Attackers target nonprofits for simple reasons. The data you hold is valuable—donor records, payment details, and sometimes health or case information can be sold or used for extortion. Your culture is open and collaborative by design, which means many helpers, partners, logins, and devices—more places an attacker can try a door. Fundraising comes in waves; big campaigns, disasters, or media coverage can drive sudden spikes in website traffic, and criminals follow the crowd. Add tight budgets and limited time, and security can slip behind urgent program work.
Put together, it’s a sector hit hard by scams and intrusions. For example, in the UK, the government’s Cyber Security Breaches Survey 2025 reports that 30% of charities experienced a cyber breach or attack in the last 12 months. Among those charities, phishing remains the most prevalent and disruptive type of breach or attack, experienced by 86% of them.
The same report estimates the average cost of the most disruptive breach for charities at £3,240 (or £8,690 if you exclude orgs that reported £0 cost).
Here are some tips to help you lower the risk fast with practical steps you can roll out without a big budget or an IT department.
How it works: Deceptive emails, texts, or QR codes try to make someone click, sign in, or open an attachment that installs malware.
What it looks like: A “Microsoft 365 storage full” alert; a “missed delivery” QR code; a donor “invoice” in a ZIP; an event volunteer asking you to “re-enter your password to view the schedule.”
What to do: Train people to pause and verify. Use a password manager so staff don’t type passwords on fake sites. Turn on built-in phishing filters in your email system and report suspicious messages so future ones get blocked.
Related: Phishing Scams: How to Identify and Avoid Them
How it works: Criminals compromise or convincingly spoof a real mailbox, then change bank details, redirect refunds, or push urgent payments.
What it looks like: A vendor “updates” their IBAN; your ED “can’t talk—please wire €7,900 now”; a hijacked thread that adds new payout instructions.
What to do: Call back on a known number before changing any payout details. Require two approvers for payments above a threshold. Enforce MFA on email and finance tools and review inbox rules/forwarders weekly.
How it works: Malware encrypts files and steals data first. Attackers demand payment to unlock systems and to stop publishing sensitive records.
What it looks like: Staff can’t open files; shared drives show random extensions. A note demands cryptocurrency, threatening to leak donor lists.
What to do: Keep offline, tested backups of your CRM and shared drives. Patch devices and servers monthly; remove software you no longer use. Limit who can access Finance/HR/Case folders. Keep a one-page incident plan with phone numbers and restore steps.
Related: Ransomware Is Targeting Nonprofits: Why Risk a Disaster When Protection Is Affordable?
How it works: Attackers inject malicious code on your site or payment form to “skim” credit cards and personal data as supporters donate. This is often called digital skimming or Magecart.
What it looks like: Unexplained code on your site, new scripts, or altered plugins. Donors report fraud shortly after donating.
What to do: Use a reputable hosted payment page (not custom code) and keep your CMS/plugins updated. Restrict who can install plugins or themes; review them quarterly. Enable a Web Application Firewall (WAF) if your site supports it.
Related: Cybersecurity for Nonprofits: Why Hackers Target You and What to Do About It
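The “new scripts” symptom above is easiest to catch by keeping an inventory of what your donation page loads and diffing it each review. The script below is an added example, not code from the article or from Bitdefender; it uses only the Python standard library, and the sample HTML, the baseline host list and the hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external src (with/without SRI) or inline."""
    def __init__(self):
        super().__init__()
        self.external = []   # (src, has_integrity_attribute)
        self.inline = 0
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self.inline += 1

def audit_page(html: str, baseline_hosts: set, page_host: str) -> list:
    """Flag script hosts not in the baseline and third-party scripts lacking SRI."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src).netloc.lower() or page_host   # relative src = same host
        if host == page_host:
            continue
        if host not in baseline_hosts:
            findings.append(f"NEW script host not in baseline: {host} ({src})")
        if not has_sri:
            findings.append(f"third-party script without integrity attribute: {src}")
    if p.inline:
        findings.append(f"{p.inline} inline script block(s); diff against your last known-good copy")
    return findings

# Constructed sample: a donate page where one script has appeared that you never added
SAMPLE_HTML = """<html><head>
<script src="https://checkout.example.com/v1/pay.js"></script>
<script src="/js/theme.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://stats.example.org/s.js"></script>
</head><body><form id="donate"></form><script>console.log("hi")</script></body></html>"""
BASELINE_HOSTS = {"checkout.example.com", "cdn.example.net"}   # hosts approved at the last review
PAGE_HOST = "www.example-charity.org"                          # assumption: your own site host

if __name__ == "__main__":
    for line in audit_page(SAMPLE_HTML, BASELINE_HOSTS, PAGE_HOST):
        print(line)
```

Save the approved host list after each quarterly plugin review and re-run the check on the live donate page; any “NEW script host” line is worth investigating before the next campaign.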
How it works: You may do security well, but your software vendor might not. Your data is exposed when a third-party provider (CRM, email platform, event tool) is compromised.
What it looks like: A breach notice from your vendor; unusual sign-ins from new locations; supporters receiving spam that references your campaigns.
What to do: Ask vendors for security and breach-notification commitments in contracts. Store less. Delete data you no longer need, or set retention rules. Use unique, strong admin passwords and turn on MFA for your CRM.
Related: How to Vet Suppliers and Avoid Fake Vendor Scams
How it works: Attackers try known email/password pairs from old leaks or spam MFA prompts until someone taps “Approve.”
What it looks like: MFA prompts you didn’t start; sign-in alerts at odd hours; new inbox rules forwarding all mail to an external address.
What to do: Require a password manager and block breached/reused passwords. Prefer passkeys or security keys. If you use push MFA, enable number-matching and limit prompt spam.
Related: How to Check If Your Business Is Affected by a Breach (And What to Do if It Is)
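Both the payment-fraud section (“review inbox rules/forwarders weekly”) and the sign-in section above point at the same check: look for mailbox rules that forward mail outside the organisation, delete it, or hide it. The script below is an added example, not code from the article or from Bitdefender; the rule records, their dict shape and the ORG_DOMAINS value are constructed for illustration rather than taken from any real mail platform’s export format.

```python
from dataclasses import dataclass, field

ORG_DOMAINS = {"example-charity.org"}  # assumption: the org's own mail domains

# Folders where a mailbox owner rarely looks, so mail moved there goes unnoticed
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}

# Constructed sample export of inbox rules (hypothetical shape, not a real schema)
SAMPLE_RULES = [
    {"mailbox": "ed@example-charity.org", "name": "archive",
     "forward_to": [], "delete": False, "move_to": "Archive"},
    {"mailbox": "finance@example-charity.org", "name": ".",
     "forward_to": ["backup.mail.2025@gmail.com"], "delete": True, "move_to": None},
    {"mailbox": "events@example-charity.org", "name": "team copy",
     "forward_to": ["ops@example-charity.org"], "delete": False, "move_to": None},
    {"mailbox": "finance@example-charity.org", "name": "invoices",
     "forward_to": [], "delete": False, "move_to": "RSS Subscriptions"},
]

@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list = field(default_factory=list)

def is_external(address: str) -> bool:
    # True when the address's domain is not one of ours
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS

def audit_rules(rules: list) -> list:
    # Return a Finding for every rule matching a known account-takeover pattern
    findings = []
    for r in rules:
        f = Finding(r["mailbox"], r["name"])
        ext = [a for a in r.get("forward_to", []) if is_external(a)]
        if ext:
            f.reasons.append("forwards to external address(es): " + ", ".join(ext))
        if r.get("delete"):
            f.reasons.append("deletes messages, hiding activity from the mailbox owner")
        if (r.get("move_to") or "").lower() in HIDING_FOLDERS:
            f.reasons.append(f"moves mail into rarely viewed folder '{r['move_to']}'")
        if len(r["name"].strip()) <= 1:
            f.reasons.append("near-empty rule name, typical of attacker-created rules")
        if f.reasons:
            findings.append(f)
    return findings
```

Run `audit_rules` over a weekly export of every mailbox’s rules and have each flagged mailbox owner confirm the rule is theirs; an external forward nobody recognises is the moment to reset the password and revoke sessions.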
How it works: Attackers flood your site with traffic or deface pages to knock fundraising or program information offline, often timed to high-visibility moments such as disasters and media coverage, when nonprofits are most exposed.
What it looks like: The site is slow or unreachable; your donate page times out; the homepage is replaced with a message or image you didn’t post.
What to do: Put your site behind a DDoS protection service. Many civil-society orgs qualify for free protection from Cloudflare’s Project Galileo or Google’s Project Shield. Apply if you’re eligible.
How it works: Attackers steal a staffer’s account, log in and lock you out, or spin up look-alike pages to collect “donations.”
What it looks like: Recovery emails you didn’t request; posts or ads you didn’t create; supporters messaging about a second “official” page.
What to do: Turn on two-step verification for all org accounts; use role-based access and remove ex-staff immediately. Reserve obvious look-alike names and set up brand monitoring alerts.
Related: How Scammers Use Small Business Names to Send Fake PayPal Invoices
How it works: Criminals register a domain that looks like yours (extra letter, different ending) and run ads or send emails to harvest credentials and donations.
What it looks like: Donors say they gave on “your-org.co” instead of “your-org.org”; search ads point to a near-match domain; your outbound email lands in spam more often.
What to do: Register likely look-alike domains for major campaigns. Publish SPF/DKIM and enforce DMARC. Always display a short, trusted URL in campaign materials.
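“Publish SPF/DKIM and enforce DMARC” only helps if the records are strict enough to act on. The checker below is an added example, not code from the article or from Bitdefender; it takes the TXT records as plain strings (copy them from your DNS console) so it runs offline, and the sample records and domain names are constructed.

```python
# Constructed sample records (copy your real ones from your DNS console)
WEAK_SPF = "v=spf1 include:_spf.example-mailer.com ~all"
GOOD_SPF = "v=spf1 include:_spf.example-mailer.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-charity.org; adkim=s; aspf=s"

def parse_dmarc(record: str) -> dict:
    # Split "v=DMARC1; p=none; rua=..." into a lowercase tag -> value dict
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_spf(record: str) -> list:
    # Human-readable weaknesses in an SPF record; empty list means it looks fine
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record (v=spf1) published"]
    issues = []
    if "+all" in terms or "all" in terms:
        issues.append("'+all' lets anyone send as your domain; use '-all'")
    elif "?all" in terms:
        issues.append("'?all' is neutral, so receivers have nothing to act on")
    elif "~all" in terms:
        issues.append("'~all' (softfail) works, but '-all' is stronger once DMARC is enforced")
    elif "-all" not in terms:
        issues.append("SPF has no terminating 'all' mechanism")
    return issues

def check_dmarc(record: str) -> list:
    # Human-readable weaknesses in a DMARC record; empty list means it looks fine
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record (v=DMARC1) published"]
    issues = []
    p = tags.get("p", "").lower()
    if p == "none":
        issues.append("p=none only monitors; move to quarantine, then reject, to block look-alike mail")
    elif p not in ("quarantine", "reject"):
        issues.append("missing or invalid p= policy")
    if "rua" not in tags:
        issues.append("no rua= address, so you get no reports on who is spoofing your domain")
    if tags.get("pct", "100") != "100":
        issues.append("pct=" + tags["pct"] + " applies the policy to only part of your mail")
    if p != "none" and tags.get("sp", p).lower() == "none":
        issues.append("sp=none leaves subdomains unprotected")
    return issues
```

Start at p=none with a rua= address to see who sends as your domain, then move to quarantine and finally reject; the checker tells you at each step what is still missing.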
How it works: Most issues are mistakes—public links for private files, spreadsheets emailed to the wrong list, personal cloud accounts used for work. Rarely, someone seeks access for the wrong reasons.
What it looks like: “Anyone with the link” set on HR folders; a CSV of donors sent to “All Staff”; an ex-volunteer still accessing shared drives.
What to do: Grant the minimum access needed by default. Put sensitive content behind group permissions (Finance, HR, Casework). Train volunteers on day one: no personal clouds, no public links for private data, report anything odd immediately. For long-term or high-risk roles, screen people and keep access logs.
Related: How Remote Employees Can Cause a Data Breach of Your Small Business Data (And How to Prevent It)
Turn on MFA everywhere (email, CRM, finance, storage). Prefer passkeys; otherwise, enable number-matching on push prompts.
Back up your donor database and critical files to a location not permanently online; restore a test file.
Lock down money moves. Dual approval for bank detail changes and payments above a set threshold.
Update & remove. Patch devices, browsers, and plugins; delete old plugins and unused accounts.
Train people. Talk with your team about this article, then draft a simple response plan together. Decide who does what, how to reach each other, how you’ll keep donations flowing if systems go down, and how to restore files. Here’s some inspiration: Responding to a Cyberattack - What to Do When You Get Hacked
Check your website. Use a hosted donation form, turn on a WAF/CDN if available, and review who can edit the site.
If you want one toolset that covers the biggest everyday risks—malware, phishing, web threats, and leaked-credential alerts—Bitdefender Ultimate Small Business Security is built for small teams and charities.
It gives you advanced protection to stop attacks before they start, email and phishing security that blocks malicious links and fake invoices, digital identity and data protection for sensitive donor and client information, scam detection tools so your staff can spot threats in real time and a simple way to roll out protection to staff and volunteers’ devices without an IT department.
Plans start at $18.99 for small teams and go up to $79.99 for larger teams of 25 members—a tiny fraction of the millions a ransomware attack could cost.
Your mission is worth protecting. Start your free trial today.
Cristina is a freelance writer and a mother of two living in Denmark. Her 15 years’ experience in communication includes developing content for TV, online, mobile apps, and a chatbot.
May 16, 2025