
Cyber Safety for Non-Profits: Outsmarting Social Engineering Scams


October 14, 2025

When most people think of cyberattacks, they imagine hackers writing complex code to break through firewalls. But in reality, one of the most common and effective tools in a scammer’s toolkit isn’t technical at all—it’s psychological. It’s called social engineering, and it relies on manipulating human behaviour rather than breaking systems.

For non-profit organizations, these scams can be especially damaging. Let’s break down what social engineering scams are, why NPOs are often targeted, and what you can do to protect your organization.


Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.

What is social engineering and why is it so common?


Social engineering is a cybercrime tactic that targets people rather than technology. Scammers exploit fear, urgency, or appeals to compassion to trick individuals into sharing sensitive information, sending money, or clicking harmful links.

These types of schemes are so common because they work. Scammers understand that manipulating a person is faster, cheaper, and easier than bypassing technical security. And with the rise of AI-generated voices, videos, and messages, these scams are more convincing than ever, making it increasingly difficult for even the most cautious individuals to tell the difference between a scam and a legitimate request.

Why are non-profit organizations specifically targeted?


According to a 2023 report by the Nonprofit Technology Network (NTEN), 27% of non-profit organizations surveyed have experienced at least one cyberattack. It might seem surprising that scammers would target smaller non-profit organizations rather than large, profit-driven companies. But in reality, non-profits can be especially vulnerable to social engineering.

Many operate on limited time and budgets, which means they often lack the same level of cybersecurity protections or formal training programs that larger organizations can afford. At the same time, non-profit staff and volunteers tend to be driven by empathy and compassion—a strength that scammers count on exploiting for profit.

What are the most common types of scams—and how can you avoid them?


As a non-profit, the very information that helps you serve your community also puts you at risk. Donor, volunteer, and beneficiary records often contain sensitive personal and financial details that are highly valuable to criminals. When this data is stolen, the consequences can be devastating, leading to identity theft, fraud, and a costly recovery process that can quickly drain limited resources. These attacks can also paralyze daily operations, delaying programs and services that vulnerable communities depend on.

Beyond the immediate financial and operational impact, the greatest risk lies in reputational damage. Trust is a non-profit’s most valuable currency, and once it’s broken, it can be difficult to regain. Falling victim to a scam can erode donor confidence, reduce volunteer engagement, and weaken community support—all of which can have long-term effects on funding, partnerships, and the ability to carry out your mission.

Here are some of the most common types of social engineering scams, and our top tips to avoid them:

1. Phishing Scams


Phishing scams use emails, text messages, or even your website’s contact form to impersonate trusted partners, banks, lawyers, or vendors. Scammers often create urgency by threatening lawsuits or retribution, such as claiming your nonprofit’s logo infringes on a corporation’s trademark and urging you to click a link to “see the evidence.” Others send fake invoices by email or fax.

PRO Tips:

  • Require multiple approvals for invoices and payments, and only pay invoices from known, approved vendors.
  • If you get an email notification from a vendor saying that their remittance information has changed, call a known contact at that vendor to verify that the new payment information is legitimate. Do not trust the phone number or contact information in the email.
  • When in doubt, remember SLAM:
    • Sender: Check the actual email address, not just the display name. Look for misspelled or look-alike domains (an extra letter, a digit in place of a letter, a different top-level domain), or an address that doesn’t match the name of the sender at all.
    • Links: Hover before you click to see where the link really goes. If the visible text and the destination don’t match, or the destination is a domain you don’t recognize, don’t click.
    • Attachments: Don’t open files from anyone you don’t know, and be suspicious of unexpected attachments, even when they come from someone you do know. Executables and double extensions such as “invoice.pdf.exe” should never be opened.
    • Message: Look for suspicious language, poor grammar, unusual tone, or pressure to act immediately.
  • If you do click on a suspect link, don’t pretend it didn’t happen—let your IT team or person know, and/or run a malware check on your computer.
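
The SLAM checks above can be partly automated before a message ever reaches the finance team. The following Python script is added here as an illustration; it is not code from PROLINK or from this post. It runs the Sender, Links, Attachments and Message checks over a raw email: it compares the real sender domain against a hypothetical list of known vendor domains to catch look-alikes, flags a Reply-To that differs from the From address, compares each link’s visible text with its true destination, flags executable or double-extension attachment names, and searches the text for urgency wording. The vendor domains, the risky-extension list, the urgency phrases and the sample message are all assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains of vendors the finance team already pays (hypothetical).
KNOWN_DOMAINS = {"example-vendor.com", "example-bank.ca"}
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "lnk", "iso", "html", "htm", "zip"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "lawsuit")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")

def host_of(url_or_text):
    # Hostname of a URL; bare "example.com/path" link text is treated as a URL too.
    s = url_or_text.strip()
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs so the two can be compared.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def attachment_findings(name):
    """A - Attachments: executable types and double extensions posing as documents."""
    pieces, out = name.lower().split("."), []
    if len(pieces) >= 2 and pieces[-1] in RISKY_EXTENSIONS:
        out.append(f"{name}: executable or script extension .{pieces[-1]}")
    if len(pieces) >= 3 and pieces[-2] in {"pdf", "doc", "docx", "xls", "xlsx"}:
        out.append(f"{name}: double extension disguised as a document")
    return out

def slam_check(raw_message):
    """Return findings per SLAM category; all-empty lists mean nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = {"sender": [], "links": [], "attachments": [], "message": []}
    # S - Sender: judge the real address, not the display name; a domain that is
    # nearly a known vendor is a look-alike, and a foreign Reply-To redirects replies.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain and from_domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if SequenceMatcher(None, from_domain, known).ratio() >= 0.9:
                findings["sender"].append(f"{from_domain} looks like known domain {known}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings["sender"].append(f"Reply-To {reply_domain} differs from From {from_domain}")
    # Walk every MIME part once, collecting the HTML body and attachment names.
    html = ""
    for part in msg.walk():
        if part.get_filename():
            findings["attachments"] += attachment_findings(part.get_filename())
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
    # L - Links: what the text shows versus where the href really goes.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target, shown = host_of(href), host_of(visible)
        if IP_RE.match(target):
            findings["links"].append(f"link target is a bare IP address: {target}")
        if DOMAIN_RE.match(shown) and shown != target:
            findings["links"].append(f"link text shows {shown} but points to {target}")
    # M - Message: pressure language that a genuine vendor rarely needs.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings["message"].append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample (not a real message) with one lure per SLAM category.
SAMPLE_EMAIL = """\
From: Example Vendor Billing <billing@examp1e-vendor.com>
Reply-To: accounts@mail-update.example.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>URGENT: update your records immediately or payments will be suspended within 24 hours.</p>
<p><a href="http://203.0.113.5/update">https://example-vendor.com/remittance</a></p>
--b1
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

TVqQAAMAAAAEAAAA
--b1--
"""
```

Running slam_check(SAMPLE_EMAIL) reports all four categories: the look-alike domain and the redirected Reply-To, the bare-IP link whose text names the real vendor, the executable double-extension attachment, and the urgency wording. A script like this is a triage aid, not a replacement for the phone call to a known contact: a clean result only means none of these particular tells were present.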


2. Spear Phishing


Spear phishing targets specific individuals, usually by impersonating senior leaders like the executive director or board members. These emails often look legitimate, with correct formatting, signatures, and details. Common ploys include requesting staff to purchase gift cards and send the codes, or asking to change an employee’s payroll information to a fraudulent account.

PRO Tips:

  • Always verify unusual requests by phone or in person, using a number you already have on file rather than one supplied in the message. Do not process the request until you get a verified response. Criminals often know when key people are away or on vacation and time their requests to take advantage of that.
  • Conduct staff training to recognize signs of spear phishing and other scams.
  • Use multi-factor authentication to reduce the risk of email account takeovers; phishing-resistant methods such as security keys or passkeys offer the strongest protection.


3. Smishing


Smishing (SMS phishing) uses text messages to trick recipients into clicking malicious links, downloading malware, or sharing personal information. With text open rates near 98% (compared to about 27% for email), this method is especially effective.

PRO Tips:

  • Never click on links from unverified sources or unsolicited texts.
  • Remind staff that banks, vendors, and the Canada Revenue Agency (CRA) will not request sensitive details over SMS.


4. Malware and Ransomware


Malware scams use links or attachments to install harmful software on your systems. The goal may be to steal sensitive data, divert funds, or paralyze your operations until a ransom is paid.

PRO Tips:

  • Keep all software and firmware updated.
  • Use reputable antivirus, firewalls, and spam filters.
  • Hover over a link to see its real destination before clicking on it; a mismatch between the visible text and the target is a warning sign.
  • Send suspicious attachments to your IT team for safe scanning before opening.
  • Consider cybersecurity services for additional protection.


5. Cheque Scams


Cheque scams typically involve fake donations. Scammers send a large cheque, then request a partial refund of the “overpaid” amount before the cheque bounces—leaving the nonprofit out-of-pocket.

PRO Tips:

  • Verify new or large donors through official channels.
  • Never issue refunds until the cheque has fully cleared. “Funds available” is not the same as cleared: a bank can reverse a deposit days or weeks later if the cheque turns out to be counterfeit.
  • Train staff and volunteers to spot suspicious donations.
  • Work closely with your bank on verification practices.


6. ClickFix


First seen in 2024, ClickFix is a scam that uses pop-up messages mimicking system errors or verification prompts to trick users into “fixing” a problem themselves. Typically the pop-up tells the user to copy a command and paste it into the Windows Run dialog, PowerShell, or a terminal. Once the instructions are followed, malware is installed, compromising the device and potentially the entire network. Because the victim runs the command, no malicious attachment ever has to pass through the email filter.

Common example messages include: “Unable to display page — install update to refresh browser”, “Error loading document — download plugin to view”, or “Error opening email attachment — click to fix.”

PRO Tips:

  • Train staff to ignore suspicious pop-ups. No legitimate website or error message will ask you to copy a command and paste it into the Run box, PowerShell, or a terminal; treat any such instruction as an attack and report it.
  • Use endpoint protection software that blocks malicious downloads and flags suspicious script execution.

No organization can eliminate risk entirely—but non-profits can greatly reduce their chances of falling victim to social engineering attacks through training, strong processes, and the right safeguards. With preparation, you can protect your mission, your data, and the people who rely on you every day.

While prevention is key, it’s equally important to plan for the unexpected. Transferring risk by investing in cyber insurance can provide a critical safety net, helping your nonprofit recover financially and operationally if an attack does succeed.

How can we help you?


Cyber threats are complicated, but safeguarding your organization doesn’t have to be. As a licensed broker with over 40 years of experience, PROLINK is here to guide you through the risks of cybercrime and provide tailored Cyber Insurance designed specifically for non-profits like yours.

Your team works hard to make every dollar and every hour count—don’t let a cyber scam derail that impact. With PROLINK on your side, you can focus on creating impact while we help keep your organization protected. Connect with us today to learn more!


PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.

