Nonprofits Are Not Immune to Hacking — Learn to Stay Safe

publication date: Mar 24, 2020
author/source: Frank Moraes

Email breaches can be costly for an organization. An attacker who knows nothing more than a valid email address already has a target for phishing, password guessing, and impersonation, any of which can inflict financial, informational, and reputational harm. Nonprofits are not immune to this threat.

How big is the problem? Last year, WhoIsHostingThis released a report, Uncovering Trends in Email Breaches. They studied a sample of over 200,000 email addresses. They found that over 40 percent of those with ORG extensions had been "pwned," that is, had appeared in at least one publicly known data breach.

This was a smaller percentage than for the extensions COM (80 percent), NET (57 percent), EDU (52 percent), and GOV (42 percent). But it's still substantial cause for concern.

Many people don't think that having their email addresses publicly known is an issue. And in most cases, it isn't. But it can be.

Phishing Scams

When people hear the term "hacker," they normally think of people using technological know-how to get past computer security. But hacking is just as likely to involve tricking humans through everyday communications like email, text messages, or phone calls.

This kind of social engineering usually takes the form of a legitimate-looking email message designed to get the target to provide sensitive information or transfer funds.

In 2017, hackers used a phishing attack to take over a worker's email account at Save the Children Federation. Sending fake documents (including invoices) from that account, they stole nearly a million dollars from the charity.

Social Media Hijacking

Wired magazine has tracked the dangers that nonprofits can encounter on Facebook.

After the owner of a popular animal charity had her Facebook account hacked, the intruder quietly established themselves as an administrator on the account.

The hacker then launched a fraudulent GoFundMe fundraiser — all in the name of the non-profit.

A months-long struggle to boot the squatter out of the account ensued.

Reputational Harm: Fallout From Fraud

If your nonprofit is defrauded via hacking, you may wind up having to report the incident to your board or in government filings.

Should the incident become public, it can harm your reputation as a leader or manager and it can damage your nonprofit's ability to fundraise.

Steps to Take Today to Protect Your Online Accounts

It's hard to stay safe online because hackers are constantly developing new ways to scam us. And they use some of our best qualities — like goodwill — against us. Certainly, no one should feel ashamed if they get stung by an attack.

There are many things we can do to reduce our risk. Some of these steps may seem obvious, but failure to follow them can leave you vulnerable.

Consider also that more nonprofits may switch to remote work due to the novel coronavirus. That makes your online security an even higher priority.

The good news is there are some powerful, low-cost, and easy actions you can take today to protect your non-profit.

  1. Take this short phishing quiz from Google to learn how phishing works.
  2. Don't share passwords or other account details, even with someone who appears to be a colleague. If you get an email message from a supervisor asking for a password (or a vendor asking for a change to bank or account details), call them to verify the request, using a phone number you already have rather than one given in the email. Be especially careful if you are new on the job, since newcomers are a favorite target.
  3. Double-check the actual sender address of any questionable email you receive, not just the display name, which can say anything. But remember: even if the address is correct, the message could be coming from a hacked account. If in doubt, check via a different channel.
  4. Use strong passwords and a password manager. There are many options to choose from. Zoho Vault and Dashlane are both worth a try because their base plans are free and they provide special deals for nonprofits.
  5. Require that your staff use physical security keys (FIDO U2F keys, now part of the FIDO2/WebAuthn standard) to access online organizational accounts like Gmail and Facebook. Even if someone obtains a user's password, they won't be able to log in to a protected account without the physical key. You can purchase keys for less than $15 on Amazon. We recommend that each user have a backup key and enroll it on every account at the same time as the first one, so that a lost key does not lock them out. Security keys can protect access to popular software applications like Google Docs, Salesforce, Dropbox, and WordPress, and you can even use your key to access your password manager. Google reported that after it required security keys for all of its employees, none of their work accounts were successfully phished.
  6. Don't allow staff to access your online accounts via public Wi-Fi. If staff need to access accounts while traveling, ensure that they use a private hotspot (a MiFi device or their own phone's tethering) to do so. The same holds true for remote workers who may occasionally want to work from a library or other public venue.
  7. Create and distribute a written online security policy for your organization, including these (and potentially other) steps.

In addition to this, use the tool Have I Been Pwned. It will tell you if your email address has been exposed due to a breach. If it has, don't panic! But use the knowledge to increase your security. Above all: be skeptical. When you receive unusual requests, make sure they are valid. And don't be embarrassed to check. Doing so could save your organization a great deal of money and trouble. It could save your job too!

Frank Moraes is a California-based programmer and technology writer.


Copyright © 2011-Current, The Hilborn Group Ltd. All rights reserved.
