May 8, 2019

Addressing the Human Threats in Nonprofit Cybersecurity

There are plenty of technical solutions for monitoring and preventing security attacks, but what’s hardest to control in nonprofit cybersecurity is the human element. Let’s look at some real-life examples of how your well-meaning nonprofit employees could fall victim to clever scams and concrete steps you can take to educate your staff, so they’re less vulnerable to cybersecurity attacks.


It's human nature to want to help, especially people in distress. For nonprofits, it’s part of your DNA, both as individuals and the organization as a whole.

Scammers take advantage of this fact by setting a trap: either they talk people into giving up information or taking an action without realizing what they have done, or they pose as someone who has a legitimate right to that information.

This is called social engineering. What it amounts to is exploiting our natural inclination to trust, especially if the request appears legitimate.

And unfortunately, it works. According to the 2018 State of Philanthropy in Tech survey, 21 percent of respondents had experienced a security breach in the previous two years.

However, there are tangible steps you can take to protect your organization. In the same survey, nonprofits that did not report a breach were more likely to have a security awareness policy and to hold security awareness training during staff meetings.

Before we get into how you can defend against social engineering, let’s begin by describing some classic examples, so you have a better understanding of the everyday risks.

Common Examples of Social Engineering

1. Misdirection. It’s the day of a grant application deadline, and you receive a phone call from someone saying they’re from one of your grantee organizations. They’re panicking because they can’t get into the grant application system to submit the application. You’ve spoken with this woman before and know she had access in the past, but she’s not listed as an authorized contact. You instruct her to contact the person listed as the account owner.

She says, “I can’t do that - that person is on vacation and left me in charge of finishing the application. They probably removed my access when I went on maternity leave. I’ll lose my job if I don’t get in before the deadline! Please just add me back in, you know me!”

This is a perfect example of social engineering because it pulls on your heartstrings. As a customer service representative, your goal is to solve the problem. The sense of urgency can make even level-headed employees do the wrong thing.

2. Spoofing. You receive an automated call from your corporate credit card company warning about a possible data breach. The caller ID shows the same number as the customer support number on the back of the card, yet the recording asks you to call back a different number. When you call that number, you’re prompted to enter your credit card number and expiration date on the keypad.

This is an example of spoofing, a tactic where a person or program masquerades as someone else. Free apps let anyone place a call or send a text while choosing whatever number appears on the recipient’s caller ID, so caller ID is not proof of who is calling. The safe response is to hang up and dial the number printed on the back of the card yourself. The same tactic works by text and email, where the visible sender name or address is just as easy to forge.

3. Phishing. You receive an email that appears to be from Dropbox, asking you to view an “important” shared document. This is an example of email phishing. There are a few ways you can tell:

  • Check the sender address domain and make sure it matches the company exactly. A lookalike might read dropboxmail.com instead of dropbox.com.
  • Does the email say who shared the document? If not, there’s no one you can contact to confirm it’s legitimate.
  • Does the email add urgency by saying the document is important? Dropbox itself would have no way of knowing how important a document is.
  • Hover over the “View folder” button without clicking it. The link target that appears is a URL outside the dropbox.com domain, whatever the button text says.

Check out Google’s Phishing Quiz to strengthen your email savvy when it comes to suspicious messages. This is a great tool to incorporate into your employee training, which we’ll touch on later.
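The checks in the list above can be scripted, which is a useful exercise for a training session. The following is an added example written for this article, not WizeHive’s code: it parses a raw message with Python’s standard library, compares the sender domain and every link target against the brand’s real domain (exact match or a genuine subdomain, so dropboxmail.com and dropbox.com.something.example both fail), and flags urgency words in the subject. Both sample messages are constructed, and EXPECTED_DOMAIN and URGENCY_WORDS are assumptions you would tune for your own organization. The “who shared it?” question is left to the human reader, since no script can tell you whether you know the person named.

```python
"""Heuristic screen for a "shared document" e-mail of the kind described above.

Added example for this article; it is not WizeHive's code. The two messages
are constructed, and EXPECTED_DOMAIN / URGENCY_WORDS are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "dropbox.com"  # assumption: the brand the mail claims to come from
URGENCY_WORDS = ("important", "urgent", "immediately", "deadline", "suspended")  # assumption

# Constructed phishing sample: lookalike sender domain, off-brand link, urgent subject.
RAW_PHISH = """\
From: Dropbox <no-reply@dropboxmail.com>
To: grants@example.org
Subject: An important document was shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document has been shared with you. It is important that you view it today.</p>
<p><a href="http://dropbox.com.files-share.example/view?id=42">View folder</a></p>
</body></html>
"""

# Constructed legitimate sample: real domain, named sharer, link stays on the brand's domain.
RAW_LEGIT = """\
From: Dropbox <no-reply@dropbox.com>
To: grants@example.org
Subject: Jane Smith shared "Q2 budget.xlsx" with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane Smith (jane@example.org) shared "Q2 budget.xlsx" with you.</p>
<p><a href="https://www.dropbox.com/s/abc123/Q2%20budget.xlsx">View file</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collects every href in an HTML body: the URL you would see by hovering the button."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def domain_matches(host, expected=EXPECTED_DOMAIN):
    """Exact match or a true subdomain only. 'www.dropbox.com' passes;
    'dropboxmail.com' and 'dropbox.com.files-share.example' both fail."""
    host = host.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def sender_domain(msg):
    """Domain of the address in From:, ignoring the display name."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def extract_links(msg):
    """All link targets in the preferred body part (HTML anchors, else bare URLs in text)."""
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    text = body.get_content()
    if body.get_content_type() == "text/html":
        parser = _LinkExtractor()
        parser.feed(text)
        return parser.hrefs
    return re.findall(r"https?://[^\s\"'<>]+", text)


def analyze(raw):
    """Return a list of findings; an empty list means none of the checks fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    dom = sender_domain(msg)
    if not domain_matches(dom):
        findings.append(f"sender domain {dom!r} is not {EXPECTED_DOMAIN}")

    for url in extract_links(msg):
        host = urlparse(url).hostname or ""
        if not domain_matches(host):
            findings.append(f"link target {host!r} is outside {EXPECTED_DOMAIN}")

    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        print(label, analyze(raw) or ["no findings"])
```

Run it and the constructed phishing message produces three findings (lookalike sender, off-brand link, urgent subject) while the legitimate one produces none. The domain comparison is the part worth studying: a plain substring test would accept dropbox.com.files-share.example, which is exactly the trick the hover check is meant to catch. In a real mail pipeline you would also read the SPF, DKIM and DMARC results your mail server records in the headers, since a From: address alone can be forged.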

4. Pretexting. Assuming you work in a large organization (where you don’t know everyone), imagine you get an email seemingly from HR, saying that they are collecting “fun facts” about some employees for an employee spotlight project. Some of the questions include “Where did you meet your spouse?” and “What’s the name of your pet?”

You may have noticed that a lot of these topics are the same ones used as security questions. If someone knows the answers, they can often reset a password without ever touching the related email account.

This type of attack is known as pretexting. It comes across as friendly and from someone you generally trust, and it doesn’t ask for anything you would normally consider confidential. Instead it collects little bits of information that can eventually be used to impersonate you and gain access to your accounts. Treat security-question answers as passwords: choose answers that can’t be looked up or coaxed out of you, keep them in a password manager, and prefer multifactor authentication over knowledge-based recovery wherever the service allows it.

How to Defend Against Social Engineering

While the examples above aren’t a complete list of social engineering tactics, they should give you a good idea of how easy it is for well-meaning employees to mistakenly provide sensitive information. Let’s focus now on how your organization can defend against these attacks.

Identify Potential Entry Points

Begin by assessing where and how social engineering attempts might occur within your organization. However, this can’t be done in a vacuum, as you won’t have a complete understanding of every role in the organization. You’ll need to work with each type of employee to document their touchpoints in all communication channels.

Create Verification Checklists

Verification checklists are an easy way to help staff when confronted with a potential scam. Every organization will come up with a slightly different process based on the systems they use, which constituents have access, and the kind of data. The important thing is that you have a verification process, your entire staff knows it, and that they use it.

An easy one to start with is our very first example: what do you do if a grantee calls in and says they can’t access their account? You might have a checklist that includes:

  • Is the request coming from the user’s known email address?
  • Is it a phone request? Ask for the request in writing from the known email address, or call the user back on the number already on file, never on a number the caller gives you.
  • Has the user had access to the system in the last 30 days?
  • Has the user made other password update or access requests in the past?
  • Is the account owner or administrator aware of the request and OK with granting access?

Use Layered Security

Mistakes can happen. Therefore, you need to have as many layers of security as possible. That begins with using a grant management system with strong data security standards. Other important protections include strong passwords, multifactor authentication, auto-logoff, encryption, and remote wiping should your device fall into the wrong hands.

Create Fun, Interactive Trainings

To make your cybersecurity training relevant and memorable, we recommend short sessions that incorporate participation. For example, at WizeHive we’ve split training into mandatory 30-minute monthly lunch and learns. (Plus a free lunch!) Here’s how it works:

  • Introduction - The first 10 minutes are an introduction. We cover the key points we want everyone to understand.
  • Experiment - During the next 10 minutes, a cross-departmental team shares the results of their experiment related to that month’s topic. For example, this past month the team members tried to get into an account owned by another employee. (We made sure the accounts didn’t hold any real data.)
  • Q&A - The last 10 minutes we lead a Q&A and brainstorming session. We talk about possible areas of risk as it relates to WizeHive’s systems and procedures.

Track Training Attendance

We also record our trainings, as it’s not always practical for everyone to attend in person. It’s vital to keep good records of who is attending your training sessions. We store a recording, link to slides, and follow up notes, then assign that to all active employees and contractors who need to attend the training. Employees can then sign off once complete.

Make Reporting Easy and Clear

Lastly, it’s important to not only teach your employees what to watch out for, but also how they should report any suspected breaches or suspicious activity. We recommend having clear points of contact for cybersecurity reports, as well as an anonymous web form that people can use if they aren’t comfortable sharing details directly.

--

It’s an unfortunate reality that nonprofits are especially vulnerable to social engineering, given their mission to help others. However, by raising awareness of these scams and giving your employees clear direction on how to handle potential threats, you can patch the last hole in your cybersecurity defense.
