Donor CRM breaches, grant wire fraud, and donor PII exposure are costing nonprofits millions. One training program can change that — and satisfy IRS Pub 4557 requirements while you're at it.
Recent incidents that defined the nonprofit threat landscape
Nonprofits face a combination of high-value targets, thin security infrastructure, and organizational culture that attackers specifically exploit. Here's where your exposure lives.
Grant payouts involve multiple approval stages, international wires, and tight deadlines — perfect for BEC. Q3 disbursement requests from "program officers" asking for last-minute bank account changes are a documented attack pattern for FEMA NSGP recipients and foundation grantees.
Most nonprofits run on minimal security tooling — if any at all. No dedicated IT staff, no email filtering, no MFA on critical systems. The Blackbaud ransomware event hit 13,000+ organizations because many had no backup communications channel when their CRM went dark.
Nonprofits are mission-driven organizations where staff are conditioned to be helpful and responsive. That culture makes employees more susceptible to social engineering — especially authority-based requests ("This is the ED, we need this done now").
Donor databases contain names, addresses, giving history, credit cards, and sometimes SSNs (for stock donations). This data is gold for identity theft and phishing campaigns. Blackbaud's breach exposed donor information from 13,000+ nonprofits — and attackers know exactly what's in those systems.
$274.5M in FEMA Nonprofit Security Grant Program funds are available in FY2025. Organizations receiving NSGP grants are in active conversations with government agencies — making them prime targets for impersonation campaigns, fake program officer requests, and grant wire fraud.
13,000+ nonprofit clients. Blackbaud paid the ransom and delayed disclosure. $49.5M+ in multistate settlements (SEC Press Release 2023-48, NJ OAG). The delay meant nonprofits lost weeks of donor communication capability and legal coordination. 80% of the top nonprofits in the US were affected.
13,000+ Nonprofit clients affected · $49.5M+ settlement
BEC via compromised employee email. $997,400 wired to Japan via fake invoices for a Pakistan solar panel project. ~$112K net loss after insurance recovery. Reported by the Boston Globe (Dec 2018) and confirmed by AP News. One of the first high-profile nonprofit BEC cases to receive widespread media coverage.
$997K Wired · ~$112K net loss after insurance
$650,000 wired via BEC. $613K unrecovered. Fake bank audit emails delayed discovery for weeks. A single staff member initiated the transfer. SF Chronicle (May 2021) reported the full attack chain. OTI rebuilt its programs over two years to recover from the loss.
$650K Wired · $613K unrecovered
$1.75M in church construction payments redirected via BEC (Marous Brothers construction firm vendor compromise). Insurance recovery and legal action recovered some funds over time. Threatpost (2019) confirmed the full amount and attack method. Donor trust in the parish took years to rebuild.
$1.75M Redirected via BEC · multi-year recovery
Nonprofits have specific regulatory obligations that extend beyond general data security. Here's what applies and what happens when you don't comply.
501(c)(3) organizations collecting W-9s, processing 1099s, or handling donor PII must implement a Written Information Security Plan. The WISP must include 'periodic security awareness training' for all employees who handle taxpayer information. This is not optional — it's an IRS requirement for any nonprofit processing 1099s.
FTC Safeguards: $46,517/violation/day
The Nonprofit Security Grant Program funds cybersecurity training and preparedness for eligible nonprofits. Training is an allowable use of NSGP funds. Organizations receiving NSGP should document their training programs as part of grant compliance and reporting requirements.
Grant compliance documentation required
Most states require charities to register with the state attorney general and comply with data handling requirements as part of registration. A data breach affecting donor information may trigger notification obligations under state charity law in addition to state breach notification statutes.
AG notification · state-specific timelines
Nonprofits with California donors or revenue exceeding $20M must comply with CCPA/CPRA obligations for donor PII. This includes the right to opt out of data sales (even if you don't 'sell' data in the traditional sense, some third-party data-sharing arrangements qualify), privacy notice requirements, and data deletion obligations.
CCPA/CPRA: $2,500-$7,500/violation
Generic security training doesn't address the specific attack patterns hitting nonprofits. These three drills are built around the exact workflows — grant disbursements, donor CRM access, and executive impersonation — that make nonprofits vulnerable.
Walk your finance and development staff through the exact BEC pattern targeting grant disbursement wires — "program officer" emails requesting bank account changes for Q3 grant payments, fake FEMA correspondence, and urgency pressure from fake ED communications.
Blackbaud's 2020 breach exposed 13,000+ nonprofit donor databases. This drill covers phishing campaigns impersonating Blackbaud login pages, Salesforce Nonprofit CRM credential requests, and fake donor thank-you emails with malicious links.
Your ED's name and email are public information on your website and 990 filings. Attackers use that to impersonate executives in urgent, high-pressure requests for immediate wire transfers or credential sharing — bypassing normal approval processes.
These free resources cover the specific attack patterns and compliance requirements nonprofits face. Download them and use them to build your security program.
No per-seat licensing. No annual contracts. Book a session, train your team, satisfy IRS Pub 4557.
Yes — IRS Publication 4557 explicitly requires 501(c)(3) organizations that collect W-9s, process 1099s, or handle donor PII to implement a Written Information Security Plan (WISP). The WISP must include 'periodic security awareness training' for employees. Failure to comply can result in FTC Safeguards Rule civil penalties up to $46,517 per violation per day. For a nonprofit that processes thousands of donor records annually, a single breach traced back to inadequate training is a seven-figure liability on top of the breach itself.
Nonprofits face a perfect storm: thin IT budgets mean minimal email security tooling, trust-based organizational culture makes staff more susceptible to authority-based social engineering, and the complexity of grant disbursements with multiple approval stages creates exploitable friction points. Organizations processing FEMA NSGP grants ($274.5M available in FY2025) are especially attractive targets because grant disbursements are large, often involve international wire transfers, and operate under time pressure. The average BEC loss for nonprofits hit $183,000 in 2024 — up 118% from 2023.
Your donor CRM (Blackbaud, Salesforce Nonprofit CRM, Bloomerang) holds some of the highest-value personal data a nonprofit touches — donor names, giving history, addresses, sometimes SSNs for stock donations. Phishing campaigns impersonating Blackbaud login pages are documented. The defense: phishing-resistant MFA for all CRM logins (especially admin accounts), out-of-band verification for any request to change banking details or export large donor segments, email authentication (SPF/DKIM/DMARC) to block spoofed domains, and regular training so staff recognize credential phishing attempts. Blackbaud's own 2020 ransomware breach affected 13,000+ nonprofit clients — the lesson is that your CRM vendor's security is your security.
Yes — the Nonprofit Security Grant Program (NSGP) under FEMA's FY2025 allocation ($274.5M) explicitly lists 'training' as an allowable expenditure. Organizations can use NSGP funds to train staff on threat recognition, incident response, and grant-specific cybersecurity requirements. This creates a funding path for security training that doesn't compete with program budgets. SecurEveryone training qualifies under NSGP's training and preparedness categories. Ask your grant administrator or FEMA's NSGP program office for the current allowable cost guidance.
Three things: donor notification obligations vary by state and may include AG notification even for small breaches, grant compliance requirements may mandate specific notification timelines to funders, and the board of directors of a 501(c)(3) has fiduciary responsibilities around data protection that are distinct from those of corporate directors. A nonprofit incident response plan must account for donor communication protocols, state charity registration obligations, grant agreement notification requirements, and board liability considerations — none of which appear in a standard corporate IR plan. SecurEveryone's IR Plan Template includes a nonprofit-specific addendum covering these nuances.
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your specific nonprofit workflows — grant disbursements, donor CRM access, and executive communications.