Modern phishing doesn't look like a Nigerian prince. What today's attacks look like in a nonprofit inbox, and how to build resistance without shaming anyone.
The phishing email that gets clicked at a nonprofit doesn't promise money. It looks like the executive director asking for gift cards before a board meeting, a vendor "updating banking details," or a voicemail notification from your own phone system. It works because it's boring, plausible, and arrives on a busy Tuesday.
Attackers do their homework. Your leadership team is on your website; your vendors and partners are in your newsletters. A convincing impersonation takes minutes to build — which is why mission-driven organizations, with small teams and helpful cultures, get targeted more than their size suggests they should.
Annual training alone fades in weeks. What works is little and often: fifteen minutes a month, as a standing agenda item. Show two or three real examples from your own industry, let people spot the tells together, and celebrate the person who reported something — even a false alarm. Especially a false alarm. You're not building experts; you're building the reflex to pause and verify money or credential requests through a second channel.
People will still click — that's a design constraint of humans, not a training failure. Layered email filtering, MFA everywhere, and 24/7 detection turn an inevitable click from a crisis into a contained incident.
Add fifteen minutes of security talk to next month's staff meeting, and make "forward anything suspicious, no judgment" official policy. For our clients, staff training and the safety net behind it are part of the flat rate — because a trained team is a security control.
Our free IT security assessment gives your leadership a plain-English report on your risks, your compliance gaps, and exactly what it would cost to fix them. No obligation, no jargon.