In Part 1, Matt and Carolyn discuss the Community IT framework for cybersecurity strategy, and the basic threat landscape in 2026 and some definitions of threat actors and common scams. In Part 2, they dig into the data from 2025 and what it means for your nonprofit: tools work, staff training is essential, and there are resources out there and communities to join to help your organization become more resilient and secure.

Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

Learn what trends we are seeing in cybersecurity attacks, how to protect yourself from new scams, and the changes AI tools are creating that you need to know about: for protecting your nonprofit, for better staff training, and for the more realistic phishing that AI makes possible. This webinar will help you effectively counter what the bad guys are doing.

2026 Nonprofit Cybersecurity Incident Report with Matt Eshleman

As nonprofit organizations increasingly integrate artificial intelligence into their daily operations, the cybersecurity landscape has shifted. While AI offers significant opportunities for efficiency and mission impact, it has also provided attackers with new tools to bypass traditional defenses. For nonprofit executives and staff, understanding these changes is essential to protecting organizational data and maintaining donor trust.

Join Community IT Chief Technology Officer Matt Eshleman for this annual deep dive into the state of nonprofit cybersecurity. Each year, Matt analyzes the security incidents, near-misses, and trends captured from our client base over the previous twelve months. This data-driven approach moves beyond general industry speculation to show exactly what is happening within the nonprofit sector.

In this session, Matt shares his findings from 2025 and discusses the emerging role of AI in cyber threats. The presentation covers:

Whether you are a nonprofit executive, an IT lead, or a staff member, this webinar provides a clear, jargon-free look at the risks you need to manage in the coming year. You will leave with a better understanding of the current threat environment and the practical steps your organization can take to stay secure.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic, and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.

Resources from this webinar

Nonprofit IT Management Reddit Community

Cybersecurity Playbook for Nonprofits

NGO ISAC

KnowBe4 Security Awareness Training

Nonprofit AI Governance Tips Webinar — with Senior Consultant Nuradeen Aboki

How to Use AI Tools Safely at Nonprofits — Community IT

Cybersecurity At Community IT 

Presenters:

Matt Eshleman

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 24 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at the Technology Association of Grantmakers, Jitasa, Nonprofit Learning Lab, NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. 

Contact Matt

Carolyn Woodard

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She is always happy to moderate this webinar and learn more from this 2026 nonprofit cybersecurity incident report with Matt Eshleman.

Transcript

Carolyn Woodard: Welcome everyone to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for this year with Matt Eshleman, our Chief Technology Officer. This is the eighth year that we have done this, our eighth annual cybersecurity incident report. We’re so glad that you could join us to look back over some of the trends.

This webinar is very popular every year. We study the incidents that were reported. We have thousands of client user endpoints, and Matt looks at all of that data for the course of 2025 and pulls out the different trends and changes and incidents that will matter to you so you can benefit from our experience. He’s going to cover the initial impact of the AI tools that we’re seeing, give some examples of more sophisticated scams so you can be forewarned and forearmed. He’ll discuss our basic cybersecurity best practices that still form the foundation for your protection, and he’ll give us some of those best practices and advice for this year going forward.

My name is Carolyn Woodard. I’m the outreach director for Community IT. I’ll be the moderator today.

I’m happy to hear from our cybersecurity expert, but first I’m going to go over our learning objectives. Today we hope that by the end of this session you will learn the cybersecurity landscape for nonprofits and the general best practices, learn cybersecurity lingo definitions and trending scams, understand the initial impact of AI on cybersecurity. It is assisting the hackers, it’s creating more risks, and it is also, we hope, creating more possible protections that are coming online. And we hope that you will learn how to protect yourself and your nonprofit in 2026.

If you are looking for more information on cybersecurity topics for nonprofits, we have a lot of free resources on our website. We also have a community on Reddit at r/nonprofitITmanagement where you can ask questions or get in touch with Matt through the website as well. Matt will be on our Reddit thread after this webinar answering more questions, so if you’re on Reddit, you can join us over there.

Matt, would you like to introduce yourself?

Matthew Eshleman: Sure. It’s good to join you all today to talk about this topic that I get to do a lot of work on over the year and over the past eight years. My name is Matthew Eshleman and I’m the Chief Technology Officer here at Community IT. Happy to have my new updated background here, celebrating 25 years, and I’ve been here for most of them. I encourage questions as we go along. There’s lots of content to cover, and I want to be able to take questions as they come along, so please feel free to chat those in.

Carolyn Woodard: I’m going to tell you a little bit more about Community IT if you’re not familiar with us. We are a 100% employee-owned managed services provider. We provide outsourced IT support and work exclusively with nonprofit organizations. Our mission is to help nonprofits accomplish their missions through the effective use of technology. We are very big fans of what well-managed IT can do for your nonprofit.

We are experts; we serve nonprofits across the United States. We’ve been doing this for 25 years and we are celebrating our 25th anniversary this year. We are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2025, and we believe that we’re the only MSP on that list serving nonprofits exclusively.

I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or a benefit from that vendor. We do consider ourselves to be a best-of-breed IT provider, so it’s our job to know the landscape, know what tools are available, reputable, and widely used, and we make recommendations on that basis for our clients based on their business needs, their priorities, and their budget.

We got a lot of good questions at registration, so we’re going to try to answer as many of those as we can. Anything we can’t get to will be over on Reddit after the webinar for about 30 minutes at r/nonprofitITmanagement. I hope you join us over there and take advantage of Matt answering some questions.

We will start with our first poll of the day. This poll asks: does your organization have security awareness training for staff? When we talk about security awareness, we’re really talking about not the once-a-year video that everyone has to scroll through quickly and answer the questions at the end. We hope that you have a vibrant, engaging security awareness training in place.

Matthew Eshleman: I’m really glad to see about 68% of the respondents here today say that they do have a good security awareness training program in place, and I think that’s really fantastic. Organizations have made that a priority over the last couple of years, and we are seeing really good uptake on that.

For those 32% of folks that say they need to start: I would encourage you to use this presentation to build some ammunition for taking those steps to make that a priority and part of your organization’s culture.

Carolyn Woodard: I’m really glad to see so many people have it. I’m seeing a couple of answers in the chat about being very small and having more informal, hopefully frequent conversations about security during staff meetings. That is also very effective and very helpful as long as they’re frequent. It does help if you’re following a plan, but if you can do it informally, that is way better than nothing at all. Congratulations on getting that started.

Matt, we have this graphic which shares a little bit about how we think about cybersecurity layers of protection. Did you want to talk about this a little bit?

Matthew Eshleman: This graphic talks about our approach to cybersecurity and that foundational concept of policy continuing to provide guidance for the technical solutions that are built on top.

You may notice that we don’t have AI mentioned explicitly here, but it certainly is something that influences each one of those layers, whether in policy, helping to generate topics or providing some edits and revisions, the training that folks are doing, and particularly in the technical solutions in that layer. AI can be infused in these tools, helping with both prevention and detection.

Security awareness training is a key element, because most of the attacks that we see in our small to mid-sized nonprofit space are really initiated by people clicking on something they shouldn’t have, updating payment information, or getting tricked into buying gift cards by somebody who’s obfuscating their identity. There’s not enough technology to provide complete coverage, so we do have to trust and engage with our staff to provide that education layer.

In the blue layer, these tend to be a lot of the technology tools that we have in place, and that’s where a lot of AI is getting infused in terms of improving detection, response, or analysis.

The top layer is compliance. If you have a policy but it’s not enforced, or maybe your staff don’t even know about it, you might as well not have that policy. Ownership of that layer, including the training and education of stakeholders and regular revision, is really necessary at an executive level. The IT department can be involved in putting compliance checks on the back end, but without the whole staff being on board, IT measures can be seen as an opposition or a burden rather than a protection.

It’s a helpful way to think about security. The foundation really is policy, making sure people are on the same page, and then training, making sure that your users are engaged and aware of what’s going on.

Carolyn Woodard: I like that when we talk about compliance, you can have the policy, but if no one’s checking that anyone’s following the policy, there is that extra step where someone has to be in charge of making sure that people are complying with it.

Before we get to the analysis from this year, can you talk a little bit about the current cybersecurity landscape?

Matthew Eshleman: There are some new things in the current cybersecurity landscape, but a lot also continues as before. The big thing I want to keep reiterating is that cyber criminals see their work as a job, right? It’s not just a hobby. People are getting paid for this. As a result, most organizations are primarily under threat from financial scams. Hackers are really motivated by that financial benefit, and that is the avenue for the vast majority of attacks that we see in our space, even among nonprofit organizations involved in progressive or potentially contentious topics.

That is something we’re seeing in addition to the financially motivated cyber attacks that impact everyone with an internet connection or an email address, but we’re also recognizing that partisan attacks are increasing online. Those are typically targeted at the individual themselves.

As a result, we are seeing organizations take steps like reconsidering how they identify people on their website to combat the personal attacks that folks at different organizations are experiencing. The new trend that we are seeing is just how fast the use of AI tools is accelerating those attack vectors and attack methods, both from seemingly benign things like more sophisticated spam messages, all the way up to automated, script-based attacks that are a lot more effective and lower the bar for the technical sophistication needed to execute them.

Carolyn Woodard: I shared a couple of resources in the chat and we’ll share them in the transcript as well. We have a downloadable cybersecurity playbook for nonprofits that includes that graphic we showed about the different layers. I also shared the NGO ISAC, a member-based resource you can join as a nonprofit. It’s a community of nonprofit cybersecurity experts and members who need to know more. It’s a great place to share information and learn more about what you need to be doing.

Matt, can you talk a little bit more about AI?

Matthew Eshleman: You can’t have a presentation without talking about this. From the hacker perspective and the trends that we saw in the data supporting about 8,000 nonprofit staff, there’s certainly a more futuristic approach to using AI for sophisticated scripts and exploits. But we’re also seeing that malicious code and viruses are a bigger danger and risk than they’ve been in some time.

When we get to the table, we’ll see that the amount of endpoint malicious activity has really increased pretty dramatically year over year, because AI makes it a lot easier for those threat actors to write new viruses. It also makes it easier for them to create new and convincing ways to get victims to open up a document, scan a QR code, connect over WhatsApp, and then install some other software. There are sophisticated playbooks being developed and tested, and the bar to use those just continues to drop.

You can have pretty good defenses in place but still get overwhelmed by how sharp you need to be in terms of evaluating every message that comes across your screen.

The other thing we’re seeing is an increase in HR scams and longer cons. At the end of the day, even with all of the AI tools and automation, you’re interacting with a person at the other end of the computer screen. Because they’re financially motivated, there is this investment in building a trusted relationship over time. The first ten messages you exchange are just building that trust, and then eventually comes the financial ask. There are lots of really sophisticated and tricky ways to get to that point.

In terms of what we’re seeing that’s new and different in 2025, certainly the use of AI in these longer cons is occurring with a lot more frequency.

Carolyn Woodard: I think it’s interesting, and in some ways it’s encouraging, right? Because the training is working. People know not to click on the link in the email. So then the attackers are like, I’ll send it to you a different way. I’ll send you a document, or a calendar invite, or something you aren’t aware yet not to click on. They’re just finding new workarounds, but it’s good. Training is working.

Matthew Eshleman: Yes, for sure. On the operational side, account compromises carry the biggest risk to the organization. A compromised account can carry into so many things: donor information, insider information about your board members, and more. Protecting accounts is the crown jewel of what we want to protect.

We’re also seeing that cyber liability insurance and auditing requirements continue to drive compliance. Organizations do things because they have to, and insurance and financial audits are some of those levers that get pulled to enforce those standards.

Multi-factor authentication has been a great technology tool that people have adopted. Hackers have continued to find ways of exploiting that, and there’s a big battle in the tech space that’s largely in the background, with vendors like Microsoft going after the underlying hosting infrastructure that is really facilitating those attacks.

That’s why we’ve updated some of our multi-factor guidance to say: yes, MFA is required, but if you are in a trusted role, we need to make sure that you are moving to a passkey or a phish-resistant MFA method as a way to combat some of the increase in technology that these threat actors are using to exploit accounts.

Some other new trends worth shedding some light on are ungoverned account risks and data retention. Ungoverned accounts include organizational accounts being used to interact with free AI tools, and there’s a real risk of data leakage there. We’re also seeing organizations become more aware of the risk from legal attacks and data retention.

Organizational data used to just be seen as an asset. We want as much data as we can get and we’re going to keep it forever because this is our work. There is a growing recognition that if you now have to comply with legal subpoenas and turn over all this data, some of which you do need to retain and some of which is maybe just conversational, data is now evolving into a liability for some organizations.

Being intentional about what data you have, why you need to keep it, and how long you need to keep it for are some of the new things we’re certainly seeing in the nonprofit space in 2025 and continuing into 2026.

Carolyn Woodard: I want to make sure that we have time to get to the information at the end of the presentation. Let’s go through the definitions fairly quickly. We’ll add full definitions for all of these terms in the transcript on our website, so if we don’t mention something that you don’t know, just check back there.

Matthew Eshleman: Threat actor is one I’ve used a couple of times. It refers to the person or entity that’s behind the keyboard. At Community IT, we don’t get too caught up as to whether the threat is attributed to Fancy Bear or Midnight Blizzard. You may hear some of those buzzy terms, but that’s not as important to us. What we’re mostly interested in is identifying and restricting the threat.

Malware, or scareware as I’d call it, is another term worth knowing: the unwanted software or pop-ups that redirect your web searches or collect information or try to trick you into calling a fake number for tech support. That’s a good term to understand so you know how to describe what you’re seeing or experiencing.

Carolyn Woodard: We want to get started with our next poll. We want to know what cybersecurity tool or process you added in 2025. This is multiple choice, so choose all that apply.

The options include phish-resistant MFA, having the physical key or using a passkey; cloud backup; SIEM and SOC tools. Matt, what is a SIEM and SOC?

Matthew Eshleman: Security information and event management tools and a security operations center. Basically putting all your logs and data in one place so that it can be monitored and you can get alerted if there’s something suspicious.

Carolyn Woodard: So like managed security. Somebody is checking on the logs. Got it.

Other options in the poll include new policy, new training, data protection or retention policy, new AI policies and governance, and other. We just wanted to see what people are adding as the cybersecurity landscape is changing and as we’re finding we need new tools, new training, new policies. What have you been able to add last year?

Someone in the chat said they added a phishing campaign with staff for training, teaching staff what a phish might look like and sound like. Someone else added monthly training campaigns to their existing KnowBe4 setup. For anyone who doesn’t know, KnowBe4 is one of the tools that can help you manage small trainings that go out to all staff every quarter or every month. They create the content and then you do these quick quizzes, and it can be really useful, especially when something new comes out. KnowBe4 tends to have training about it very quickly after it becomes something we need to watch out for.

Matthew Eshleman: The big jump in this poll is the number of folks who have added AI policies and governance. That was the biggest number of respondents at 39%, which I think is really fantastic.

Along with that, a lot of folks are addressing their data protection and retention policies, which ties into the idea that data is a liability in addition to being an asset.

I’m really excited to see that about 18% of respondents have implemented phish-resistant MFA in 2025. A handful of folks have added the SIEM or SOC services as well.

There was one person who said they haven’t added anything because what they’re doing is working, and I really want to know more about that. Because from my perspective, security isn’t a destination. You’re not going to get to a point where you say, okay, we’ve done everything we need to do.

Security is a journey. There’s always going to be new things to add, to adjust, to change. The presentation we give next year will probably cover things we haven’t even considered or thought about at this point. So I’m glad to see lots of movement, particularly in the policy area.

AI is one of those areas where there’s so much opportunity and also so much risk in terms of the integrity of your organization’s data.

Carolyn Woodard: As we’re using AI more and more, we’re realizing these different dimensions of risk that it adds. I think that’s just fascinating.

Matthew Eshleman: After many years of basically reporting that everything is the same except more, we did have a couple of things that were different last year.

One was really the big increase in viruses and malware that were largely detected and blocked by our endpoint protection tools, but also reported by clients. I think AI is creating new attack methods from outside the organization. It’s easier for these threat actors to create new and novel attack methods.

We also saw some self-inflicted virus activity: people creating scripts to do things they maybe didn’t fully appreciate or understand, not fully knowing what they were asking for or how the script was actually working. So it wasn’t just bad actors from the outside attacking the organization. It could also be people trying to automate some process, but the way the script was running on their system wasn’t safe or secure.

I think this is only going to increase. Tools like Claude Mythos are so good at identifying vulnerabilities, and maybe not in a virus they’re going to send you directly, but in identifying vulnerabilities in libraries or modules and processes or applications that are part of the enterprise tools that you’ve already deployed. I think that’s the big risk. Just this week there was an example of a vulnerability in the wolfSSL TLS/SSL library that can weaken the security of certificates. Certificates really underpin a lot of the security on the internet, so a weakness in the way you can trust or generate certificates has a whole massive series of cascading effects.

We’ve had a couple of examples of pretty serious supply chain attacks, where a vulnerability in some system you use downstream gets exploited. The fear, I think justifiably, is that these are really going to increase. There’s going to be a lot of patching, updating, and reconfiguring to make sure that we can secure the whole ecosystem of technology tools that we use.

We saw a ton of fake invoices making their way into organizations. We also saw DMCA takedown notifications, formal legal requests claiming you’ve used copyrighted information on your website and need to take it down. That threat of coercion, playing on uncertainty and legal anxiety, was a pretty common attack method.

The attacks are not just against the organization itself either. We saw an increase in HR scams that exploit the organization’s identity. There were a number of cases where people would get lured into applying for jobs that they would get with the organization. Then the attacker would say, hey, I’m from nonprofit.org, we’re really excited for you to become our new development associate, here’s your onboarding form, go ahead and purchase your equipment and send us your bank information and we’ll reimburse you. We saw numerous examples of organizational identity being exploited for that type of scam.

Finally, we saw a lot of calendar phishing where you just get an invitation dropped on your calendar and it creates this sense of urgency to click on it. The calendar invite process itself can create some exemptions in your email security tool that can be exploited. Typically if you do have third-party email security, malicious links will get identified and blocked. But it just creates a lot of chaos when you’re starting to see those things in your calendar, and it’s kind of the first step for these longer-term confidence scams.

Carolyn Woodard: Thank you for sharing all of those. Someone in the chat asked about password changing. How frequently should users change their passwords?

Matthew Eshleman: You should set a good unique password and not change it. That is updated guidance supported by NIST and by Microsoft and essentially all current cybersecurity best practice recommendations. Just creating new passwords doesn’t make you more secure.

You should create a strong, unique password, protect it with phish-resistant MFA, and use a password manager. Those are the things that are good.

As we transition to looking at some of the examples: cybersecurity in general does seem to be really geared toward a lot of fear, uncertainty, and doubt. We’ve got to scare people into compliance or into doing things. But it’s also worth taking a step back and having some perspective.

A lot of these schemes build on your confidence. If somebody walked up to you on the street and said, “Hey, I’m your executive director, can you buy me a gift card?” it’d be pretty easy to tell that’s not your executive director. But in the digital world, particularly in our new AI world, it really is hard to trust what you’re seeing. That trust, or the willingness to trust, is at the root of a lot of the attacks we saw in 2025.

Carolyn Woodard: Now we’re going to get to some of the specific attacks. What do you do when you see this kind of thing?

Matthew Eshleman: This is what I’m going to call scareware. There’s nothing necessarily malicious about it other than a message saying please contact us immediately, your computer has a virus, call us right away, with a phone number.

I actually called one of these numbers. It has since been disconnected, but it would have put you in touch with a very helpful person who would have taken your credit card information, charged you a couple hundred bucks, and basically done nothing.

If this happens to you on a Windows computer, all you need to do is press Alt+F4. It closes the open window and you can go about your day. A little bit of knowledge solves a lot of the problems you’d encounter.

This is something worth telling your friends and family, maybe your parents: don’t call the number if you ever see anything weird. They can call you, turn off the computer, all of those are much better options than calling the number on the screen. Having a pre-verified number to call in case you have any IT support issues is a really good takeaway.

Carolyn Woodard: And making sure that your family members and coworkers know they can talk to you about this. They shouldn’t be embarrassed if they click on it or call that number. That’s the other emotion these scammers try to build on: you’re too afraid to tell someone that you might have made a mistake. So make sure your training is all about openness. It happens to everyone, just tell someone.

Matthew Eshleman: Exactly. And we see a lot of impersonation scams as well. There’s nothing inherently malicious about the message itself. No viruses, no attachment, no QR code, just an ask. Having that internal knowledge is important: is this something your organization would do? Can you determine if this is actually coming from your CEO? Having those education pieces makes it a lot easier to identify it, delete it, and move on. You don’t need to spend a lot of time on that.

Carolyn Woodard: Tell me about the invoices.

Matthew Eshleman: The invoice scams look very official. I think they’re maybe a little bit the wrong target demographic for our clients. I’m not sure how many nonprofits are signing up for $90,000 worth of comprehensive reports and analytics, but they look pretty official. What I noticed, and maybe didn’t appreciate, is that fake details like ACH numbers from real banks like Citibank make them look entirely legitimate. It’s just asking for money. That’s the simplest approach, just asking.

Carolyn Woodard: And I love it: “pay on time so you don’t have any delay fees.” They even gave them a discount. Totally legit!

Matthew Eshleman: These types of attacks are a good illustration of the principle that good cybersecurity controls work best when they combine both policy and technology. It’s possible that an unsolicited invoice gets blocked by your spam folder, great. But it’s also possible that you receive a convincing fake invoice with updated banking information from a trusted sender whose account has been compromised.

In that case, the process your organization follows to update banking payment information is the cybersecurity control. Can just one person change banking information on their own? Is there a threshold? How do you verify new information? Those policy controls support the technical protections and vice versa. We can’t rely entirely on policy and we can’t rely entirely on technical controls to protect these things from making their way into our inbox.

Carolyn Woodard: I love how these scams also use grooming language like “for compliance reasons, make sure you don’t tell anyone,” or “I know you usually use bill.com, but we can’t use that this time, so just send a check.” Watch out for that.

Matthew Eshleman: Yes. Those DMCA takedown notices play on that same insecurity, a vague legal threat that something bad is going to happen. These attacks often prey on uncertainty or a lack of knowledge.

HR tends to be a highly targeted area as well. New staff get targeted a lot because they’re not as familiar with organizational policy and norms, so they’re more susceptible to gift card scams because they don’t have that relationship yet. Emails that appear to come from HR get clicked at a much higher rate than other message types, and people in finance and operations get targeted more simply because of the access they have to resources and information.

Carolyn Woodard: For sure. Let’s look at some of the data.

Matthew Eshleman: So this is eight years of cumulative data. It’s not peer-reviewed or statistically normalized, but it reflects an increase in the number of clients we support and changes in technology controls over time. Not all of our clients have the same tech profile, but the trends are meaningful.

One really interesting finding in the top categories is spam and email. Year over year, we actually had fewer messages reported to our support desk that were considered spam, and also fewer phishing messages. A drop of about 20% year over year in spam messages, and a drop of over 60% in phishing messages.

I want to be clear: I don’t think there was less spam and less phishing in the world in 2025. That number generally increased. We switched email security tools, and I think that had a meaningful impact. The tools you have in place matter, and continuing to reevaluate and redeploy the best-in-class tools does make a difference. We see that in the data we have.

The next class of events is where we see the increase in malware. We had over 100 scareware incidents reported: those pop-up messages that are really disconcerting, which sometimes play sound and music. That’s an increase of over 70% year over year. We also had an increase from 13 to 57 things we would classify as virus or malicious endpoint activity. It was almost entirely identified, killed, and quarantined by our endpoint antivirus protection, but that represents nearly a fivefold increase from virtually none in previous years.

That was really striking to me. We’ve had basically the same endpoint protection scheme, still doing patching, still doing a lot of things well, good endpoint security, but the amount of malicious activity being launched on endpoints really increased dramatically. I think you can see AI tools seeping in and making targeting more sophisticated, where even less experienced users can now do a lot more than they were able to before.

Fortunately, ransomware is still at zero. If you have physical servers and a traditional network, it is still very risky. But for most of the nonprofit organizations we’re supporting, we’re almost entirely cloud, and this ransomware attack vector hasn’t made that leap yet. Maybe it will, but it’s not something we’re as concerned about right now. There are other things we want to prioritize and invest in.

Account compromise confirmed was flat year over year at about 32 incidents, the same as 2024. I think that reflects some combination of better training reducing the number of people clicking, and some organizations starting to switch to passkeys, which are phish-resistant in most cases. Microsoft also partnered with the FBI to take down a big piece of hacking infrastructure that was being used to perpetrate a lot of these attacks, and I think that helped mute the increase.

Account compromise suspected continues to increase. That’s whenever a tool alerts us or someone reports that they think their account might be compromised. If your account is available online, it’s being targeted all the time. Having good tools in place to detect, alert, and block suspicious logins is a really key cybersecurity protection, because the impact of a compromised account is so significant.

We also saw a small relative increase in the number of advanced persistent threat actors, which would be foreign nation states. Wire fraud went down, which is great, but it still represents a pretty significant impact to the organization on the receiving end.

Carolyn Woodard: Can you talk about the decrease in phishing and spam that we saw?

Matthew Eshleman: This is basically the graph form of what we saw in the table. Two different scales: on the left is spoofing and spear phishing, down about 60% year over year, and on the right is spam message volume. We’re seeing a reduction.

Having good email security is really beneficial because it just reduces the noise in your system, from how many junk messages people have to deal with day-to-day to the number of phishing messages, which are the malicious content that can lead to financial fraud or a compromised account. We can really see the difference that having effective tools in place makes, and we see it in the data from the clients we’re supporting.

In terms of summarizing the tools and trends: your tools are important, and better monitoring is helping us close and respond to alerts quickly. The big area of risk is that malicious endpoint virus activity is increasing, and investing more in those protections and workflows is going to be really important.

Despite how difficult our current political landscape seems to be, from a purely cybersecurity perspective most attacks are still financial. We’re just adding partisan or ideological attacks on top of that. The biggest risk for the organization still ends up being financial in terms of overall loss.

The new thing I would add is that insecure AI is creating new risks for organizations in terms of data leaks. While nonprofits are slow to write policy, your staff are not slow to adopt tools. We see widespread evidence of free and ungoverned AI tools being used across organizations. Even if your org hasn’t written a policy about how to use AI, your staff are already using it. The impact of that is going to be seen down the road as data you thought was internal is now not.

We’re seeing the continued need for investing in staff training and providing clear policies for data and AI in particular. And all the basics, the things we’ve been talking about for years: what are your baseline configurations, people aren’t local administrators, patch and update regularly. All of those things continue to be foundational to protecting your organization from the threats that are out there.

Carolyn Woodard: We have a couple of other resources I just shared in chat. We did a podcast about doxing that gives some information there, and we just did a webinar a couple of months ago about how to use AI tools more safely at your nonprofit. So how do you protect your organization, Matt?

Matthew Eshleman: I think this goes back to some of our earlier questions, like what’s one new thing you did in 2025? And here’s a chance to think about what’s one new thing you’re going to do in 2026.

Nonprofit organizations continue to be at high risk for cyber attacks of all types. Making sure that you have those foundational controls in place, such as IT acceptable use, a formal security awareness training program, phish-resistant MFA, and cloud identity protection, does provide meaningful protection against the most likely attacks your organization is going to face.

We talk a lot about that in our updated cybersecurity playbook. If you have an ad hoc cybersecurity training program, maybe it’s time to look at something more formal. If you have MFA for everybody, great. Maybe it’s time for your finance and operations folks to upgrade to phish-resistant MFA. If you don’t have any email filtering in place, this is a big win, just to reduce the amount of junk. If you don’t have a system in place to monitor your cloud sign-ins, there’s a lot of value in getting something that can protect, alert, and block potentially suspicious logins.

And finally, patching and updates. Nobody likes to reboot their computer. We send out a reminder the first of every month, but doing the basics is really important. Make sure you’re taking time to update those apps, reboot your computer, install the operating system updates. That is an important way that OS vendors make sure you have the latest protections built into your system.

Carolyn Woodard: I’m sorry that we’re running out of time. I hope that you can maybe stay an extra minute or two, Matt, before you jump over to Reddit. We got a bunch of good questions in the Q&A, and we will put those in our Reddit thread where you can find some answers.

We do have cybersecurity offerings from Community IT. You can find those on our website at communityit.com. There’s also a link where you can get some time with Matt to talk to him more about your questions, so you can grab that time on our website as well.

For our learning objectives: I think we went over them pretty well. We learned the cybersecurity landscape, we learned some general best practices that will protect you against most new scams, we learned some definitions, the initial impact of AI on cybersecurity risks, and some ideas on how to protect ourselves and our nonprofits better.

I want to mention our webinar next month, which will be May 27th. I will be back with Nuradeen Aboki, our Senior Consultant, and he has several mini case studies to share from clients he’s been working with on implementing AI. There are good things that are happening, and some pitfalls that we can help you avoid, especially around governance and policy making.

A lot of people are talking about AI and nonprofits in pretty theoretical terms right now. Having Nura here to give us some really practical experience he’s had with big clients and small clients is going to be a really good webinar. You can register at communityit.com.

Matt, I just want to thank you so much for your time today and for sharing all your expertise, and for all the time that it takes to go into that data and pull out those threads and help us see what our other clients are seeing. We can all get smarter together when we learn from each other. Thank you to everyone who attended. Please remember to take the survey as you leave, and we just appreciate your time so much.

Matthew Eshleman: Thank you all, and I appreciate all the comments in the chat. As Carolyn mentioned, we’ll be answering some of these questions over on our Reddit channel, so go check out the answers there.

Carolyn Woodard: We’ll see you over on Reddit. I hope you have a great rest of your day. Thank you.

As advocates for using technology to work smarter, we’re practicing what we recommend. This transcript was drafted with the assistance of AI, and is not a verbatim transcript. The content was edited for clarity, and was reviewed, edited, and finalized by a human editor to ensure accuracy and relevance.

