Cybercriminals do not choose victims randomly. They go where the money is accessible and the defenses are thin. Nonprofits check both boxes.
In the past year, email-based attacks on nonprofits rose 35 percent. Ransomware attacks on nonprofits doubled. More than 60 percent of nonprofits reported a cyberattack within the past two years. These are not edge cases. This is a pattern.
Understanding why nonprofits are targeted is the first step toward doing something about it.
What Makes a Nonprofit Attractive to an Attacker
Nonprofits hold valuable data. Donor databases contain names, addresses, email addresses, phone numbers, and financial information. Beneficiary records contain health information, income data, and Social Security numbers. Grant management systems hold bank routing details and government identifiers.
That data has real market value on criminal forums. A full donor profile, name plus address plus payment history, sells for more than a hacked username and password.
Nonprofits also move money regularly. Donor payments come in. Grants get disbursed. Vendor invoices go out. Each of those transactions is a potential target for business email compromise, where an attacker intercepts or fakes a message to redirect funds to an account they control.
In 2024, OneBlood, a Florida blood donation nonprofit, was hit with ransomware. Attackers stole names and Social Security numbers for 167,400 people before encrypting the organization’s systems. The organization later agreed to pay up to $1 million to resolve the class action lawsuit that followed.
That is one organization. Thousands more face the same exposure every year with far less visibility.
Why Defenses Are Weaker
Most nonprofits operate on tight margins. Cybersecurity is not usually a line item. When it does appear in a budget, it is often underfunded.
Seventy percent of nonprofits have no formal cybersecurity policies. Most have no dedicated IT security staff. The person managing the donor database is often the same person managing the email system, the website, and the Zoom account.
Staff turnover is high. Training is inconsistent. Password hygiene varies. Multi-factor authentication may exist on some systems and not others.
Attackers know this. They do not spend weeks probing an organization’s defenses before acting. They look for weak points: phishing susceptibility, exposed login pages, unpatched software. Then they move.
The Trust Model Gets Exploited
Nonprofits operate in high-trust environments. Staff receive emails from donors, volunteers, government agencies, and partner organizations all day. A message asking for a wire transfer or a password reset does not immediately raise flags.
That trust is a vulnerability. Attackers craft messages that look like they come from a board member, a foundation officer, or a payroll vendor. They use real names, reference real programs, and ask for something that seems routine.
Business email compromise works in nonprofits at a higher rate than in most industries for exactly this reason.
What the Risk Looks Like in Practice
An attacker accesses a staff email account through a phished password. They spend days reading conversations, learning names, understanding workflows. They identify an upcoming grant disbursement. They send a message from the compromised account to the finance team, asking to update the bank routing number before the transfer goes out.
The finance team follows the process they know. The money moves. By the time anyone realizes what happened, the funds are gone.
No malware was involved. No system was locked. The only tool used was a convincing email and a stolen credential.
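The scenario above defeats sender-based checks because the message really does come from the staff account. An added example, not from the article or the author's firm, shows a content-based control: a finance-inbox triage script (names, messages and policy are constructed for illustration) that holds any request to change where money goes until someone confirms it by phone using a number already on file.

```python
import re

# Constructed sample messages, not real traffic. Fields mimic what a mail
# filter or a finance-inbox triage script would see.
SAMPLE_MESSAGES = [
    {   # mirrors the article's scenario: genuine account, altered routing
        "from": "director@example-nonprofit.org",
        "reply_to": "director@example-nonprofit.org",
        "subject": "Grant disbursement - updated bank details",
        "body": "Please update the bank routing number for the grant "
                "transfer going out Friday. New routing: 123456789.",
    },
    {   # ordinary message, should pass without flags
        "from": "volunteer@example-nonprofit.org",
        "reply_to": "volunteer@example-nonprofit.org",
        "subject": "Saturday food drive schedule",
        "body": "Attached is the volunteer roster for Saturday.",
    },
    {   # look-alike vendor: reply-to domain differs from the sender domain
        "from": "payroll@vendor-example.com",
        "reply_to": "payroll@vendor-example.co",
        "subject": "Invoice payment",
        "body": "Please change our account details before the next invoice.",
    },
]

PAYMENT_CHANGE = re.compile(r"\b(routing|account) (number|details?)\b|\bwire\b|\bbank details?\b", re.I)
CHANGE_VERB = re.compile(r"\b(update|change|new|replace)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|before the transfer|going out)\b", re.I)

def flags_for(msg):
    """Return the reasons a message deserves a second look (possibly none)."""
    text = f"{msg['subject']} {msg['body']}"
    flags = []
    if PAYMENT_CHANGE.search(text) and CHANGE_VERB.search(text):
        flags.append("payment-detail-change")
    if URGENCY.search(text):
        flags.append("time-pressure")
    if msg["reply_to"].split("@")[-1].lower() != msg["from"].split("@")[-1].lower():
        flags.append("reply-to-domain-mismatch")
    return flags

def requires_callback(msg):
    # Policy: any request that changes bank details is held until finance
    # confirms it by phone with a number already on file, never one in the email.
    return "payment-detail-change" in flags_for(msg)

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["subject"], "->", flags_for(m), "HOLD" if requires_callback(m) else "ok")
```

The hold fires on the first message even though the sender is legitimate, which is the point: the control is tied to the action requested, not to who appears to ask.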
What Nonprofits Should Focus On First
The steps that reduce risk the most do not require a large budget.
Multi-factor authentication on email accounts is the single highest-impact change any organization can make. Most nonprofit email is hosted on Microsoft 365 or Google Workspace, both of which support it at no extra cost.
Staff training does not need to be an all-day event. A fifteen-minute session on how to recognize a phishing email and what to do before clicking a link saves organizations far more than the cost of the training.
A written security policy, even a short one, establishes expectations and creates accountability. Without one, staff have no standard to follow and no reference point when something looks wrong.
Email filtering, backup systems, and credential management tools are all available at low cost or through nonprofit discount programs like TechSoup.
None of these require a dedicated security team. They require a decision to take the risk seriously.
Nonprofits are targeted because they hold valuable data, move real money, and often lack the defenses to stop a determined attacker. The good news is that the most effective protections are within reach. The barrier is not usually budget. It is awareness.
That awareness starts with understanding the threat.
Nigel Roberts, CISSP, is the founder of NexSecure Solutions LLC. He works with nonprofits and small businesses to build practical security programs without enterprise overhead. Schedule a free discovery call at nexsecuresolutions.com.
