Not-for-profit organizations (NFPs) face growing risks from fraud and cybercrime—like check fraud, ransomware, and data theft—and the financial and operational consequences of these crimes. In 2023, cybercrimes cost organizations $12.5 billion, and the numbers continue to rise.Disclosure 1 For an institution managing limited resources, a fraud event or cyberattack represents a major setback in carrying out its mission.

Unique vulnerabilities of nonprofits

Unfortunately, NFP organizations make especially vulnerable targets due to their tight budgets and limited IT resources. Nonprofits typically have limited resources to direct toward risk-reduction strategies, like internal controls, security policies, and rigorous oversight.

Reliance on volunteers creates additional vulnerability to fraud and cybercrime. It’s often easier for bad actors to manipulate untrained volunteers.

But NFPs aren’t just easy targets—they’re valuable ones. With the data they typically collect and store, nonprofits make rich hunting grounds for criminals seeking opportunities for fraud or accessing a trove of financial and personal information to exploit or sell.

Given the high stakes, it’s crucial for nonprofit leaders to understand the threat landscape for fraud and cyberattacks and learn effective strategies to mitigate the rising risks.

Ransomware attack on Minneapolis Public Schools (MPS) Disclosure 2

  • A February 2023 cyber-attack resulted in MPS systems being encrypted and more than 300,000 files being posted on the dark web.
  • The ransomware group Medusa claimed responsibility for the attack and demanded a $1 million ransom payment to decrypt the MPS systems.
  • MPS did not pay the ransom, so the ransomware group released data on the web, including Social Security numbers, medical records, and student sexual assault case files. 

Blackbaud data breach Disclosure 3

  • Blackbaud provides cloud software services to nonprofits worldwide.
  • In early 2020, cyber criminals gained access to several Blackbaud databases, stealing names, addresses, login credentials, Social Security numbers, driver’s license numbers, personal health information (PHI), and bank account information.
  • Although Blackbaud paid approximately $250,000 in ransom to the attackers, it’s unclear if the attacker destroyed the data.   
  • The extent of the data breach is still unknown, but it’s estimated that hundreds of organizations and millions of people have been affected.
  • Fallout from the attack includes:
    • Blackbaud agreeing to a $49.5 million settlement with 49 states over allegations of violating state consumer protection laws, breach-notification regulations, and the Health Insurance Portability and Accountability Act (HIPAA). 
    • Blackbaud paying a $3 million fine to the SEC for not being forthright about the extent of the attack.
    • In addition, due to its lax security measures, Blackbaud is abiding by an FTC (Federal Trade Commission) order to delete unnecessary personal data and strengthen its cybersecurity safeguards and practices.  

Cyber-attack on International Committee of the Red Cross (ICRC) Disclosure 4

  • In January 2022, a sophisticated cyber-attack compromised personal data of over 500,000 people, including vulnerable individuals and those separated from their families due to conflict, migration, and disaster.
  • Sensitive information was accessed, potentially endangering the lives and wellbeing of individuals in conflict zones.
  • Following the incident, the ICRC worked closely with cybersecurity experts to enhance their security infrastructure and improve their incident response capabilities.

Common fraud schemes targeting NFPs

Check washing fraud has been around for a long time, but it’s becoming increasingly prevalent.Disclosure 5 Often intercepting incoming or outgoing mail, criminals wash away the payee’s name and sometimes the dollar amount on stolen checks, giving them a signed and dated “blank” check.

As more organizations adopt electronic funds transfers, ACH fraud is growing too. Criminals look to change the ACH payment instructions, redirecting the funds to their own accounts.

NFPs can also fall victim to billing fraud schemes where individuals use non-existent vendors or goods to steal funds. Expense reimbursement fraud is a perennial risk. Nonprofit organizations can sometimes rely more on trust than regimented reimbursement procedures—increasing this risk.

Cybercrime threats to nonprofits

Criminals employ a wide array of cyber threats against nonprofits, the most common being business email compromise (BEC). In a typical BEC attack, cybercriminals impersonate an external vendor or internal senior executive to trick accounting and finance personnel into redirecting payments or providing sensitive data. These attacks can be made directly on an email system or through compromised third-party vendors.

Nonprofit organizations should thoroughly vet third-party providers to ensure they adhere to strong cybersecurity practices.

Phishing represents another prevalent method of attack. Aimed at a broader audience, it typically features a large volume of emails that appear to come from trusted sources. When recipients click on links or download attachments, they may unwittingly install malware on their device or arrive at a fake website that the hackers set up to obtain login credentials.

Ransomware attacks have become routine occurrences in 2024. After infiltrating an organization’s network, cybercriminals lock down critical data or systems and demand a ransom for their release. This violation can create major disruptions to nonprofits and can lead to losing sensitive information and creating risk for the organization and its donors.

Ransomware attacks can precipitate a data breach, which may be the criminals’ primary goal as they penetrate systems specifically to steal donor or beneficiary information. Following a data breach, the consequences can escalate to include reputational damage and potential legal ramifications, in addition to the financial impact and disruption they cause.

Strategies for combatting fraud and cybercrime

Education and training. Education is the most powerful tool to prevent fraud and cybercrime. Unfortunately, it’s a tool that doesn’t always get adequate attention in the nonprofit world. The Association of Certified Fraud Examiners reports that among all types of organizations, NFPs are the least likely to implement fraud awareness training programs—despite the elevated risks they face.Disclosure 6

Leaders should prioritize ongoing training and awareness programs to educate staff and volunteers on fraud schemes and cybersecurity best practices, including how to recognize and respond to red flags, such as:

  • Changes to wire instructions
  • Impersonation of parties involved in transactions
  • Communications—emails, phone calls, or texts—that exhibit potential risk signs and arouse suspicion, including those that:
    • Demand immediate action
    • Ask for sensitive information
    • Occur outside of regular business hours
    • Contain spelling or grammatical errors

Educate your staff about verifying changes to payment instructions before acting on them. Ensure that employees use only authenticated phone numbers and contacts to confirm changes and requests that arrive via email, text, or phone call.

Make fraud awareness and prevention a recurring topic of discussion and foster a culture of vigilance with an emphasis on identifying and reporting suspicious activity.

Strong internal controls. Institute the strongest internal controls possible within your organization’s structure. When feasible, segregate duties for financial transactions so a single individual isn’t responsible for approving, making, and recording payments. Make sure that multiple parties regularly review all financial activities and records.

Replace fraud-prone checks. Choose safer, electronic forms of payment like commercial credit cards, ACH, and Real Time Payments (RTP®) when possible.

Cybersecurity best practices. Many small and mid-sized nonprofits have budget and personnel constraints, but there are several effective risk-reduction strategies you can take—even with limited resources:

  • Update technology systems, devices, and software with the most current security protections—apply all patches and updates as soon as they’re available.
  • Back up data regularly, and store the backup in a secure, off-site location.
  • Allow only authorized individuals to access devices and sensitive data.
  • Use single sign-on (SSO) systems.
  • Require strong passwords and two-factor authentication.
  • Prohibit personal use of the organization’s devices and networks.
  • Seek guidance from IT professionals to identify vulnerabilities.
  • Establish a cyberattack response plan.
  • Invest in cyber insurance.

Develop an incident response plan.

Even with a strong defense, cyberattacks can happen. For quick and effective action, every organization needs to create a response plan before an attack happens.

1. Form a cross-functional incident response team, with both internal and external members, to develop and maintain a comprehensive response plan:

  • Internal team members should include representatives from IT, security, and senior leadership.
  • External members could include a cyber incident response firm, data forensics experts, data privacy legal counsel, and your cyber insurance broker.
  • Public relations professionals should be an integral part of your response team to help plan and execute incident-related, internal, and external communications.

2. Test your incident response plan periodically, under various scenarios. Cyberattack drills provide team members with an opportunity to practice their response steps, identify potential problems, and become familiar with how the response unfolds. This kind of “dry run” can reduce stress levels and improve the speed and performance of implementing your plan when an incident occurs. Responding on the fly often results in higher incident costs, excessive legal liability, and added reputational harm.

3. Revisit and update your plan regularly to reflect emerging, real-world threats and evolving best practices, as well as any changes in the organization. Be sure to replace team members who can no longer serve.

4. Make your plan available offline. A cyberattack may lock you out of your systems. 

Learn how to safeguard your enterprise.

Talk to your Truist relationship manager about the risks that fraud and cybercrime pose. Our NFP specialists are here to offer insight and support to help you stay protected and secure, so you can stay focused on pursuing your mission.

Purple PaperSM

Digital Transformation

Learn how you can put advanced technology to work for your business.

Related resources

    {0}
    {6}
    {7}
    {8}
    {9}
    {12}
    {10}
    {11}

    {3}

    {1}
    {2}
    {7}
    {8}
    {9}
    {10}
    {11}
    {14}
    {12}
    {13}

    Stay informed and get connected

    Looking for fresh thinking and new insights to help uncover opportunities for your business needs?

    Connect with a Relationship Manager

    Work with a partner who sees your vision and has the resources to help you achieve it. We’re ready to focus on the specific needs of your company—and where you are in your business lifecycle.

    *This form is for prospects. Truist clients should contact their relationship manager with inquiries related to commercial products and services.

    Helpful links



    Sign up for monthly articles on Business Insights

    Sign up to receive our business insights, thought leadership, and client success stories that can help inspire your next bold business move.

    Please enter a first name
    Please enter a last name
    Please enter a valid email address
    Please enter a company name
    I'm also interested in: Please select a campaign option