
Security Awareness Training for Non-Profit

Interactive simulations for non-profit staff, volunteers, and distributed teams. Donor-fund BEC, gift-card fraud, ransomware on small NGOs, and phishing for donor-database credentials, calibrated for budget-constrained workforces that carry outsized donor trust.

Why Non-Profits Carry Donor Trust That Attackers Target

Non-profits hold something attackers want and something funders watch closely: donor trust. The 2020 Blackbaud ransomware incident exposed donor records held by thousands of charities, museums, and universities that relied on its hosted services, and the reputational fallout reached every annual report and grant application that followed. Attackers continue to target the year-end giving rush, disaster-response drives, and any moment when donations spike and staff are stretched thin.

Most non-profits that take online donations fall into PCI Level 4 (the smallest merchant tier), many hold EU donor data that brings them within GDPR's scope, and all sit under state breach-notification statutes, with charity-registration rules in several states layering data-privacy expectations on top. Major foundations such as Gates and Ford include donor-data confidentiality clauses in grant agreements. The training expectation is real even when the budget is not.

RansomLeak delivers training that fits the realities of distributed, volunteer-supported, often-underfunded teams. Interactive 3D simulations rehearse the decisions that protect donor trust: refusing a gift-card request from a "CEO," verifying a vendor invoice change before redirecting funds, recognizing a phishing email targeting your CRM credentials, and reporting a suspected breach within state notification windows.

Non-Profit-Specific Threat Patterns

1. Donor-fund BEC and wire redirection

Attackers monitor public foundation directories and impersonate executive directors during year-end giving and disaster drives. A single redirected wire can wipe out a quarterly fundraising goal. Finance and development staff need scenario practice, not generic anti-phishing reminders.

2. Gift-card scams against junior staff and volunteers

A "quick favor" text from the executive director asking for Amazon or Apple gift cards is one of the highest-volume frauds against non-profits. Junior staff and volunteers who rarely interact with leadership are common targets and need an explicit refusal pattern: no gift-card purchase on anyone's say-so, ever, without confirming through a known channel.

3. Vendor invoice fraud against thin AP teams

Many non-profits run accounts payable with one or two staff and limited segregation of duties. Attackers compromise vendor mailboxes and submit changed banking details from the vendor's real address. Training rehearses out-of-band verification before any banking change, calling a number already on file rather than one supplied in the change request.

4. Phishing for donor-database credentials

Blackbaud, Salesforce NPSP, Bloomerang, and DonorPerfect logins are high-value targets. A compromised CRM session can exfiltrate donor records, payment instruments, and pledge schedules. Development staff need MFA discipline and phishing literacy, including the habit of reporting a credential prompt that arrives by email link rather than through the bookmarked login page.

5. Ransomware on small NGOs with thin backups

Small non-profits frequently keep unmaintained backups on the same network as production, so ransomware that encrypts both halts grant cycles and donor outreach for weeks. At least one offline or immutable copy, with restores tested, is the technical control; a workforce that reports suspicious activity promptly is often the only early warning.

Compliance Frameworks This Page Covers

Mapping to the regulations that drive most non-profit buying decisions.

PCI DSS for online donations

Most non-profits accepting online donations qualify as PCI Level 4 merchants. PCI DSS Requirement 12.6 calls for a formal security awareness program (12.6.1) with training on hire and at least once every 12 months (12.6.3) for all personnel, not only those who directly handle cardholder data, and assessors expect completion records as evidence.


GDPR for international donor data

Non-profits that solicit or process donations from people in the EU can fall within GDPR's scope as controllers (Article 3(2)). Article 32 (security of processing) and Article 39 (DPO tasks, which include staff awareness and training) flow into staff training expectations, especially around DSAR handling and breach notification under Articles 33 and 34, where the clock to notify the supervisory authority is 72 hours.


State breach-notification laws

All 50 US states have breach-notification statutes, and non-profits are not exempt. Several states layer charity-registration data-privacy expectations on top. Training drives correct, timely incident reporting, since the notification clock starts when the organization discovers the breach and a slow internal report shortens the time left to respond.

Funder and grant data clauses

Major foundations such as Gates, Ford, and MacArthur include donor-data confidentiality and breach-notification clauses in grant agreements. Funders increasingly request training evidence at renewal.

IRS rules for fundraising data

IRS Form 990 (Part VI) asks whether the organization maintains written governance policies such as document retention and destruction, which pushes non-profits toward documented data-handling practices. Workforce awareness training is the foundation that makes those practices stick.


Frequently Asked Questions

Do you offer non-profit pricing?

Yes. RansomLeak offers discounted pricing for registered 501(c)(3) and equivalent international non-profit entities. Volunteer seats are accommodated separately so you only pay for staff and active long-term volunteers, not every one-day event helper.

How does this help during year-end giving?

Year-end giving is peak BEC season. Attackers know finance and development teams are stretched and impersonate executives, vendors, and major donors. The BEC exercise rehearses the wire-verification discipline that protects December and January receipts.

Can volunteers complete the training?

Yes. SCORM packages run in any SCORM-conformant LMS, and the standalone cloud platform supports volunteer accounts with reduced-friction onboarding. Volunteer-specific assignments cover gift-card scams, social engineering, and basic phishing without requiring the full staff curriculum.

How does this satisfy grant-agreement training clauses?

Grant agreements from Gates, Ford, MacArthur, and similar funders frequently require documented training. RansomLeak supplies per-employee completion records, scores, and topic coverage maps in formats funders accept at renewal and audit.

What about international donor data and GDPR?

Non-profits that process donations from people in the EU can fall within GDPR's scope as controllers. The catalogue covers GDPR breach response, DSAR handling, cross-border transfer awareness, and consent management. Audit evidence maps to Article 32 (security of processing) and Article 39 (DPO tasks) expectations.

Does it integrate with our LMS?

Every exercise exports as SCORM 1.2 and 2004 packages, tested with 50+ LMSes including Cornerstone, Workday, Moodle, Canvas, and the LMS modules in Salesforce NPSP. For non-profits without an LMS, the standalone cloud platform offers SSO, MFA, and audit-ready reporting.

How often should non-profit staff and volunteers run training?

PCI DSS Requirement 12.6.3 calls for training on hire and at least once every 12 months. Most non-profits run a full refresh once per year plus short micro-modules ahead of peak fundraising windows and after public incident bulletins. RansomLeak supports both rhythms.

See RansomLeak in Action

Try the free exercises or book a demo to see analytics, SCORM export, SSO, and custom content in your environment.