordable housing project, One Treasure Island, a San Francisco-based nonprofit, lost the funds to a cyberattack. The hackers posed as a third-party bookkeeping service, switched around wire information, and sent a fraudulent payment request via email. Since it looked legitimate, One Treasure Island made the payment.
In due time, the scam came to light, but by that time, it was too late to recover the funds. Even more frustrating, law enforcement’s hands were tied, leaving a huge gap in funding for affordable housing in California. Not only did One Treasure Island suffer a massive financial and reputational hit, but the third-party bookkeeping vendor was also negatively impacted.
This multi-year, multi-million-dollar scam shows just how far-reaching BEC scams can be. A Florida man worked with a team of 6 hackers to conduct international bank fraud and money laundering schemes against a publicly traded healthcare company, a major sports organization, a large international nonprofit, and many other businesses.
The scammers created thousands of fake businesses and set up bank accounts in the Dominican Republic to receive the fraudulent funds. When money was received, it was quickly wired to China to stop businesses from getting their money back. By the time this scheme was discovered, it led to $60 million in losses.
In cases like this one, the threat comes from inside the organization. An IT professional at United Way sent payments from the nonprofit to an IT vendor. However, he failed to mention that he owned the external IT company and was sending fraudulent payments for “services” provided.
Over a 5-year period, the employee stole $6.7 million from his employer before being caught in the act. Even with plenty of evidence and a 2019 conviction for wire fraud and money laundering, the conviction was later thrown out by a judge.
Just because your organization is fighting the good fight and doing work that makes a difference, it doesn’t make it immune from payment fraud or related attacks. These types of attacks can come from anywhere; they’re specifically designed to catch nonprofits off-guard.
Fraudsters exploit weak vendor verification processes to take advantage of nonprofits on a daily basis. In order to insulate nonprofit organizations from risk and protect their beneficiaries, nonprofit leaders – especially CFOs – must focus on implementing payment controls, training employees, and improving cybersecurity strategies.
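As an added example (not code from this article or from any vendor's product), here is one way a payment-release check could flag two patterns from the cases above, a lookalike sender domain and changed bank details, before funds move. The vendor master file, field names, and the 0.8 similarity threshold are assumptions, and all values are constructed.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed vendor master file: illustrative values, not taken from any case above.
VENDOR_MASTER = {
    "V-1001": {"name": "Acme Construction Supply",
               "domain": "acmesupply.example",
               "iban": "GB00TEST00000000000001"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    sender: str  # From: address on the invoice email
    iban: str    # account the invoice asks to be paid into

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def review(req, master=VENDOR_MASTER, lookalike=0.8):
    """Return reasons to hold the payment for call-back verification.

    An empty list means the request matches the vendor record. The
    lookalike threshold is an assumed tuning value.
    """
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return ["vendor not in master file"]
    reasons = []
    sender_domain = domain_of(req.sender)
    if sender_domain != vendor["domain"]:
        ratio = SequenceMatcher(None, sender_domain, vendor["domain"]).ratio()
        if ratio >= lookalike:
            # Near-identical domain: typical of a registered spoof domain.
            reasons.append("sender domain is a lookalike of the vendor's domain")
        else:
            reasons.append("sender domain does not match vendor record")
    # Compare bank details after normalising spacing and case.
    if req.iban.replace(" ", "").upper() != vendor["iban"]:
        reasons.append("bank details differ from vendor record")
    return reasons
```

Any non-empty result should route the request to verification through a contact channel already on file, never one supplied in the email itself.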