Insights · Security

The phishing email your staff will click — and the 15-minute habit that stops it

Modern phishing doesn't look like a Nigerian prince. What today's attacks look like in a nonprofit inbox, and how to build resistance without shaming anyone.

By Andrew · NextGen Strategy PartnersJune 9, 20264 min read

The phishing email that gets clicked at a nonprofit doesn't promise money. It looks like the executive director asking for gift cards before a board meeting, a vendor "updating banking details," or a voicemail notification from your own phone system. It works because it's boring, plausible, and arrives on a busy Tuesday.

Attackers do their homework. Your leadership team is on your website; your vendors and partners are in your newsletters. A convincing impersonation takes minutes to build — which is why mission-driven organizations, with small teams and helpful cultures, get targeted more than their size suggests they should.

What the modern lure actually looks like

Training that shames clickers teaches staff to hide mistakes. Training that rewards reporting teaches them to raise their hand fast — and speed is what limits damage.

The 15-minute habit

Annual training alone fades in weeks. What works is little and often: fifteen minutes a month, as a standing agenda item. Show two or three real examples from your own industry, let people spot the tells together, and celebrate the person who reported something — even a false alarm. Especially a false alarm. You're not building experts; you're building the reflex to pause and verify money or credential requests through a second channel.

The safety net behind the habit

People will still click — that's a design constraint of humans, not a training failure. Layered email filtering, MFA everywhere, and 24/7 detection turn an inevitable click from a crisis into a contained incident.

The practical takeaway

Add fifteen minutes of security talk to next month's staff meeting, and make "forward anything suspicious, no judgment" official policy. For our clients, staff training and the safety net behind it are part of the flat rate — because a trained team is a security control.

Andrew, founder of NextGen Strategy Partners

Andrew — Founder, NextGen Strategy Partners

Veteran-owned managed IT for the nonprofits, schools, behavioral health providers, and medical & dental practices of McHenry & Lake Counties. Request a free security assessment →

Find out where you stand — before someone else does.

Our free IT security assessment gives your leadership a plain-English report on your risks, your compliance gaps, and exactly what it would cost to fix them. No obligation, no jargon.

Request the free assessment