Donor relationships are at the heart of a healthy nonprofit. When donors pay your nonprofit, they trust that their sensitive data will be kept secure. Likewise, long-term donors believe their personal details will remain private from prying eyes in your record books.

A data breach can threaten a donor’s identity, personal security, and privacy. It can damage your nonprofit’s reputation, carefully cultivated relationships, and operational capacity. Legal action is also a possibility.

Credit: fauxels via Pexels

Here are a few tips on how nonprofits can protect donor data:

  • Use secure donor management software that features encryption and is PIPEDA compliant and HIPAA compliant.
  • Protect your networks with VPNs and firewalls.
  • Invest in endpoint and antivirus security mechanisms.
  • Consider cloud migration.

In addition to these steps, nonprofits should learn about the methods cybercriminals use to breach a nonprofit’s digital defenses.

1. Phishing Attacks

Phishing attacks are the most common way for cybercriminals to breach a nonprofit’s cybersecurity. These are malicious emails sent en masse to trick people into downloading malicious software or sharing confidential information like a password. Phishing attacks are generally easy to spot because they may carry grammatical errors or other red flags.

2. Spear-phishing Attacks

Spear-phishing attacks are more dangerous than regular phishing attacks. These fake emails are carefully designed to deceive a nonprofit employee. For example, a cybercriminal targeting a charity’s accounting officer may examine their social media accounts to craft a more convincing email. A spear-phishing email may appear to be from a co-worker, contractor, or volunteer.

3. Whaling Attacks

Whaling attacks are spear-phishing attacks that focus on high-level targets like nonprofit CEOs. Attackers may study a nonprofit CEO for weeks if not months to pull off a convincing scam. The goal of the scam may be to get access to high-level donor records through a spyware attack, for example.

4. Smishing Attacks

Smishing is a kind of phishing attack where cybercriminals use SMS messages. Smishing attacks are hard to identify because of the simple nature of text messages. A cybercriminal may use a smishing attack to deliver password-stealer Trojans that help steal donor data.

5. Vishing Attacks

A vishing attack is a phishing attack that uses VoIP technology. A scammer may call a nonprofit using VoIP tools to mask their location while pretending to be a donor’s spouse or assistant. The goal is to use the nonprofit to attack a high-profile donor.

6. Ransomware Attacks

A hacker may use one or several phishing attacks to hit a nonprofit with ransomware. Although the aim of a ransomware attack is usually to extort money, attackers may also secretly engage in data exfiltration. Stolen donor data may be sold on the Dark Web or leveraged for other types of attacks.

7. Spyware Attacks

Malicious software like spyware can copy confidential information in minutes. The challenge with spyware like keyloggers is that it is hard to detect and may operate unnoticed for months, if not years.

In addition to adopting cybersecurity tools, nonprofits should invest in anti-phishing training. Key staff members should be able to identify fraudulent emails, messages, and phone calls that can put their organization at risk.
