Protecting Our Mission: A Comprehensive Guide to Nonprofit Scam Prevention

"Our responsibility to our community extends beyond our programs—it includes safeguarding the trust placed in us and protecting the resources that enable our mission. Through vigilance, education, and collective awareness, we ensure that every dollar donated and every volunteer hour contributed goes toward the positive impact we're committed to creating."

Table of Contents

1. Understanding the Threat Landscape

2. Email-Based Scams and Phishing

3. Social Engineering Tactics

4. Phone and Voice Scams

5. Donation and Grant Scams

6. Vendor and Service Provider Fraud

7. Identity Theft and Impersonation

8. Red Flags and Warning Signs

9. Verification Procedures and Best Practices

10. What to Do If You're Targeted

11. Resources and Reporting

1. Understanding the Threat Landscape

For Everyone: Nonprofits are attractive targets for scammers because of their mission-driven nature, often limited cybersecurity resources, and the trusting relationships they build with donors, volunteers, and community partners. Scammers exploit our sector's collaborative spirit and genuine desire to help others.

Important Reality Check: Being targeted by scams doesn't reflect poorly on your organization or intelligence. These schemes are increasingly sophisticated, and even cybersecurity professionals fall victim to well-crafted attacks. The key is learning to recognize the patterns and implementing systems that protect everyone.

Why Nonprofits Are Targeted

• Limited IT Resources: Many nonprofits lack dedicated cybersecurity staff

• High Trust Environment: Staff and volunteers are trained to be helpful and accommodating

• Public Information: Contact details, leadership names, and organizational structure are often publicly available

• Financial Access: Nonprofits handle donations, grants, and vendor payments

• Volunteer Workforce: Mix of technical expertise levels among staff and volunteers

2. Email-Based Scams and Phishing

Understanding Phishing Attacks

For IT Staff: Phishing attacks against nonprofits often use targeted information gathered from websites, social media, and public filings. Attackers may reference specific programs, recent events, or leadership changes to appear legitimate.

For Everyone Else: Phishing emails are designed to trick you into giving away sensitive information or clicking malicious links. They often look like they're from trusted sources—banks, other nonprofits, government agencies, or even your own organization's leadership.

Common Phishing Tactics Targeting Nonprofits

1. Fake Donation Offers

• The Setup: Emails claiming to be from wealthy individuals or foundations offering large donations

• The Hook: Urgency ("limited time offer") or emotional appeal ("inspired by your mission")

• The Ask: Bank account information, tax ID numbers, or personal details of leadership

Real Example from Our Experience: We received an email appearing to be from a major foundation, addressed to our info@ email but greeting specific staff members by name. The sender had researched our website to find staff names, making the email seem more legitimate. They offered a substantial donation but requested our banking information to "process the transfer."

2. Impersonation of Partner Organizations

• The Setup: Emails appearing to be from other nonprofits, government agencies, or service providers

• The Hook: Familiar organizational names and logos, references to real programs or partnerships

• The Ask: Login credentials, financial information, or confidential organizational data

3. Executive Impersonation (CEO Fraud)

• The Setup: Emails appearing to be from your organization's leadership

• The Hook: Urgent requests that bypass normal procedures ("I need this handled discreetly")

• The Ask: Wire transfers, gift card purchases, or sharing of sensitive information

Technical Red Flags for IT Staff

Domain Analysis:

• Hover over sender addresses to reveal the actual sending domain

• Look for subtle misspellings (gmai1.com instead of gmail.com)

• Check for suspicious subdomains (legitimate-nonprofit.malicious-domain.com)

• Verify SPF, DKIM, and DMARC authentication when possible

Email Analysis:

• Check for generic greetings despite having specific recipient information

• Look for urgency combined with requests to bypass normal procedures

• Identify inconsistent formatting, grammar, or organizational language

• Note requests for information that the sender should already have

Practical Tips for Everyone

Before Clicking Anything:

1. Hover Don't Click: Hover your mouse over links to see the actual destination URL

2. Check the Sender: Look at the full email address, not just the display name

3. Verify Independently: If an email claims to be from a known organization, call them directly using a number you look up independently

4. Trust Your Gut: If something feels off, it probably is

Important Note: Some scams are intentionally obvious to filter out savvy targets. Scammers want to engage only with people who are likely to fall for the entire scheme, so they include obvious red flags to discourage skeptical recipients from responding.

3. Social Engineering Tactics

For Executive Leadership: Social engineering attacks target decision-makers by exploiting authority, urgency, and trust. Attackers may spend weeks researching your organization to craft convincing scenarios.

For Everyone: Social engineering is manipulation that tricks people into revealing information or taking actions they normally wouldn't. These attacks often happen over multiple interactions to build trust.

Common Social Engineering Scenarios

1. The Helpful Vendor

• The Setup: Someone calls claiming to be from your IT provider, insurance company, or other service provider

• The Hook: They offer to help with an "urgent issue" or "account verification"

• The Ask: Login credentials, account numbers, or remote access to computers

2. The Urgent Partner Request

• The Setup: Email or call from someone claiming to be from a partner organization

• The Hook: Time-sensitive request related to a grant, event, or shared program

• The Ask: Donor lists, financial information, or staff contact details

3. The New Board Member

• The Setup: Someone claims to be a new board member or major donor

• The Hook: They need access to confidential information to "get up to speed"

• The Ask: Financial reports, strategic plans, or staff evaluations

Protection Strategies

For Staff and Volunteers:

• Verify Identity: Always confirm requests through a second channel (if someone emails, call them back)

• Follow Procedures: Don't bypass normal authorization processes, even for urgent requests

• Ask Questions: Legitimate contacts won't be offended by verification questions

• Report Suspicions: Better to flag a legitimate request than miss a scam

For Leadership:

• Establish Clear Protocols: Create procedures for handling sensitive information requests

• Train Regularly: Ensure all staff understand social engineering tactics

• Create Safe Reporting: Staff should feel comfortable reporting suspicious interactions

4. Phone and Voice Scams

Common Phone Scams Targeting Nonprofits

1. Fake Compliance Calls

• The Setup: Callers claiming to be from IRS, state agencies, or regulatory bodies

• The Hook: Threats of penalties, loss of tax-exempt status, or immediate action required

• The Ask: Payment information, Social Security numbers, or EIN details

2. Utility and Service Scams

• The Setup: Calls about overdue utility bills or service cancellations

• The Hook: Immediate disconnection threats unless payment is made immediately

• The Ask: Credit card information or bank account details

3. Donation Verification Scams

• The Setup: Calls claiming to verify or process donations

• The Hook: Reference to real donors or recent fundraising events

• The Ask: Credit card numbers, donor information, or account access

Voice Scam Red Flags

For Everyone:

• High-pressure tactics and threats of immediate consequences

• Requests for payment via gift cards, wire transfers, or cryptocurrency

• Reluctance to provide callback numbers or written documentation

• Callers who become aggressive when questioned

5. Donation and Grant Scams

Fake Grant Opportunities

For Development Staff: Scammers create fake foundation websites and grant opportunities, sometimes requiring application fees or personal information that can be used for identity theft.

Warning Signs:

• Grants requiring upfront fees or payments

• Opportunities that seem too good to be true

• Limited application periods with immediate deadlines

• Requests for personal information unrelated to grant purposes

Fraudulent Donation Processing

Check Fraud:

• Donors sending checks for amounts larger than pledged, asking for "refunds"

• Checks that initially clear but are later returned as fraudulent

• Requests to deposit checks and wire transfer portions to third parties

Credit Card Fraud:

• Large donations followed by immediate chargeback requests

• Donations made with stolen credit card information

• Multiple small donations testing card validity before larger fraudulent charges

6. Vendor and Service Provider Fraud

Fake Invoice Scams

For Finance Staff: Scammers research your organization's vendor relationships and send fake invoices for services never rendered.

Common Fake Services:

• Website services or domain renewals

• Office supplies or equipment maintenance

• Advertising or directory listings

• Insurance or regulatory compliance services

Vendor Impersonation

Business Email Compromise:

• Legitimate vendor accounts are compromised

• Scammers send payment redirection requests

• Banking information is changed to accounts controlled by criminals

Protection: Always verify payment changes through independent communication channels.

7. Identity Theft and Impersonation

When Scammers Impersonate Your Organization

For Leadership: If scammers impersonate your nonprofit, it can damage your reputation and relationships with donors, partners, and beneficiaries.

Warning Signs Someone Is Impersonating You:

• Reports from community members about suspicious contacts claiming to be from your organization

• Unusual donation inquiries or thank-you messages for donations you didn't receive

• Partners mentioning communications you didn't send

• Social media accounts or websites using your organization's name and imagery

Immediate Response Actions:

1. Document all reports and evidence

2. Alert your immediate network (board, major donors, key partners)

3. Post warnings on your official website and social media

4. Report to relevant authorities and platforms

5. Consider legal action if damages are significant

Protecting Your Organization's Identity

For IT Staff:

• Monitor domain name variations of your organization

• Set up Google Alerts for your organization's name

• Regularly check for unauthorized social media accounts

• Implement email authentication (SPF, DKIM, DMARC)

8. Red Flags and Warning Signs

Universal Red Flags

For Everyone - These should always raise suspicion:

Communication Red Flags:

• Urgent requests that bypass normal procedures

• Threats of immediate negative consequences

• Requests to keep communications confidential or secret

• Poor grammar, spelling, or formatting in professional communications

• Generic greetings despite having specific contact information

• Inconsistencies in organization names, addresses, or contact information

Request Red Flags:

• Requests for sensitive information via insecure channels

• Demands for payment via gift cards, wire transfers, or cryptocurrency

• Requests to provide information the sender should already have

• Instructions to click links or download attachments unexpectedly

• Offers that seem too good to be true

Behavioral Red Flags:

• Resistance to verification questions

• Pressure to make immediate decisions

• Reluctance to provide documentation or references

• Evasiveness when asked for specific details

• Becoming aggressive or threatening when questioned

[YouTube Video Recommendation: Embed "Top 10 Scam Warning Signs" from Better Business Bureau]

9. Verification Procedures and Best Practices

The Two-Channel Rule

For All Staff: Never act on sensitive requests received through just one communication channel. Always verify through a second, independent method.

Examples:

• If someone emails requesting banking information, call them back at a number you look up independently

• If someone calls with urgent requests, ask for their information and call them back

• If you receive a text message, verify through email or phone

• If someone approaches you in person, follow up with documentation

Creating Verification Procedures

For Leadership - Establish These Protocols:

Financial Transactions:

• Dual approval requirements for transactions over specific amounts

• Mandatory waiting periods for banking or payment information changes

• Independent verification of all wire transfer requests

• Regular reconciliation of accounts and donations

Information Sharing:

• Clear policies on who can access different types of organizational information

• Procedures for verifying the identity of individuals requesting sensitive data

• Documentation requirements for information sharing decisions

• Regular review of access permissions and information sharing practices

Vendor and Partner Communications:

• Established contacts for each vendor or partner organization

• Procedures for verifying new contacts or communication channels

• Requirements for written confirmation of verbal agreements

• Regular review of vendor and partner contact information

Training and Awareness

For All Organizations:

Regular Training Should Cover:

• Current scam tactics and trends

• Organization-specific procedures and policies

• How to verify identities and requests

• Proper escalation and reporting procedures

• Real examples from your organization's experience

Create a Culture of Security:

• Make it safe to ask questions and report suspicions

• Regularly remind staff and volunteers about security procedures

• Share updates about new threats and tactics

• Celebrate good security practices and catches

10. What to Do If You're Targeted

Immediate Response Steps

If You Suspect You're Being Scammed:

1. Stop all communication with the suspected scammer

2. Don't provide any additional information

3. Document everything - save emails, record phone numbers, note dates and times

4. Report to your supervisor or designated security contact immediately

5. Don't try to "play along" to gather more information

If You Think You've Been Scammed

Don't Panic - Take Action:

Immediate Actions:

1. Contact your bank or credit card company if financial information was shared

2. Change all potentially compromised passwords

3. Monitor accounts for unauthorized activity

4. Report to appropriate authorities (see resources section)

5. Alert your IT team about potential security breaches

Documentation:

• Save all communications with the scammer

• Keep records of any financial losses

• Document the timeline of events

• Note any information that was shared

• Collect contact information for all relevant parties

Supporting Colleagues Who've Been Targeted

For Everyone: Remember that anyone can fall victim to sophisticated scams. Focus on:

• Offering support, not blame

• Learning from the experience

• Strengthening procedures based on what happened

• Sharing lessons learned appropriately

Being targeted by scammers is unfortunately common and doesn't reflect on someone's intelligence or competence. These schemes are designed by professionals who study psychology and technology to maximize their effectiveness.

11. Resources and Reporting

Who to Contact

If Financial Information Was Compromised:

• Your bank or credit card company - immediately

• Local police - for identity theft reports

• Federal Trade Commission (FTC) - https://reportfraud.ftc.gov

• Internet Crime Complaint Center (IC3) - https://www.ic3.gov

If Your Organization Was Impersonated:

• FBI Internet Crime Complaint Center - https://www.ic3.gov

• Better Business Bureau - to alert other businesses

• Social media platforms - to report fake accounts

• Domain registrars - to report fraudulent websites

For Phishing and Email Scams:

• Anti-Phishing Working Group - reportphishing@apwg.org

• Your email provider - most have fraud reporting mechanisms

• CISA (Cybersecurity & Infrastructure Security Agency) - https://www.cisa.gov

Additional Resources

Educational Resources:

• SANS Security Awareness - Free resources for nonprofits

• National Cyber Security Alliance - Stay Safe Online program

• Federal Trade Commission - Consumer protection resources

• AARP Fraud Watch Network - Scam awareness materials

Nonprofit-Specific Resources:

• National Council of Nonprofits - Risk management resources

• TechSoup - Technology and cybersecurity guidance for nonprofits

• Independent Sector - Nonprofit governance and ethics resources

Creating Your Organization's Response Plan

For Leadership - Document These Elements:

1. Emergency contacts for various types of incidents

2. Step-by-step response procedures for different scenarios

3. Communication protocols for alerting staff, board, and stakeholders

4. Recovery procedures for different types of compromises

5. Regular review and update schedules for security procedures

Conclusion: Protecting Our Mission Through Vigilance

Protecting our organization from scams isn't just about cybersecurity—it's about stewardship. Every dollar lost to fraud is a dollar that can't serve our community. Every hour spent dealing with security incidents is time taken away from our mission.

But security doesn't have to be a burden. By building awareness, establishing clear procedures, and creating a culture where it's safe to ask questions and report concerns, we transform potential vulnerabilities into organizational strengths.

Remember:

• It's okay to be cautious - legitimate contacts will understand verification requests

• It's okay to ask questions - your vigilance protects the entire organization

• It's okay to make mistakes - learning from incidents makes everyone stronger

• It's okay to report concerns - early detection prevents larger problems

Key Takeaways for Everyone:

Verify independently - Use a second communication channel to confirm requests 

Trust your instincts - If something feels wrong, investigate further

Follow procedures - They exist to protect everyone 

Ask for help - No one should handle suspicious communications alone

Stay informed - Scam tactics evolve, and our defenses must too

By working together and staying vigilant, we ensure that our nonprofit can continue to focus on what matters most: serving our community and advancing our mission. The time we invest in security awareness and procedures today protects the impact we'll be able to make tomorrow.

"Our commitment to security is ultimately a commitment to our community, ensuring that the trust they place in us and the resources they provide are protected and used for their intended purpose. Through shared vigilance and mutual support, we safeguard not just our organization, but the vital work we do together."

Document Version: 1.0
Last Updated: 08/2025
 

For questions about this guide or to report security concerns, contact: info@TheCadeMooreFoundation.org