
GuideStar Blog

5 Considerations for Protecting Your Nonprofit From Spear Phishing Attacks

Emily Green

Phishing scams and identity theft have occupied many headlines in recent years. Scores of books and articles have been written to help people protect themselves, their families, and their assets from having their identities stolen. Large corporations generally have safeguards in place; however, if the recent Target breach taught us anything, it's that the bigger you are, the harder you fall.

Nonprofits, for their part, have a great deal to lose, and they make attractive targets for criminals looking for an organization to infiltrate. A spear phishing attack is a message crafted for a specific recipient, posing as a trusted person or department inside the organization, with the intent of extracting sensitive information such as credentials or banking details.

Here are a few considerations for protecting your nonprofit from spear phishing attacks.

It Starts With Your Organization and Infrastructure

The first line of any organization's defense, nonprofit or otherwise, is its own employees and supporters. Nonprofit administrators should know which devices their staff use for work and stay aware of the added risk that email-enabled phones carry: on a small screen the sender's real address and the true destination of a link are easy to miss, so people are more likely to disclose information without thinking about it.

Anti-spear phishing campaigns help spread awareness

A well-planned and executed campaign raises awareness of the dangers of spear phishing. Start boosting your defenses by educating the people associated with your organization about your email practices. Make sure that all supporters and employees know you'll never send emails asking for personal information, including usernames, passwords, banking information, phone numbers, and contact details, so that any message that does ask is recognized as a fake.

Certain behavior and habits can make people vulnerable

Even the most digitally astute person can fall victim to spear phishing if they don't know certain details about how it works. Here are some simple habits staff and supporters should get into to minimize their risk:

  • Pausing before clicking links
  • Hovering over hyperlinks to check where they lead before clicking on them
  • Paying attention to suspicious text and grammar patterns
  • Knowing what to do when receiving a suspicious email or phone call
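The "hover over the link" habit can be automated for an entire inbox or a mail gateway. The following is an added example, not code from the original post: it parses an HTML message body, pairs every link's visible text with its real destination, and flags the two tricks a hover check is meant to catch, namely a displayed address that differs from the actual host and a destination that is a bare IP address. The sample message and the domains in it are constructed for the demonstration (example.net and the 192.0.2.0/24 block are reserved for documentation).

```python
"""Automate the "hover over the link" check on an HTML email.

Added example, not code from the original post. The sample message and the
domains in it are constructed (example.net and 192.0.2.0/24 are reserved
for documentation).
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure: one honest link and two deceptive ones.
SAMPLE_EMAIL_HTML = """
<p>Our records need review. Please sign in at
<a href="http://guidestar-login.example.net/verify">https://www.guidestar.org/login</a>
or read our <a href="https://www.guidestar.org/policy">donor policy</a>.
Questions? Visit <a href="http://192.0.2.10/help">www.guidestar.org/help</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:      # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Lowercase hostname of a URL, or of a bare 'host/path' string."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text is itself presented as a web address."""
    text = text.strip().lower()
    return "://" in text or text.startswith("www.") or ("." in text and "/" in text)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_deceptive_links(html):
    """Return [(href, visible_text, [reasons])] for links a hover check would catch."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        dest = host_of(href)
        if looks_like_url(text) and host_of(text) != dest:
            reasons.append("visible text names a different host than the destination")
        if is_ip_literal(dest):
            reasons.append("destination is a bare IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The check is deliberately narrow: a lure whose link text is just "click here" and whose href is a lookalike domain passes it, which is why the habit of reading the destination host, not only comparing it with the text, still matters.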

Conditioning helps familiarize people with the basics

While it's a bit sneaky, many companies find it beneficial to use the services of organizations such as PhishMe. Its service educates users on the dangers of spear phishing and illustrates just how easy it is to have your information compromised, using the classic psychological technique of conditioning. It does this in three steps:

  1. PhishMe sends a typical spear phishing email to users
  2. Any users who follow the phony link in the email are alerted that they have just fallen for a simulated spear phishing attack
  3. These users are promptly led to a training course or exercise designed to inform them about the dangers of spear phishing, which increases their awareness and their ability to spot phony communications
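The three steps above are easy to reproduce in miniature, which is useful for understanding what such a service measures. The following is an added example for illustration and is not PhishMe's code or API: each recipient gets a lure containing a unique tracking link, a click is resolved back to the person and answered with a training page instead of a credential form, and the campaign report gives the click rate. The landing URL, the pretext text and the recipient addresses are constructed for the demonstration.

```python
"""Mechanics of a simulated spear phishing exercise: a unique tracking link
per recipient, click recording, and a just-in-time training page.

Added example for illustration; not PhishMe's code or API. The landing URL,
pretext text and recipient addresses are constructed.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TRAINING_PAGE = (
    "This was a simulated phishing exercise. The message you clicked came "
    "from an unverified sender and its link did not lead where it claimed. "
    "Please complete the short training module before continuing."
)


class PhishingSimulation:
    def __init__(self, landing_base, secret=None):
        self.landing_base = landing_base.rstrip("/")
        # Tokens are HMAC-derived, so a recipient cannot forge a colleague's
        # token by editing the URL. A fresh random key per campaign.
        self.secret = secret or secrets.token_bytes(32)
        self.recipients = {}  # token -> email address
        self.clicks = {}      # email address -> number of clicks

    def _token(self, email):
        digest = hmac.new(self.secret, email.lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:20]

    def build_lure(self, email, pretext_sender="Finance Department"):
        """Step 1: return the per-recipient link and the message body."""
        token = self._token(email)
        self.recipients[token] = email
        self.clicks.setdefault(email, 0)
        link = f"{self.landing_base}/review?{urlencode({'t': token})}"
        body = (
            f"From: {pretext_sender}\n\n"
            f"Please confirm the attached invoice before Friday: {link}\n"
        )
        return link, body

    def handle_click(self, url):
        """Steps 2 and 3: identify who clicked and serve the training page."""
        token = parse_qs(urlparse(url).query).get("t", [""])[0]
        email = self.recipients.get(token)
        if email is None:
            return 404, "Not found"       # not one of our links
        self.clicks[email] += 1
        return 200, TRAINING_PAGE

    def report(self):
        """Campaign metrics: who clicked and the overall click rate."""
        sent = len(self.clicks)
        clicked = sorted(e for e, n in self.clicks.items() if n)
        rate = len(clicked) / sent if sent else 0.0
        return {"sent": sent, "clicked": clicked, "click_rate": rate}


if __name__ == "__main__":
    sim = PhishingSimulation("https://training.example.org")
    people = ("alice@example.org", "bob@example.org", "carol@example.org")
    links = {e: sim.build_lure(e)[0] for e in people}
    sim.handle_click(links["bob@example.org"])   # Bob takes the bait
    print(sim.report())
```

A real exercise also needs consent from leadership, an exemption list, and a plan for what the landing page says, since a simulation that simply shames people teaches them to hide clicks rather than report them.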

Technology Can Allow or Deter Attacks

Of course, any established organization should have security measures in place. Most nonprofit administrators are doubtless already aware of the importance of anti-virus software and other digital protections against fraud, all the more so because the people you work with are generally very trusting. Nonprofits in particular should take care to keep their email systems and contact databases secure and to stop attackers from spoofing their domains in mail to donors (publishing SPF, DKIM and DMARC records for the domain is the standard way to do this).

Unfortunately, anti-virus software doesn't really protect you from a spear phishing compromise: the lure is a legitimate-looking message, and the attachment or link it carries is often new enough that signature-based scanning misses it. Look to solutions that go deeper into the problem. Technology such as Invincea's opens attachments inside an isolated sandbox, quarantines anything that misbehaves, and records the behavior that follows so that the patterns and connections that leave the organization at risk can be identified.

Additionally, email spam filters sideline fraudulent messages before they are presented to users who could open them. Blocklist subscriptions for known malicious senders and URLs, and a proxy that inspects links before the browser reaches them, effectively supplement that protection.

Spear phishing attacks are highly targeted and specialized; they take a top-down approach, impersonating leadership to exploit an organization's trust and steal its data. Don't fall victim to this 21st-century security problem.

The preceding is a guest post by Emily Green. Emily is a freelance writer with more than six years’ experience in blogging, copywriting, content, SEO, and dissertation, technical and thesis writing.
