Yes, Nonprofits Get Scammed, Too

Security is serious business for nonprofits. Not only do they need to protect themselves from attacks, but they have a responsibility to protect sensitive client and donor data. There are many protocols you can establish to protect your organization, but the first step starts with individual people.

While the technology we depend on has changed over the years, people’s social behavior hasn’t. This leaves us at risk of having our goodwill exploited. In security circles we call this scheming activity “social engineering.” It’s an attempt to acquire sensitive information for malicious reasons through deception.

An act of social engineering starts with a lie. The lie doesn’t have to be outright; often it’s easier if the lie has a grain of truth. The best social engineering attempts will frame a thread of misinformation within a jumble of truth. It’s not a matter of if, but when a fraudster will target you or your organization. There are a variety of tactics, so I will focus on three of the most common; phishing, pretexting, and baiting.


In a March 2016 article in SC Magazine, a payroll employee at Pivotal Software received an email from CEO Rob Mee asking them for tax information on employees. Not realizing something was wrong, the employee replied with the W-2 information for an unknown number of employees. As you might guess from the title of this article, it was not, in fact, Rob Mee that sent the email.

Phishing (pronounced “fishing”) seeks sensitive information through a deceptive email that masquerades as a trustworthy source. Typically, this is a wide-net activity: the more people an attacker approaches, the more likely they are to find a victim. If the net is wide enough, even a .01% response rate can be productive. A great example is the common “Nigerian Prince” emails. These scams, known as Advance Fee or 419 scams, have been around in one form or another since the 1920s. They work by convincing their target that they will receive a large payoff in return for providing the would-be fraudster with a “small” amount of funds, sometimes several payments. The fraudster will then make up excuse after excuse and draw out the interaction until the target refuses to give any further money—at which point the fraudster will disappear along with the money, never to be heard from again.

We now see these same tactics employed to convince users to download files or attachments which contain malware (in the best case) or Ransomware that encrypts your files, and demands payment in the form of bitcoins before it will decrypt the files again. For those who do not backup their systems to an external device on a regular basis, this can be devastating.

The events at Pivotal are an example of a more targeted attack called spear phishing. This type of attack is characterized as a more personalized attack directed at specific individuals, groups, or companies. Whaling is another form of phishing directed at executives and other high-value targets. These attacks often appear in the form of a legal subpoena, customer complaint, or executive issue. In both spear phishing and whaling, the attacker will often spend a great amount of time doing research on their target in order to craft a believable attack that is harder to identify.


“I’m really sorry to bother you, but I’m running really late for my appointment with the Head of Marketing, and I managed to leave my laptop at home with the client list! He’s really counting on me here—can you forward me a copy?”

Pretexting is creating an invented scenario which engages a target to act in a way they otherwise wouldn’t. To make their scenario more believable, an attacker will often play on their target’s sympathy by crying down the phone, admitting something embarrassing, or telling someone about just how terrible their day has been. The attacks involve a lot of prior research so the attacker sounds as natural as possible and can think on their feet while interacting with their target. Smaller acts of pretexting are often used to gather information as part of a larger attack and are favored by identity thieves.

Other examples include the “Microsoft phone scam” where the attacker calls claiming to be from Microsoft, saying that your PC has a virus, and that they can help you over the phone. These calls often end with the attacker asking their target to download malicious software onto their computer. Similarly, in the “Grandparent scam” the attacker calls claiming to be a grandchild or other relative stranded abroad and in need of money. Because these attacks play on victims’ fears and ask for immediate action, they are often believable to those who are less tech savvy.


“Aw sweet, free USB drive!”

The modern day Trojan horse. Have you ever found a USB on the ground and wondered what treasures it might hold? Or more likely, you’ve needed to access your email urgently and connected to a Wi-Fi hotspot you didn’t verify first. This attack is all about putting a carrot out and waiting for someone to take it. The USB is infected or a hacker is snooping your web traffic on their Wi-Fi. This is often seen online in the form of free music or movie download advertisements. These adverts will often ask that the victim create an account asking for personal information or the file itself is malware. Baiting is also being seen with phones via cell tower spoofing, meaning a third party could be looking at your call, text, and mobile data in real time without your being aware.

Protecting yourself

While these attacks seem complex and distinct, they all have commonalities based in simple deception. Awareness and vigilance will go a long way towards protecting yourself.

Phishing attacks can be combatted in a variety of ways:

  • Verify the source. If you receive a weird email, call the person who supposedly sent it and confirm it was them.
  • Did your bank email you to ask for updated details? Don’t click on the link in the email, use a search engine to navigate to the website yourself and login through secure means. Hovering your mouse over a link will often display the link address (at the bottom of your browser), which makes it easier to confirm its validity.
  • Look for spelling errors or strange grammar. Attackers often purposely include such mistakes to weed out less gullible targets, and make things a little easier for themselves.
  • Distrust emails which demand immediate action. If it’s important, it’s likely you would have been contacted by phone or text.
  • A company who deals with you should know your name. Emails addressed to Dear Customer, Valued Client, etc. are likely fraudulent.

Pretexting is often difficult to spot right away, due to the creative nature of the act:

  • Being polite but suspicious will help. If something seems off, or someone seems too nosey, don’t be afraid to ask questions.
  • If a deal seems too good to be true, it probably is.
  • Whenever possible, verify odd requests from a third source. If your bank calls you to discuss your account but requires you to confirm personal information first, call them back with a known good number or visit in person at a local branch.  

Avoiding baiting attacks is relatively easy:

  • If you wouldn’t pick something up and put it in your mouth, don’t pick it up and put it in your computer!
  • Remember that nothing in life is free. If you are not paying for the product, then you are the product.

Lastly, while it won’t directly protect you, talk to your friends, family, and coworkers about the dangers of social engineering. Social engineering education doesn’t have to be formal to be effective.

With social engineering, you can’t avoid being a target, but you can avoid being a victim. Awareness and personal vigilance make all the difference.


Photo credit: Damien Jeanmaire

Tiberius Hefflin
Tibbs recently graduated from the University of West of Scotland with a degree in computer security. She has relocated to Portland, Oregon, where she evangelizes for privacy and security while doing security assurance work for Portland General Electric. She is passionate about encouraging small children to take the plunge into STEM and about laughing at cats on the internet.