When it comes to cybersecurity, associations and nonprofits often think they're flying under the radar. But the truth is: they're not. Hackers love organizations that rely heavily on email, store sensitive member or donor data, and don't always have big IT budgets. That's why attacks like Business Email Compromise (BEC), Account Takeover (ATO), and ransomware are increasingly hitting mission-driven organizations.
In this Vortacity (Cyber for Associations) blog post, we break down what these threats are, how they're connected, and why associations and nonprofits should be paying close attention.
BEC is when a cybercriminal tricks someone into doing something harmful, like wiring money or sharing sensitive data, by pretending to be someone trustworthy (like your CEO, a vendor, or a board member). It's social engineering with a professional twist, and it's incredibly effective.
Think of it as a scam that looks legit because it lands in your real inbox, sometimes even from a real person in your organization. The FBI tracks these cases closely: Business Email Compromise | FBI
ATO happens when attackers get access to a real user's email account, usually through stolen passwords, phishing, or credential stuffing. Once inside, they can snoop, steal data, and impersonate that person to trick others (cue the BEC).
These attacks are sneaky because they're not just spoofed emails; they're coming from real accounts. That means they often bypass spam filters and don't raise red flags.
Varonis breaks it down well: How to Identify and Investigate BEC Scams
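As an added example (this is not code from the Vortacity post or the Varonis article), here is a small Python script that looks for the credential-stuffing pattern mentioned above in sign-in logs: one source IP failing against many different accounts and then succeeding on one of them. The log format, the sample lines and the five-account threshold are constructed assumptions, not any product's real schema.

```python
"""Flag credential-stuffing activity in sign-in logs.

Added example, not code from the Vortacity post. The log format
("timestamp user source_ip result"), the sample lines and the
five-account threshold are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample sign-in log. 198.51.100.7 tries five different
# accounts and finally gets into frank's; 203.0.113.25 is a user who
# mistyped a password once and then signed in normally.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice@example.org 198.51.100.7 FAIL
2024-05-01T08:00:02Z bob@example.org   198.51.100.7 FAIL
2024-05-01T08:00:03Z carol@example.org 198.51.100.7 FAIL
2024-05-01T08:00:04Z dave@example.org  198.51.100.7 FAIL
2024-05-01T08:00:05Z erin@example.org  198.51.100.7 FAIL
2024-05-01T08:00:06Z frank@example.org 198.51.100.7 SUCCESS
2024-05-01T09:15:00Z alice@example.org 203.0.113.25 FAIL
2024-05-01T09:15:30Z alice@example.org 203.0.113.25 SUCCESS
2024-05-01T10:00:00Z bob@example.org   192.0.2.10   SUCCESS
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank or malformed line
        ts, user, ip, result = fields
        events.append({"ts": ts, "user": user, "ip": ip, "result": result})
    return events


def find_stuffing_sources(events, min_distinct_users=5):
    """Source IPs whose failed sign-ins span many distinct accounts.

    A single user fat-fingering a password fails repeatedly on ONE
    account; credential stuffing fails across MANY accounts from one
    source. Returns {ip: sorted list of accounts attempted}.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_distinct_users}


def find_takeovers(events, flagged_ips):
    """Successful sign-ins from a flagged source: the accounts to reset
    and investigate first. Returns [(user, ip), ...]."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "SUCCESS" and e["ip"] in flagged_ips]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(events)
    for ip, users in flagged.items():
        print(f"{ip}: failed against {len(users)} accounts: {', '.join(users)}")
    for user, ip in find_takeovers(events, flagged):
        print(f"LIKELY TAKEOVER: {user} signed in from {ip}")
```

On the sample data this flags 198.51.100.7 and reports frank@example.org as the account to reset first; the single failure from 203.0.113.25 is not flagged, since the distinct-account count is what separates stuffing from an ordinary typo. MFA on every account is what stops the final SUCCESS line from ever happening.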
Here's where things really escalate. Once a bad actor gains access to someone's email (ATO), they can use that to launch a BEC scam. But that's not always where it ends. Increasingly, attackers use that access to move deeper into the network, sometimes planting ransomware along the way.
According to the 2024 Microsoft Digital Defense Report, ransomware is still a top threat, especially when tied to email-based access. And unmanaged devices? They're often the point of entry.
"Increases in human-operated ransomware and initial access activity underscore the importance of monitoring identity and endpoint posture." (Microsoft Digital Defense Report 2024)
You might be thinking: "We're a membership org, not a big corporation. Why would they target us?"
Here's why:
And yes, this is happening in our space.
In 2023, a data breach hit a company called Evide, which managed sensitive data for about 140 nonprofits across the UK and Ireland. Multiple charities, like One in Four, which supports survivors of abuse, were affected, and thousands of personal records were exposed.
Check it out here: Evide Data Breach (Wikipedia)
This kind of ripple effect shows why even indirect email compromises can have devastating impacts across the association and nonprofit ecosystem.
The good news? There are affordable, manageable steps associations and nonprofits can take right now:
✅ Turn on MFA (Multi-Factor Authentication): for every user, especially on email and cloud tools.
✅ Use strong, unique passwords: and encourage the use of password managers.
✅ Train your team: make sure staff and volunteers know how to spot phishing and fraud.
✅ Lock down email authentication: SPF, DKIM, and DMARC make it harder for attackers to spoof your domain.
✅ Have an incident response plan: know what you'll do if something goes wrong.
If you want a deeper dive, Varonis has a great resource on securing your domain: Stop Email Spoofing with DMARC, SPF, and DKIM
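As an added example tied to the email-authentication step above (this is not code from the Vortacity post or the Varonis resource), the Python script below reviews SPF and DMARC TXT records for the weak settings that leave a domain spoofable: an SPF record that ends in +all or ?all or exceeds the ten-lookup limit, and a DMARC record with p=none, no rua= reporting address, or a partial pct. The records in it are constructed samples; a real check would look up your own domain's TXT records and pass them in. DKIM is left out because verifying it requires the sending system's selector and public key.

```python
"""Review SPF and DMARC TXT records for weak settings.

Added example, not code from the Vortacity post or the Varonis
article. The records below are constructed sample values; to check a
real domain, fetch its TXT records (e.g. with dnspython) and pass the
strings to check_spf() / check_dmarc(). DKIM is not checked here
because verifying it needs the sending system's selector and key.
"""

# Constructed sample records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 a mx include:_spf.example.net +all"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; pct=100"

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means no weakness found."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: record is invalid")
    elif policy == "none":
        findings.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


def check_spf(record):
    """Return a list of findings for an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The qualifier on the final 'all' decides what happens to senders you did not list.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: any host on the internet may send as your domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, no protection")
        elif qualifier == "~":
            findings.append("~all: softfail only; use -all once all senders are listed")
    # Count lookup-causing terms (include:, a, mx, ptr, exists:, redirect=).
    lookups = 0
    for t in terms[1:]:
        name = t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, SPF returns permerror")
    return findings


if __name__ == "__main__":
    for record in (WEAK_SPF, GOOD_SPF):
        print("SPF  ", record, "->", check_spf(record) or ["ok"])
    for record in (WEAK_DMARC, GOOD_DMARC):
        print("DMARC", record, "->", check_dmarc(record) or ["ok"])
```

The weak pair reports +all (anyone can send as the domain) and p=none with no reporting address (spoofs are neither blocked nor visible to you); the hardened pair comes back clean. A record that passes both checks still needs its actual mail sources listed in SPF, or legitimate mail will start failing once p=reject is in place, which is why the usual path is p=none with rua= reporting first, then quarantine, then reject.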
At Vortacity, we work with associations and nonprofits every day to shore up defenses before these kinds of attacks happen. Whether it's email security audits, recommending training tools, relationships with the top MSPs, deploying MFA, attack path mapping, or monitoring for account compromise, we've got your back.
Let's keep your mission safe from cybercriminals, because your cause deserves nothing less.
Want to see how your org stacks up? Let's chat.
A quick security check could save your association from major headaches down the road.