Why Phishing Awareness Matters for Nonprofits
October marks Cybersecurity Awareness Month, a global initiative to promote safer digital practices. For nonprofits, this is a critical opportunity to strengthen defenses against one of the most prevalent and damaging threats: phishing attacks.
Phishing emails are deceptive messages designed to trick recipients into clicking malicious links, downloading malware, or sharing sensitive information. These attacks are increasingly sophisticated and often target nonprofit organizations due to their high-trust environments and limited IT resources.
In this article, we’ll explore how phishing works, break down a real-world example, and share practical strategies to help your team recognize and respond to phishing attempts.
What Is a Phishing Email?
A phishing email is a form of social engineering that impersonates a trusted source–such as a donor platform, financial institution, or internal colleague–to deceive recipients into taking harmful actions. These actions may include:
- Clicking on fake links.
- Downloading infected attachments.
- Entering login credentials into spoofed websites.
- Transferring funds or sensitive data.
Phishing attacks rely primarily on psychological manipulation rather than on technical vulnerabilities. They exploit human behavior–curiosity, urgency, trust–to get a person to take an action that technical controls would otherwise block, such as opening an attachment, clicking a link, or typing a password into a page the attacker controls.
Phishing Email Example: Can You Spot the Red Flags?
Here’s a sample phishing email designed to target nonprofit staff:
Subject: URGENT: Your donation account needs verification
Body:
Dear valued member,
Your donation portal has expired. Please click the link below to confirm your details immediately.
[Link: www.nonprofitdonorsupport-help.com]
At first glance, this email may seem legitimate. It references donations, uses formal language, and includes a plausible-looking link. But it’s a phishing attempt–crafted to exploit urgency and familiarity.
Let’s break down the red flags.
6 Common Phishing Email Red Flags
1. Urgent or Alarming Language
Phishing emails often use urgency to pressure recipients into acting quickly. Phrases like “URGENT,” “immediately,” or “your account will be suspended” are designed to provoke anxiety and bypass critical thinking.
Why it’s dangerous:
Urgency creates a false sense of crisis, leading recipients to click without verifying.
Best practice:
Encourage staff to pause and verify before responding to urgent requests. Legitimate organizations rarely demand immediate action via email.
2. Suspicious Links or URLs
Phishing links may look legitimate but contain subtle misspellings, extra characters, or misleading domains.
Example:
www.nonprofitdonorsupport-help.com
This URL mimics a donor support site, but the actual domain is nonprofitdonorsupport-help.com, which is not the nonprofit's own domain. Lookalike domains commonly combine a familiar word with generic terms such as “support” or “help” and a hyphen, and the visible link text in an email can differ from the address it actually points to. A padlock or “https” in the address is not proof of legitimacy either, since attackers can obtain certificates for their own domains.
Best practice:
Hover over links before clicking to inspect the full URL (on a phone, press and hold the link instead). Read the domain that appears just before the first single slash, from right to left: the registered domain is the last two labels, so www.nonprofit.org is your site but nonprofit.org.example-help.com is not. If it looks unfamiliar or slightly off, don’t click. Use bookmarks or type the address yourself to reach trusted sites.
3. Generic Greetings
Phishing emails often use non-personalized greetings like “Dear valued member” or “Dear customer” instead of addressing the recipient by name.
Why it’s dangerous:
Legitimate organizations typically personalize communications. Generic greetings suggest mass targeting. The reverse is not a guarantee, however: spear-phishing emails often use the recipient’s name and job title, so a personalized greeting on its own should not be taken as proof of legitimacy.
Best practice:
Treat generic greetings as a warning sign, especially in emails requesting sensitive actions.
4. Sender Address Mismatch
The sender’s email address may not match the organization it claims to represent. It might use a public domain (e.g., Gmail) or a spoofed address that looks similar to a real one. Note that the display name (“Nonprofit Donor Support”) is chosen freely by the sender and says nothing about who actually sent the message; only the address in angle brackets matters. Also check the Reply-To address, which attackers often point at a different domain from the one shown in From so that replies go to them.
Example:
donorsupport123@gmail.com instead of support@nonprofit.org
Best practice:
Always check the sender’s domain, not just the display name. If it doesn’t match the organization, it’s likely fraudulent. Train staff to inspect sender details before engaging, and to take mail-client warnings (such as an “external sender” banner or “could not verify the sender” notice) seriously, since a From address can be forged outright if the impersonated organization has not configured email authentication (SPF, DKIM and DMARC) for its domain.
5. Poor Grammar or Formatting
Many phishing emails contain spelling errors, awkward phrasing, or inconsistent formatting. These are signs of hastily written or translated content.
Why it’s dangerous:
Errors of this kind are an easy signal, but their absence proves nothing. Polished, error-free phishing emails are common, and the other red flags on this list apply just as much to a well-written message.
Best practice:
Encourage staff to look for inconsistencies in tone, grammar, and formatting. If something feels “off,” it probably is.
6. Requests for Sensitive Information
Phishing emails may ask recipients to provide login credentials, financial details, or personal data via email or through a link.
Why it’s dangerous:
Legitimate organizations rarely request sensitive information via email.
Best practice:
Verify requests through official channels before responding, using a phone number or address you already have rather than one supplied in the email. Never enter credentials into a website you reached from an email link; open the service from a bookmark instead. A password manager that suddenly declines to autofill a login page is a useful warning sign, because it matches saved credentials to the exact domain and will not fill them into a lookalike site.
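The six red flags above can be checked mechanically, which is a useful way to make the “spot the phishing email” exercise concrete. The following script is an added example written for this article, not a tool from Varsity Technologies or from the original page. It parses a raw copy of the sample email (constructed here, with From and Reply-To headers assumed for the exercise), applies checks 1, 2, 3, 4 and 6 (grammar, check 5, is left to the human reader), and reports what it finds. The organization’s own domain (nonprofit.org), the public-webmail list and the keyword lists are illustrative assumptions, not a complete ruleset, and it uses only the Python standard library.

```python
"""Red-flag scorer run over the sample phishing email from the article.

Added example, not part of the original page.  Assumptions (not in the
article): the nonprofit's real domain is nonprofit.org, the raw headers below
are constructed for the exercise, and the keyword lists are starting points.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAINS = {"nonprofit.org"}                      # assumption: our own domain(s)
PUBLIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY = ("urgent", "immediately", "suspended", "expired", "within 24 hours")
GENERIC = ("dear valued member", "dear customer", "dear user", "dear member")
SENSITIVE = ("confirm your details", "verify your account", "password",
             "login", "bank", "wire transfer")

# Constructed raw message modelled on the article's example (headers assumed).
SAMPLE = """\
From: "Nonprofit Donor Support" <donorsupport123@gmail.com>
Reply-To: collections@nonprofitdonorsupport-help.com
To: staff@nonprofit.org
Subject: URGENT: Your donation account needs verification
Content-Type: text/html

<p>Dear valued member,</p>
<p>Your donation portal has expired. Please click the link below to
confirm your details immediately.</p>
<p><a href="https://www.nonprofitdonorsupport-help.com/login">
www.nonprofit.org/donate</a></p>
"""


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' heuristic: www.example.org -> example.org.
    Assumption: no public-suffix list; fine for a training exercise."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value) -> str:
    """Domain of the real address in a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def domain_in_text(text: str) -> str:
    """If the visible link text looks like a URL or hostname, return its domain."""
    m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
    return registrable_domain(m.group(1)) if m else ""


def extract_links(html: str):
    """Yield (href, visible_text) pairs from anchor tags in an HTML body."""
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        yield m.group(1), re.sub(r"\s+", " ", m.group(2)).strip()


def score_email(raw: str) -> list:
    """Return the list of red flags found; an empty list means none tripped."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", body)            # strip tags for keyword checks
    lowered = (subject + " " + text).lower()
    flags = []

    # 1. Urgent or alarming language
    hits = [w for w in URGENCY if w in lowered]
    if hits:
        flags.append(f"urgency: {hits}")

    # 2. Suspicious links: destination not our domain, or visible text disagrees with href
    for href, visible in extract_links(body):
        dest = registrable_domain(urlparse(href).hostname or "")
        if dest not in ORG_DOMAINS:
            flags.append(f"link to non-org domain: {dest}")
        shown = domain_in_text(visible)
        if shown and shown != dest:
            flags.append(f"link text shows {shown} but goes to {dest}")

    # 3. Generic greeting
    if any(g in lowered for g in GENERIC):
        flags.append("generic greeting")

    # 4. Sender address mismatch: public webmail, foreign domain, or Reply-To elsewhere
    from_dom = addr_domain(msg.get("From"))
    reply_dom = addr_domain(msg.get("Reply-To"))
    if from_dom in PUBLIC_MAIL:
        flags.append(f"sender uses public mail domain: {from_dom}")
    elif from_dom and from_dom not in ORG_DOMAINS:
        flags.append(f"sender domain is not ours: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain ({reply_dom}) differs from From ({from_dom})")

    # 6. Request for sensitive information or action
    asks = [w for w in SENSITIVE if w in lowered]
    if asks:
        flags.append(f"asks for sensitive info/action: {asks}")
    return flags


if __name__ == "__main__":
    for flag in score_email(SAMPLE):
        print("RED FLAG:", flag)
```

Run against the sample it reports seven flags: urgency words, a link to nonprofitdonorsupport-help.com, link text claiming nonprofit.org while pointing elsewhere, the generic greeting, a Gmail sender, a Reply-To on a different domain, and the “confirm your details” request. The same function returns an empty list for a personalized message from support@nonprofit.org that links to www.nonprofit.org, which is the kind of before-and-after comparison to show staff. The two-label domain heuristic is deliberately simple; a production filter would use a public-suffix list and the message’s Authentication-Results header as well.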
Advanced Phishing Techniques to Watch For
As phishing evolves, attackers are using more sophisticated tactics:
Spear Phishing
Targeted attacks that use personalized information (e.g., names, job titles) to increase credibility.
Business Email Compromise (BEC)
Attackers impersonate executives or vendors to request wire transfers or sensitive data.
Clone Phishing
A legitimate email is copied and modified with malicious links, then resent to the recipient.
Smishing and Vishing
Phishing via SMS (smishing) or voice calls (vishing), often impersonating banks or service providers.
Why Nonprofits Are Targeted
Nonprofits face unique challenges that make them attractive targets:
- Limited cybersecurity infrastructure.
- High-trust internal culture.
- Valuable donor and beneficiary data.
- Frequent use of third-party platforms.
Attackers know that nonprofits often rely on email for donor communication, volunteer coordination, and service delivery–making phishing an effective entry point.
How to Train Your Team to Spot Phishing Emails
1. Interactive Challenges
Use exercises like the one above to engage staff in identifying phishing attempts. Create fake emails and ask teams to spot the red flags.
2. Simulated Phishing Campaigns
Work with your IT team or a cybersecurity partner to send simulated phishing emails to staff. Track responses and provide feedback. Measure how many people report the message, not only how many click, and treat a click as a training opportunity rather than a disciplinary matter; staff who fear blame stop reporting, which is the outcome you most need to avoid.
3. Regular Cybersecurity Training
Offer quarterly or biannual workshops that include phishing awareness, password hygiene, and secure communication practices.
4. Clear Reporting Channels
Ensure staff know how to report suspicious emails. Create a simple process and designate a point of contact.
5. Visual Aids and Reference Materials
Provide posters, checklists, and quick-reference guides that outline phishing red flags. Visual reminders help reinforce training.
What to Do If You Suspect a Phishing Email
If someone receives a suspicious email:
- Do not click any links or download attachments.
- Do not reply to the email.
- Report the email to your IT team or designated contact.
- Delete the email only after reporting it, so IT still has a copy of the message and its headers to examine.
- If a link was clicked, an attachment opened, or a password entered, notify IT immediately rather than waiting to see whether anything happens. IT can then reset the password, sign out active sessions, and check the account for unexpected mail-forwarding rules.
Building a Culture of Cyber Awareness
Phishing attacks are becoming more sophisticated, but with the right training and awareness, nonprofits can protect their data, staff, and mission. Exercises like the “Spot the Phishing Email” challenge are a simple yet effective way to engage teams and reinforce best practices.
At Varsity Technologies, we specialize in helping mission-driven organizations build cybersecurity resilience through tailored training programs. Our approach combines technical expertise with accessible, nonprofit-focused content–empowering teams to stay safe in a rapidly evolving digital landscape.