How to Recognize a Phishing Attack Against Your Nonprofit

By Amanda Farmer, Chair, Impact Austin Technology Committee

Phishing attacks are on the rise across sectors, including the nonprofit space. Last year, one security firm tracked a 1,265% increase in malicious phishing emails after the release of Chat GPT made it easier for attackers to launch sophisticated attacks quickly.

“Sophisticated” phishing can refer to a number of different approaches wherein an attacker researches an organization and impersonates someone trusted by that organization in order to extort money, login credentials, financial information or other sensitive data they can use or sell.

As Impact Austin, our grant recipients, and other Austin-area nonprofits become increasingly targeted by this type of sophisticated phishing attack, it is vital that we work as a community to thwart these attackers.

Sophisticated attacks may not be caught by cybersecurity software or spam filters, leaving the intended victims as the last line of defense. Here are a few basics that will help you recognize a modern phishing attack.

3 Misconceptions about Phishing Scams

First, it’s important to understand that modern phishing attacks may not look like you expect them to. Holding any of these common misconceptions can make it harder for a victim to recognize and stop a phishing attack.

1. Cyber attackers only target big businesses. (False)

   The truth is cyber attackers target organizations of all sizes — including small non-profits. In fact, sometimes non-profits and smaller organizations make enticing targets because of the perception that they are “target-rich, cyber-poor,” meaning they have access to valuable financial and personal data but limited IT resources to devote to cybersecurity.

   
   

   If you think your organization cannot or will not be the target of a sophisticated phishing attack, it may make you less likely to recognize one when it happens.

   
   

2. Phishing scams are always easy to spot. (False)

   In the early days of email, phishing scams were typically launched as massive, impersonal campaigns targeting thousands of recipients with the same message — frequently rife with telltale grammatical and spelling errors thanks to the rudimentary translation engines available at the time. As such, these emails were easier for spam filters and the average person to detect. Today, attackers often use more sophisticated methods.

   
   

   They may research your organization in order to impersonate a real board member and make plausible requests for funds or sensitive information. They may spoof or compromise a director or vendor’s email account to lend their message more credibility. And with the advent of generative AI engines like Chat GPT, they can now develop these messages with perfect grammar and spelling in any language they choose.

   
   

   All of these factors make modern phishing attacks much harder to spot.

   
   

3. It’s embarrassing to fall victim to a cyber attack. (False)

   If you or one of your employees has fallen victim to a cyber attack, it’s important to remove shame from the equation. It is not naïve to fall victim to a cyber attack, especially as attacks grow more more sophisticated and difficult to spot. Remember that you have been targeted by an attack that was purposely engineered to deceive not only you, but advanced cybersecurity software and professionals. If this happens to you, do not be silent. Come forward and report the attack to the authorities.

Modern phishing attacks may be harder to recognize, but there are still a few ways you can spot them.

5 Signs You’re Being Targeted by a Phishing Attempt

1. Asks for money, login credentials, personal information or other sensitive information to be submitted to the requester or a third-party recipient or filled in on a web form. When money is requested, the message may claim the funder will be reimbursed at a later time. Cyber criminals have a number of intentions for launching a phishing attack, but the goal is most often either to steal something — money, data, or credentials — or infect something with malware. Understanding these goals can make it easier to recognize when you’re being targeted.

   
   

2. Demands a sense of urgency in completing the request (e.g. today, in the next hour, by end of day, etc.). If the requestor is pushy and insistent in tone, it’s a clear indicator they’re a threat actor.

   
   

3. Seems abnormal for the purported sender. If the message purports to be from someone you know (e.g. a fellow employee, member, or board member) but seems out of keeping with their usual voice or the types of requests they would typically make, stop and question whether the message may be fraudulent.

   
   

4. Contains misleading links that point to a suspicious or unexpected website. Before clicking a link in a suspicious email, hover over it with your cursor (on desktop/laptop) or long press the link (on mobile) to reveal the URL to which the link is pointing.

   
   

5. Comes from a suspicious email address. Occasionally, an attacker will gain access to the email credentials of the person they plan to impersonate, enabling them to send phishing emails from the victim’s real account. However more often, phishing emails come from an address that does not belong to the purported sender. Be sure to check the sender’s email address — not just the display name — by either clicking “Show details” (Gmail), hovering over the sender’s name (Outlook), or clicking the sender’s name (Apple Mail).

Trust your gut. If something feels wrong, it probably is.

What to do if you’re targeted

There are three steps you can take once you have determined the message you received seems fraudulent.

1. If you’re unsure whether a message is a scam, use a different communication channel to contact the purported sender.

   
   

2. Use the Report Spam button in your email client, phone app, or social media site, and block the sender’s email address, phone number, or social profile.

   
   

3. Report the attack to the authorities as follows.

If no money exchanged hands, report the attack to:

• FTC: https://reportfraud.ftc.gov/    

• APWG: https://apwg.org/reportphishing/ 

If money exchanged hands or if you are concerned about your safety, then in addition to

the two entities above, report it to:

• Texas Attorney General https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/

• Austin Police Department: https://www.austintexas.gov/department/financial-crimes

• FBI - The Internet Crime Complaint Center: https://www.ic3.gov/

  
  

Again, if you have fallen victim to a phishing scam, do not be ashamed to come forward. Scams are growing increasingly difficult to detect, even for cybersecurity professionals.

We Are Strongest Together

The biggest advantage nonprofits have in defending against phishing attacks is the tightness and strength of our communities. Cyber criminals thrive in places where communication and interconnectedness are low.

By staying vigilant, informed, and close with your community, you’re already helping Impact Austin and our nonprofit colleagues stay safer. When we work together, we win.