Donor PII breaches erode trust permanently. Grant-payment BEC diverts mission-critical funds. Board impersonation attacks target your finance committee. 501(c)(3) data-handling failures invite IRS scrutiny and donor lawsuits. One well-timed training session changes all of that.
Business email compromise (BEC) targeting finance staff and executive directors (EDs) is the #1 cyber threat to nonprofits. Attackers spoof program officers from foundations or government agencies and redirect grant disbursements mid-process. Average nonprofit BEC loss: $108,000, often uninsured and unrecoverable.
CRM platforms (Salesforce NPSP, Bloomerang, Little Green Light) store donor names, addresses, employer info, and giving history. A breach exposes PII subject to state data laws and — if recurring card data is stored — PCI liability. The reputational fallout can permanently suppress future fundraising.
Attackers email finance staff impersonating the ED or a board member with urgent wire instructions. Nonprofit finance teams are especially vulnerable because authorization structures are often informal and staff are trained to be responsive to leadership. Losses range from $15,000 to $2.1M in documented cases.
High volunteer and seasonal staff turnover leaves orphaned accounts in cloud systems, donation platforms, and email. Former volunteers with active credentials are the most common source of insider-adjacent breaches at nonprofits — and the easiest to prevent with the right offboarding checklist.
Nonprofits accepting online donations must comply with PCI DSS for payment card data — a breach of your donation page can result in card-brand fines and processor termination. Forty-plus states have charitable solicitation registration requirements that include data-handling obligations for donor records. An IRS Form 990 breach or material cybersecurity incident can trigger donor trust questions and state AG scrutiny. Our training covers the controls that address all three layers: payment security, donor PII protection, and incident documentation.
"We thought cybersecurity training was for corporations. Then our development director clicked a spear-phishing email impersonating our largest foundation funder. No funds were lost — but it was close. SecurEveryone trained our entire team in one session. Now the team knows exactly what to look for."
— Executive Director, Regional Community Foundation
Take our free Phishing IQ Quiz to benchmark your team's awareness in 5 minutes — or book a 15-minute consult with one of our instructors.