With more than a trillion dollars flowing in 2017 from donors and government agencies to grantees in the United States alone, online thieves have discovered fertile hunting ground. Cyberattacks have only gotten more clever, and the stakes higher.
To thwart hackers, organizations in the philanthropy space need to focus on both common security practices and their special vulnerabilities, from the bottom to the top of the organization.
Foundations and nonprofits have the same security concerns as any business, but they also have particular needs based on their mission-driven orientation compared to, say, a retailer or bank. “You often have part-time or volunteer employees, and they like to be helpful,” says Mark Walker, knowledge management and technology officer at the Jessie Ball duPont Fund. “And many philanthropic workers wear multiple hats, which means the person responsible for watching over security may not have time to be as thorough as they’d like.”
Philanthropy often involves large transfers of money between organizations or people who don’t interact daily. That gives hackers an opportunity to trick inexperienced employees who are unfamiliar with how cyber-crooks operate. “They’ll contact you with a sense of urgency to act,” says John Mohr, chief information officer at the MacArthur Foundation. “If the president of your foundation asks you to wire money quickly, you might not stop to wonder if it’s really her.”
The most common type of attack seen by foundations is phishing — sending employees forged emails with links to look-alike sites mimicking Gmail, a financial website, or a social media site, in hopes that an unsuspecting employee will try to log in, thereby disclosing her username and password to a Web server that looks like the real thing. Once a cyber-burglar gets into one account, he can use it to pry information from other members of the team, or even donors or grantees.
Nonprofits, with employees who are generally accepting, are prime targets for the advanced version of phishing known as spear phishing — a phishing attack customized for a specific person. The spear fisher may break into an employee’s email and read messages for weeks, learning to mimic a trusted correspondent until a promising moment arises.
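The three tells described above (an executive's name on an outside address, a link to a look-alike sign-in domain, and "wire this now" urgency) can be checked mechanically before a message reaches the finance desk. The script below is an added example, not code from the article or from any foundation named in it; the trusted domains, the executive name list, the sample messages and the crude "last two labels" approximation of a registrable domain are all constructed assumptions for illustration.

```python
"""Flag phishing / wire-fraud tells in a plain-text email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for a hypothetical foundation: its own mail domain plus the
# real sign-in host its staff are expected to see links to.
TRUSTED_DOMAINS = {"goodworks-foundation.org", "accounts.google.com"}
# Display names attackers like to borrow in urgent wire requests (constructed).
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "right away", "wire", "today")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; 1-2 edits away from a trusted domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels: a crude stand-in for the registrable domain (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if trusted/unrelated."""
    host = host.lower()
    if host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None
    labels = host.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        t_reg = registrable(trusted)
        brand = t_reg.split(".")[0]
        # Typo-squat (goodworks-foundatlon.org) or the brand buried as a
        # subdomain label (accounts.google.com.login-portal.net).
        if levenshtein(registrable(host), t_reg) <= 2 or brand in labels[:-2]:
            return trusted
    return None


def analyze(raw_message: str) -> dict:
    """Return the suspicious signals found in one message (plain-text body assumed)."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in EXECUTIVE_NAMES and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"executive display name '{name}' on external address {addr}")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link to {host} imitates {imitated}")

    if any(word in body.lower() for word in URGENCY_WORDS):
        findings.append("urgent/money wording in body")

    return {"from": addr, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe.president@freemail.example>
Reply-To: jane.doe.president@freemail.example
To: finance@goodworks-foundation.org
Subject: Grant payment

Please wire the grant payment immediately. Confirm at
http://goodworks-foundatlon.org/login and then sign in again at
https://accounts.google.com.login-portal.net/verify
"""

CLEAN_MESSAGE = """\
From: Jane Doe <jane.doe@goodworks-foundation.org>
To: finance@goodworks-foundation.org
Subject: Board agenda

Here is the agenda for Thursday; the shared folder is at
https://accounts.google.com/signin as usual.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = analyze(raw)
        print(label, "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Each finding is a weak signal on its own; the point is that a message collecting several of them (outside sender claiming to be the president, a typo-squatted login link, and urgency about money) is exactly the pattern the article describes and should be held for an out-of-band phone call rather than acted on.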
These tricks aren’t only used to steal money. Oxfam America’s chief operations officer warned last year that politically sensitive material is another target.
How can a company fight back if it can’t afford a full-time senior security expert? Read Dan Schoenfeld’s blog for useful tips and help.