Guest post for Bearing Tree, by Aaron House, CCS, Inc.
Very recently, my team worked an incident that started with an innocuous email from someone who appeared to be a helpful “representative” of a major accounting software vendor, offering to support a user through a migration to the latest version of the software.
The target was a C-level executive. The attacker posed as a legitimate support contact and did what good social engineers do: they were patient. The initial con took weeks. They built rapport over email, provided what seemed like real assistance, and made every interaction feel routine. The contact was initiated by email but quickly moved to phone calls. Bad actors don’t talk on the phone, right? Surely only legitimate support representatives would do that. By the time they finally made their move, asking to remotely connect to the executive’s computer, trust had already been established. It didn’t feel like a request from a stranger. It felt like the logical next step in having support walk you through a scheduled upgrade.
The attack failed at the last second, and here’s the part worth paying attention to: it wasn’t a person who caught it. The security tools we had deployed at the organization blocked the remote connection the moment the attacker tried to establish it. Once the proverbial alarm bells were ringing and IT began to uncover the plot, the executive said to me, “How could I have been so stupid? This is literally the same thing our security training has covered, and I still fell for it.” I reassured her that if smart people couldn’t fall for this, we wouldn’t spend so much time training for this exact situation.
That’s not a knock on the executive. That’s the whole point. These attacks work on smart, careful people because they’re built to. Nobody clicks a link labeled “malware,” they trust a person who spent weeks earning it. Which is why real security isn’t one thing. It’s trained people and good tools and simple rules, layered so that when one gets beaten (and eventually one will), the next one holds.
Why nonprofits get targeted
I hear this one a lot: “We’re a small nonprofit, why would anyone bother with us?” The hard truth is that attackers bother with you because you’re a small, or even mid-sized nonprofit. Maybe it’s lean staff wearing five hats. Or a culture built on trust and fast responses. Donor data is worth real money, and financial processes that often run through one or two people make you a prime target. An attacker doesn’t need to break through your firewall or your EDR/MDR/XDR or all of those other abbreviations, they just need one person to trust one email, or one friendly voice on the phone at the right moment. And as you just read, they’re willing to invest weeks (or more!) to get there.
The good news? Most of the defenses that matter are habits and policies, not products. Here are five things you can put in place starting this week.
1. Adopt a callback rule for anything involving money
If you take one thing from this article, make it this one. The rule is simple: any request to change payment details, banking info, or wire/ACH instructions gets verified by phone, using a number you already have on file, never a number from the email itself, and never with the person who made the request.
When attackers get into (or impersonate) an email account, they go after payments. Every time. A vendor “updating their banking info.” A director who “urgently” needs a transfer while they’re “in a meeting.” A payroll change from an employee. These are the scams that drain nonprofit bank accounts, and a sixty-second phone call stops nearly all of them. It costs nothing. Put it in writing today.
2. Turn on multi-factor authentication. Everywhere.
If your email, accounting software, or donor database can be opened with just a password, you are one phishing email away from a very bad week. MFA, the extra prompt on your phone when you log in, shuts down the vast majority of account takeovers, even when the attacker has the right password.
Start with email. An attacker sitting inside a staff mailbox can reset passwords for everything else, quietly read conversations for weeks, and pick the perfect moment to strike. Lock that door first.
3. Teach your team what social engineering actually looks like
“Don’t click suspicious links” is useless advice, because good attacks aren’t designed to look suspicious. They’re designed to look like Tuesday. Sometimes they arrive as a single email; sometimes, like the incident above, they arrive as a friendly, patient “helper” who plays the long game. What your team should actually watch for:
- Urgency and pressure: “This needs to happen today.” “Can’t talk, just handle it.”
- Anything involving money, gift cards, passwords, or remote access to your computer: especially from someone you didn’t seek out first
- A sender address that’s almost right: one letter off, or a lookalike domain (this is what tripped up the executive I mentioned earlier)
- Unsolicited “support”: legitimate vendors don’t call out of the blue and work with you for weeks to get on your machine
- Unexpected attachments or login pages: even from people you know, because their account might be the one that’s compromised
This is where real security awareness training earns its keep: short, regular sessions plus simulated phishing tests. And here’s the thing: the executive in our story had the training, recognized the pattern immediately afterward, and still got played in the moment. That’s not a failure of training; it’s the reason training can’t be your only layer. A trained person reports faster, recovers faster, and helps you understand what happened. An untrained one might never mention it at all.
4. Make reporting easy and safe
Your staff will only report suspicious contact if they know exactly where to send them and they’re not afraid of looking dumb. Pick one channel, such as a shared mailbox, a report button, or a designated person, and tell your entire staff from the start.
Then make this your cultural rule: the person who reports right away is the hero, not the problem. If a C-level executive can get taken in by a weeks-long con, anyone can, so nobody at your organization should ever be embarrassed to raise a hand. The incidents that do real damage are the ones nobody mentions until after the damage is done.
5. Have the right tools in place and know who you’ll call
In the incident above, the last line of defense wasn’t a person. It was a security tool that recognized an unauthorized remote-access attempt and shut it down cold. Every organization, no matter the size, should have that kind of backstop: protection on every device that can stop what humans miss.
And decide now, before you need it: Who unplugs the affected computer? Who do you call for technical help? Who calls the bank if money’s involved? Who calls your insurance carrier? Write it down and keep a copy somewhere that isn’t on your network. Let me reiterate that last point: make sure the whole team knows where it lives and what’s inside. A detailed document explaining your next steps is useless if the one or two people who know where it lives are out of office at the time of an attack or so overwhelmed by the situation that they forget to reference it. The whole staff should know exactly what their role is in the event of a cyber incident.
Start this week
If you do nothing else after reading this, do these three things:
- Announce the callback rule for all payment and banking changes today, in writing.
- Turn on MFA for email, starting with leadership and anyone who touches money or sensitive/proprietary company data.
- Tell your team where to report suspicious emails and calls and publicly thank the first person who does it.
A recent post by Bearing Tree on this blog made the point that one compromised device can cripple a nonprofit. True, but the flip side is just as real. One trained employee, one verification call, one well-placed security tool can stop an incident cold, even weeks into a con. No single layer is unbeatable. Stacked together, they’re what stands between a close call and a very bad quarter.
Aaron House is the owner of CCS, Inc., an Illinois-based IT services firm supporting nonprofits, law firms, medical practices, and other high-compliance industries nationwide.
About Our Partnership with CCS, Inc.
At Bearing Tree, we believe that strong nonprofit operations require strong technology partners. That's why we've partnered with CCS, Inc., who serves as Bearing Tree's Managed IT Services and Cybersecurity provider and supports many of our partner organizations as well.
The practical recommendations shared in this article aren't just theory. They reflect the same cybersecurity practices, employee training, monitoring, and IT support that CCS delivers every day to Bearing Tree and many of the nonprofits we serve. We're grateful for their partnership and their commitment to helping organizations stay secure in an increasingly complex technology landscape.
Interested in learning more? We'd be happy to connect you with the CCS team to discuss your organization's IT and cybersecurity needs.
Leave a Reply
Your email address will not be published. Required fields are marked *