Cybersecurity for nonprofits on a budget | XP

Nonprofits are prime targets for cyberattacks – 3 ways to stay cybersafe on a budget

Last updated: 2 June 2025



Cyberattacks against nonprofits are on the rise. Many organisations lack the time or resources to prevent breaches. Before we jump into solutions, let’s explore some common attacks nonprofits face in 2025.

Common nonprofit cyberattacks

The ‘CEO’ message trap

Imagine this: Lucy, your fundraising manager, receives a message from ‘CEO’ Mark urgently asking her to update her account details right before payday. In a rush, she clicks the link and enters her information, only to later learn it was a hacker. The result? A $2000 loss before she even realises.

The ‘HR’ email

Later, Mark, the CEO, is clearing his inbox late in the evening. He opens an email from ‘HR’ titled “Photos from last week’s team building”. Excited, he clicks the link, and unknowingly downloads malware that compromises the entire nonprofit.

These stories might sound made up, but they're adaptations of real cyberattacks we've seen. So why are nonprofits such tempting targets?

 

Why nonprofits are targeted for cyberattacks

Nonprofits often have smaller budgets and fewer resources, making them easier targets. Here’s the reality:

  • 1 in 4 nonprofits have been hacked
  • 68% have no incident response plan
  • 60% of small organisations hit by cyberattacks close within six months

The good news? 76% of breaches involve human error, which means the solution is within reach. With the right steps, nonprofits can protect themselves without overspending.

 

3 Ways to keep your nonprofit safe from cyberattacks

 

1. Password protection

Strong passwords are the first line of defence. Weak or reused passwords, especially those stored in browsers, are a major vulnerability.

Steps to improve password security:

  • Ensure passwords are encrypted and not saved in browsers
  • Use apps like 1Password to generate and store strong passwords
  • Enable multi-factor authentication (MFA)
  • Regularly update passwords and remove old accounts

Budget-friendly tips:
Nonprofits can access free or discounted versions of password managers like Dashlane or 1Password.

Important: never share a single account; this defeats the purpose.

 

2. System security

Think of your system as your office building—doors and windows need locks. Strong security measures prevent breaches.

Steps to secure your system:

  • Conduct a cybersecurity audit to identify vulnerabilities
  • Keep firewalls and antivirus software up to date
  • Use Microsoft Secure Score to assess and improve security

 

“Microsoft Secure Score is a measurement of an organisation's security posture. A higher score indicates more recommended actions taken. Access it via the Microsoft Defender portal at https://security.microsoft.com/securescore.”

 

Budget-friendly tips:
Free tools like Microsoft Defender for Cloud provide foundational protection without extra cost.

 

3. Staff training

With most breaches caused by human error, training your team is critical. Employees should confidently identify suspicious activity and avoid risky behaviour.

Training essentials:

  • Recognise suspicious sender names and email addresses
  • Watch for spelling errors or odd phrasing
  • Be cautious of urgent requests demanding immediate action
  • Know how to report potential threats
  • Use simulated phishing attacks to reinforce learning

Budget-friendly tips:
Free or low-cost online training is available for nonprofits. Short 30-minute sessions keep staff informed without disrupting operations, and phishing simulations offer a high return on low investment.

 

Key takeaway: 

Cyberattacks on nonprofits often succeed because of human error. The good thing? Protecting your organisation doesn’t have to break the budget. Strong passwords, updated security systems, and basic staff training can go a long way. Small steps = big protection.

 

About Xtreme Productivity

At Xtreme Productivity, we help nonprofits make the most of technology, including keeping your organisation safe from cyberattacks.
