Email breaches can be costly for an organization. Just knowing an email address allows hackers to use many tools to inflict financial, informational, and reputational harm. Nonprofits are not immune to this threat.
How big is the problem? Last year, WhoIsHostingThis released a report, Uncovering Trends in Email Breaches. They studied a sample of over 200,000 email addresses. They found that over 40 percent of those with ORG extensions had been "pwned" (made public).
This was a smaller percentage than for the extensions COM (80 percent), NET (57 percent), EDU (52 percent), and GOV (42 percent). But it's still a substantial cause for concern.
Many people don't think that having their email addresses publicly known is an issue. And in most cases, it isn't. But it can be.
When people hear the term "hacker," they normally think of people using technological know-how to get past computer security. But hacking is just as likely to involve tricking humans through everyday communications like email, text messages, or phone calls.
This kind of social engineering usually takes the form of a legitimate-looking email message designed to get the target to provide sensitive information or transfer funds.
In 2017, hackers using a phishing attack got access to a worker's email address at Save the Children Federation. Using various fake documents (including invoices), they stole nearly a million dollars from the charity.
Social Media Hijacking
Wired magazine has tracked the dangers that nonprofits can encounter on Facebook.
After the owner of a popular animal charity had her Facebook account hacked, the intruder quietly established themselves as an administrator on the account.
The hacker then launched a fraudulent GoFundMe fundraiser — all in the name of the nonprofit.
A months-long struggle to boot the squatter out of the account ensued.
Reputational Harm: Fallout From Fraud
If your nonprofit is defrauded via hacking, you may wind up having to report the incident to your board or in government filings.
Should the incident become public, it can harm your reputation as a leader or manager and it can damage your nonprofit's ability to fundraise.
Steps to Take Today to Protect Your Online Accounts
It's hard to stay safe online because hackers are constantly developing new ways to scam us. And they use some of our best qualities — like goodwill — against us. Certainly, no one should feel ashamed if they get stung by an attack.
There are many things we can do to reduce our risk. Some of these steps may seem obvious, but failure to follow them can leave you vulnerable.
Consider also that more nonprofits may switch to remote work due to the novel coronavirus. That makes your online security an even higher priority.
The good news is there are some powerful, low-cost, and easy actions you can take today to protect your nonprofit.
In addition to this, use the tool Have I Been Pwned. It will tell you if your email address has been exposed due to a breach. If it has, don't panic! But use the knowledge to increase your security.
Above all: be skeptical. When you receive unusual requests, make sure they are valid. And don't be embarrassed to check. Doing so could save your organization a great deal of money and trouble. It could save your job too!
Frank Moraes is a California-based programmer and technology writer.