Not-for-profit organizations (NFPs) face growing risks from fraud and cybercrime—like check fraud, ransomware, and data theft—and the financial and operational consequences of these crimes. In 2023, cybercrimes cost organizations $12.5 billion, and the numbers continue to rise (Disclosure 1). For an institution managing limited resources, a fraud event or cyberattack represents a major setback in carrying out its mission.

Unique vulnerabilities of nonprofits

Unfortunately, NFP organizations make especially vulnerable targets due to their tight budgets and limited IT resources. Nonprofits typically have limited resources to direct toward risk-reduction strategies, like internal controls, security policies, and rigorous oversight.

Reliance on volunteers creates additional vulnerability to fraud and cybercrime. It’s often easier for bad actors to manipulate untrained volunteers.

But NFPs aren’t just easy targets—they’re valuable ones. With the data they typically collect and store, nonprofits make rich hunting grounds for criminals seeking opportunities for fraud or access to a trove of financial and personal information to exploit or sell.

Given the high stakes, it’s crucial for nonprofit leaders to understand the threat landscape for fraud and cyberattacks and learn effective strategies to mitigate the rising risks.

Ransomware attack on Minneapolis Public Schools (MPS) (Disclosure 2)

  • A February 2023 cyber-attack resulted in MPS systems being encrypted and more than 300,000 files being posted on the dark web.
  • The ransomware group Medusa claimed responsibility for the attack and demanded a $1 million ransom payment to decrypt the MPS systems.
  • MPS did not pay the ransom, so the ransomware group released data on the web, including Social Security numbers, medical records, and student sexual assault case files. 

Blackbaud data breach (Disclosure 3)

  • Blackbaud provides cloud software services to nonprofits worldwide.
  • In early 2020, cyber criminals gained access to several Blackbaud databases, stealing names, addresses, login credentials, Social Security numbers, driver’s license numbers, personal health information (PHI), and bank account information.
  • Although Blackbaud paid approximately $250,000 in ransom to the attackers, it’s unclear if the attacker destroyed the data.   
  • The extent of the data breach is still unknown, but it’s estimated that hundreds of organizations and millions of people have been affected.
  • Fallout from the attack includes:
    • Blackbaud agreeing to a $49.5 million settlement with 49 states over allegations of violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA). 
    • Blackbaud paying a $3 million fine to the SEC for not being forthright about the extent of the attack.
    • In addition, due to its lax security measures, Blackbaud is abiding by an FTC (Federal Trade Commission) order to delete unnecessary personal data and strengthen its cybersecurity safeguards and practices.  

Cyber-attack on International Committee of the Red Cross (ICRC) (Disclosure 4)

  • In January 2022, a sophisticated cyber-attack compromised personal data of over 500,000 people, including vulnerable individuals and those separated from their families due to conflict, migration, and disaster.
  • Sensitive information was accessed, potentially endangering the lives and wellbeing of individuals in conflict zones.
  • Following the incident, the ICRC worked closely with cybersecurity experts to enhance their security infrastructure and improve their incident response capabilities.

Common fraud schemes targeting NFPs

Check washing fraud has been around for a long time, but it’s becoming increasingly prevalent (Disclosure 5). Often intercepting incoming or outgoing mail, criminals wash away the payee’s name and sometimes the dollar amount on stolen checks, giving them a signed and dated “blank” check.

As more organizations adopt electronic funds transfers, ACH fraud is growing too. Criminals look to change the ACH payment instructions, redirecting the funds to their own accounts.

NFPs can also fall victim to billing fraud schemes, in which individuals submit invoices for non-existent vendors or goods to steal funds. Expense reimbursement fraud is a perennial risk. Nonprofit organizations can sometimes rely more on trust than on regimented reimbursement procedures—increasing this risk.

Cybercrime threats to nonprofits

Criminals employ a wide array of cyber threats against nonprofits, the most common being business email compromise (BEC). In a typical BEC attack, cybercriminals impersonate an external vendor or internal senior executive to trick accounting and finance personnel into redirecting payments or providing sensitive data. These attacks can be made directly on an email system or through compromised third-party vendors.

Nonprofit organizations should thoroughly vet third-party providers to ensure they adhere to strong cybersecurity practices.

Phishing represents another prevalent method of attack. Aimed at a broader audience, it typically features a large volume of emails that appear to come from trusted sources. When recipients click on links or download attachments, they may unwittingly install malware on their device or arrive at a fake website that the hackers set up to obtain login credentials.

Ransomware attacks have become routine occurrences in 2024. After infiltrating an organization’s network, cybercriminals lock down critical data or systems and demand a ransom for their release. Such an attack can cause major disruption to a nonprofit, lead to the loss of sensitive information, and create risk for the organization and its donors.

Ransomware attacks can precipitate a data breach, which may be the criminals’ primary goal as they penetrate systems specifically to steal donor or beneficiary information. Following a data breach, the consequences can escalate to include reputational damage and potential legal ramifications, in addition to the financial impact and disruption they cause.

Strategies for combatting fraud and cybercrime

Education and training. Education is the most powerful tool to prevent fraud and cybercrime. Unfortunately, it’s a tool that doesn’t always get adequate attention in the nonprofit world. The Association of Certified Fraud Examiners reports that among all types of organizations, NFPs are the least likely to implement fraud awareness training programs—despite the elevated risks they face (Disclosure 6).

Leaders should prioritize ongoing training and awareness programs to educate staff and volunteers on fraud schemes and cybersecurity best practices, including how to recognize and respond to red flags, such as:

  • Changes to wire instructions
  • Impersonation of parties involved in transactions
  • Communications—emails, phone calls, or texts—that exhibit potential risk signs and arouse suspicion, including those that:
    • Demand immediate action
    • Ask for sensitive information
    • Occur outside of regular business hours
    • Contain spelling or grammatical errors

Educate your staff about verifying changes to payment instructions before acting on them. Ensure that employees use only authenticated phone numbers and contacts to confirm changes and requests that arrive via email, text, or phone call.

Make fraud awareness and prevention a recurring topic of discussion and foster a culture of vigilance with an emphasis on identifying and reporting suspicious activity.

Strong internal controls. Institute the strongest internal controls possible within your organization’s structure. When feasible, segregate duties for financial transactions so a single individual isn’t responsible for approving, making, and recording payments. Make sure that multiple parties regularly review all financial activities and records.
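As an added illustration that is not part of the original article, the following Python sketch models the controls described in the red-flag list, the verification paragraph, and the segregation-of-duties guidance above: a payment-instruction change request is screened for red flags, and the change is applied only after a callback to the phone number already on file (never a number supplied in the message) and approval by someone other than the staff member who handled the request. The vendor name, phone numbers, staff names, and message text are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

URGENCY_WORDS = ("immediately", "urgent", "asap", "right away")  # constructed list

@dataclass
class VendorRecord:
    name: str
    phone_on_file: str     # captured at onboarding, never taken from a later email
    bank_account: str

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    body: str              # text of the email or text message asking for the change
    received: datetime
    phone_in_message: str  # number the message asks us to call "to confirm"
    handled_by: str        # staff member who received and entered the request

def red_flags(req: ChangeRequest) -> list[str]:
    """Screen a request against the red flags listed above; a flag means verify, not act."""
    flags = []
    if any(w in req.body.lower() for w in URGENCY_WORDS):
        flags.append("demands immediate action")
    if req.received.weekday() >= 5 or not 9 <= req.received.hour < 17:
        flags.append("received outside regular business hours")
    if req.phone_in_message:
        flags.append("supplies its own callback number")
    return flags

def apply_change(vendor: VendorRecord, req: ChangeRequest,
                 confirmed_via: str, approver: str) -> tuple[bool, str]:
    """Callback must use the number on file; the approver must not be the handler."""
    if confirmed_via != vendor.phone_on_file:
        return False, "callback did not use the phone number on file"
    if approver == req.handled_by:
        return False, "approver must differ from handler (segregation of duties)"
    vendor.bank_account = req.new_account
    return True, "applied after verified callback and independent approval"

def demo() -> tuple[list[str], tuple[bool, str], tuple[bool, str]]:
    """Constructed scenario: a Saturday-night email pushes a new account and its own number."""
    acme = VendorRecord("Acme Supplies", "555-0100", "ACCT-OLD")
    req = ChangeRequest("Acme Supplies", "ACCT-NEW",
                        "Please update our bank details immediately; call 555-0199 to confirm.",
                        datetime(2024, 3, 9, 22, 15), "555-0199", "pat")
    flags = red_flags(req)
    bad = apply_change(acme, req, confirmed_via="555-0199", approver="pat")    # number from the email
    good = apply_change(acme, req, confirmed_via="555-0100", approver="chris")  # number on file
    return flags, bad, good
```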

Replace fraud-prone checks. Choose safer, electronic forms of payment like commercial credit cards, ACH, and Real Time Payments (RTP®) when possible.

Cybersecurity best practices. Many small and mid-sized nonprofits have budget and personnel constraints, but there are several effective risk-reduction strategies you can take—even with limited resources:

  • Update technology systems, devices, and software with the most current security protections—apply all patches and updates as soon as they’re available.
  • Back up data regularly, and store the backup in a secure, off-site location.
  • Allow only authorized individuals to access devices and sensitive data.
  • Use single sign-on (SSO) systems.
  • Require strong passwords and two-factor authentication.
  • Prohibit personal use of the organization’s devices and networks.
  • Seek guidance from IT professionals to identify vulnerabilities.
  • Establish a cyberattack response plan.
  • Invest in cyber insurance.

Develop an incident response plan.

Even with a strong defense, cyberattacks can happen. For quick and effective action, every organization needs to create a response plan before an attack happens.

1. Form a cross-functional incident response team, with both internal and external members, to develop and maintain a comprehensive response plan:

  • Internal team members should include representatives from IT, security, and senior leadership.
  • External members could include a cyber incident response firm, data forensics experts, data privacy legal counsel, and your cyber insurance broker.
  • Public relations professionals should be an integral part of your response team to help plan and execute incident-related, internal, and external communications.

2. Test your incident response plan periodically, under various scenarios. Cyberattack drills provide team members with an opportunity to practice their response steps, identify potential problems, and become familiar with how the response unfolds. This kind of “dry run” can reduce stress levels and improve the speed and performance of implementing your plan when an incident occurs. Responding on the fly often results in higher incident costs, excessive legal liability, and added reputational harm.

3. Revisit and update your plan regularly to reflect emerging, real-world threats and evolving best practices, as well as any changes in the organization. Be sure to replace team members who can no longer serve.

4. Make your plan available offline. A cyberattack may lock you out of your systems. 

Learn how to safeguard your enterprise.

Talk to your Truist relationship manager about the risks that fraud and cybercrime pose. Our NFP specialists are here to offer insight and support to help you stay protected and secure, so you can stay focused on pursuing your mission.
