2025 Nonprofit Cybersecurity Incident Report: Keeping Your Nonprofit Secure


Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Google, Stitcher, Pandora, and more. Or ask your smart speaker.

In part 1, Matt discusses the landscape and background of cybersecurity attacks nonprofits face now, goes over the lingo and acronyms, and introduces new trends in attacks and protections. In part 2, Matt discusses the data from 2024 and takes questions.

Is your nonprofit prepared?

Community IT CTO and cybersecurity expert Matt Eshleman delivered our annual report on trend lines and took questions live and online in this popular annual webinar.

Drawn from anonymized data from the calendar year 2024 of cybersecurity incidents across end users in hundreds of our small and mid-sized nonprofit clients, this report shows changes in attacks and emerging threats.

Using this real and timely data, Matt walks through recommendations and outlines the practical steps your organization can take to prevent the most frequent attacks.

He covers new threats and training best practices for your nonprofit staff around evolving cybersecurity issues, including a spike in online and in-person harassment, wire fraud, AI-enabled scams, smishing and vishing, adversary-in-the-middle MFA attacks, and other new and disturbing trends.

You may also be interested in downloading the free Cybersecurity Readiness for Nonprofits Playbook to review a framework for focusing on your cybersecurity fundamentals, or using any of our free cybersecurity webinars and podcasts to learn more about specific protections you can take.

As with all our webinars, this presentation is appropriate for an audience of varied IT experience.

Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.


Presenters:

Matt Eshleman

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.

Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at the Technology Association of Grantmakers, Jitasa, Nonprofit Learning Lab, NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.

Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.

He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response.



Carolyn Woodard


Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She was happy to moderate this webinar and learn more from this 2025 nonprofit cybersecurity incident report with Matt Eshleman.





Transcript

Carolyn Woodard: Welcome, everyone, to the Community IT Innovators Webinar, Nonprofit Cybersecurity Incident Report for 2025 with Matthew Eshleman. This is our seventh annual incident report. And in this popular webinar, Matt has studied the incidents reported at our thousands of client users over the course of 2024 and has determined what trends and changes matter most to nonprofits, which we need to hear about today.

He will cover best practices around evolving cybersecurity issues, including increased online and personal threats to nonprofit staff, AI-enabled scams, smishing, adversary in the middle or AitM MFA attacks, and other new and disturbing trends. He’ll also give us some best practices and advice. 

My name is Carolyn Woodard. I’m the Outreach Director for Community IT, and I’ll be the moderator today. I’m very happy to hear from our cybersecurity expert, Matt. 

But first, I’m going to go over our learning objectives. By the end of today, we hope that you will 

And I should say that we’re trying a hybrid situation today for the first time ever. We do have a live studio audience here at our offices in Washington, DC. So, if you were in the area and able to join us, thank you. Welcome, everyone. And for those of you listening at home, we welcome you as well for our usual Zoom webinar. 

So Matt, would you like to introduce yourself?

Matt Eshleman: Welcome. My name is Matthew Eshleman. I’m the Chief Technology Officer here at Community IT. I officially started at Community IT almost 20 years ago, or 25 years ago in the summer of 2000.

I’m really excited to be with you online, and here in person, to talk about the incident report. As Carolyn mentioned, this is the seventh year that we have developed this report and shared the data out.

Carolyn Woodard: Before we begin, if you’re not familiar with Community IT, a little bit more about us. We’re a 100 percent employee-owned managed services provider. We provide outsourced IT support. We work exclusively with nonprofit organizations, and our mission is to help nonprofits accomplish their missions through the effective use of technology. We’re big fans of what well-managed IT can do for your nonprofit.

We serve nonprofits across the United States. We’ve been doing this for over 20 years. We are technology experts and we are consistently given the MSP 501 recognition for being a top MSP, which is an honor we received again in 2024.

And I’m very happy to welcome a couple of our clients here today to our in-person webinar seminar that we’re doing. 

I want to remind everyone that for these presentations, Community IT is vendor agnostic. We only make recommendations to our clients and only based on their specific business needs. We never try to get a client into a product because we get an incentive or benefit from that. But we do consider ourselves a best of breed IT provider. It’s our job to know the landscape, what tools are available, reputable, and widely used. And we make recommendations on that basis for our clients based on their business needs, priorities, and budget.

We’re going to leave as much time as we can for Q&A for Matt. So please submit your questions through the Q&A feature or chat anytime today. I’ll either break in to ask them or I’ll save them for the end. We got a lot of good questions at registration, so we’re going to try and answer as many of those as we can. Anything we can’t get to, I’ll ask Matt to give us some written thoughts and I’ll append those to the transcript, so check back after the webinar if we don’t get to every question.

A little bit more about us. Our mission is to create value for the non-profit sector through well-managed IT. We also identify four key values as employee owners that define our company: trust, knowledge, service, and balance. We seek to always treat people with respect and fairness; to empower our staff, clients, and sector to understand and use technology effectively; to be helpful with our talents; and we recognize that the health of our communities is vital to our well-being, and that work is only a part of our lives. 

Poll 1: Have You Had a Cybersecurity Incident This Year?

We’re going to go ahead and launch a poll, and the people who are in the audience here can answer it as well.

Has your organization had a cyber incident this year? 

And the answers you can choose are: no, not that we know of; not sure; yes, but we discovered it with time to mitigate the impact; yes, and we suffered significant impact; not applicable; or other.

There’s no shame. Please go ahead and answer. In the registration responses, many people said that they had not had an incident this year, which, knock on wood, that’s really good to hear. I think Matt’s going to talk a little bit more about that.

We’ve been doing cybersecurity training for years now, and it seems like it is having an effect; we hope that all nonprofits are really aware of it.

Matt Eshleman: It looks like of the people that have responded, it’s about half and half that people don’t know, or not that they know of, and yes, but they were able to mitigate the impacts. 

Nobody said yes, and they’ve suffered significant impacts. That’s really great to see, and not to give it away, but we are starting to see some changes in the overall data amongst our clients, and it looks like folks who are attending as well are maybe seeing some results of the investment that’s been made by a lot of organizations over the last number of years in their cybersecurity protection.

Carolyn Woodard: I think everyone should give themselves a pat on the back for that. And also, I want to shout out to all the people who said yes, but we discovered it with time. That also is quite impressive that we are having the training and being aware. And so even though hacks happen, attacks happen, it’s good to see that people are able to respond in time.

Cybersecurity Approach

Matt Eshleman: Right. If you’ve worked with us or downloaded any of our resources, this graphic will look pretty familiar. Really it is a reflection of how we think about cybersecurity and cybersecurity protection at Community IT that’s rooted in a foundation of policy. 

Building on that, engaging staff through security awareness training. In the blue line, that’s really a list of the technical controls and protections that organizations can add in on top.

And then the final layer, I think we’re seeing a lot of movement in this area, particularly in the last year or so, is around compliance. We mean formal compliance standards that are being imposed upon organizations by funders, by the board, or by other entities that are actually saying, we need to have these controls in place in order for us to receive funding or receive grants or whatever the case may be. 

The takeaway here is that we want to root these protections in policy so that the organization has a good foundation to build on, to make decisions about, and to articulate what they believe, in terms of how best to protect themselves and how to operate as an organization.

Nonprofit Cybersecurity Landscape

Carolyn Woodard: Before we get to the analysis from this year, Matt, can you tell us a little bit more about the bigger picture we’re seeing in cybersecurity in the landscape?

Matt Eshleman: I think this is something that does evolve and change year after year. I think while this cybersecurity incident report is really focused on data that we collected during 2024, we’re already here in the middle of April, so we also see a lot of stuff that’s happening in 2025. 

Chaos Creates Opportunity for Threat Actors

One of the things that’s particularly apparent is that an overall chaotic environment presents an opportunity for threat actors. I think we saw a lot of this at the start of COVID, where there was lots of chaos and uncertainty around just what was going on. Threat actors capitalized on that to send phishing emails that preyed upon people’s sensitivity around COVID. “Hey, here’s this policy, here’s this link, here’s this information” (but it was not a real email).

In the same way, we’re seeing that uncertainty being used by threat actors now. Uncertainty around federal employment, uncertainty around social security, all these things are in play because the threat actors, again, they’re seeing it work. 

This is financially motivated in the vast majority of cases.

That’s just one more opportunity that they have to create some uncertainty, create some risk, encourage people to click on things that they may not otherwise. The chaotic environment really presents an opportunity for those threat actors. 

Compliance Requirements are Driving Cybersecurity Investments

The other piece here that we’ve seen really building over the last number of years, and I think it’s continued to get stronger, is around insurance, compliance, and funder mandates.

I think we still have very few cases where organizations are coming to us and saying, hey, we just want to be as secure as we can, because we think it’s important, and we want to do it. We see organizations coming to us and saying, hey, our cyber liability insurance says that we need to do X, Y, or Z controls, and so we need to spend this money. Or, our board says that we need to meet this compliance standard. Or, our funder says, hey, you need to meet the NIST standard or CIS standard in order for you to continue funding.

I think that’s what we’re really seeing organizations use to adopt these changes. They’re not just doing it because they want to. They’re doing it because of some external pressure to make those changes. 

Loss of Reliable Official Cybersecurity Resources

I think the other new thing on here is some of the centralized resources that we have relied on, from FBI, from CISA, industry partners, if you’re following the news, the CVE, the Common Vulnerabilities and Exploits, that whole database and system is at risk from loss of federal funding. Some of that fractured, chaotic nature that we have at the federal space is really having meaningful impact in the tools and resources that MSPs rely on, that other cybersecurity providers rely on.

That’s shaking some of the foundation of incident response that we rely on.

Attacks on Personal Accounts and Devices Are Growing

The other piece I would say, just to wrap up, is that we’re certainly seeing that attacks are going beyond your work email, or your office phone, and into personal accounts, personal devices. While a year or so ago, you maybe got a fake phishing text message on your phone once a month, now I get them multiple times a day. Including WhatsApp messages. We see that as part of the attack chain that a lot of threat actors are doing, because the work environment is pretty well protected, while personal phones, even work phones, text messaging, WhatsApp, those communication channels just don’t have the same degree of controls around. Threat actors are attacking personal accounts to exploit and initiate campaigns to install malware or do other financial fraud transactions.

Carolyn Woodard: I think with AI also, we’re seeing that they can figure out who you are on Facebook, who you are on LinkedIn, and put that together with who you are at your nonprofit. And so, they’re triangulating that and going after you personally.

Matt Eshleman: I think that is one thing we are seeing at organizations, particularly in targeted sectors. Those that work in reproductive rights, immigration, even democracy and good governance, are taking some steps to pull down resources about their staff on the website, to make that change because threat actors are using that information to launch personally directed attacks against those individuals in a way that wasn’t happening a year or so ago.

What Kind of Scams Are Targeting Nonprofits? 

In terms of the overall landscape, though, I think we are still seeing, and I think this is probably something that we’ve echoed year after year, is that these generic automated attacks, viruses, malware, all that generalized stuff really is being blocked pretty effectively by the tools, even native tools, that are provided by Google or Microsoft. But they’re getting more sophisticated.

I think nonprofits especially remain at risk for targeted scams and cons for financial gain, and being used as targets to pivot to attack other organizations, like board members, partner organizations, funders, that kind of thing.

Nonprofits tend to be a soft target because they haven’t had the resources to invest in the cybersecurity protections that larger, more well-resourced organizations have. We’ll see in the data, but still the compromised emails, the spoofing, the phishing, that is the most common form of attack that we see amongst our clients. And we work with about 200 organizations. We support about 8,000 nonprofit staff, and the vast majority of attacks are really email-driven. That’s where all the volume is really coming from.

MFA Attacks

I’ve noted here that MFA protections are something that we’ve talked about for years and years and years. Last year, we saw the effectiveness of MFA fall because of these new attacker-in-the-middle attacks. Attacker in the middle is a way for attackers to steal not just your password, but your authentication token. MFA was kind of subverted. 

The good thing is that we are seeing some new and more sophisticated MFA methods start to be more easily deployed, so that is actually protecting organizations in a more comprehensive way. 

And then, as we talked about in the previous slide, hackers are taking advantage of this chaotic environment to have more effective and more successful attacks. While we are still seeing maybe a small increase in mission or hacktivist type attacks against individuals and organizations, the vast majority of attacks are still broadly distributed, and financially motivated. It’s not because of you and the organization that you work at, but it’s simply that you’ve got money, or maybe you have access to money, and that’s really driving the vast majority of attacks against organizations even to this day. 

I think on the operational side, we talked about cyber liability insurance. There are also some additional controls that are coming in the audit requirement SAS 145 which is now including IT risk assessments. Our CEO, Johan, talked a little bit about this a few months ago about those new dimensions of the financial audit that is including IT risk as part of the financial control. 

AI and Cybersecurity at Nonprofits

I don’t think you can have a presentation where you don’t talk about AI. And in terms of its impact in cybersecurity, I think it’s enabling both new attacks and automations, but it’s also enabling new protections as well.

We’ve kind of got this arms race of new attack vectors and options and sophistication, but then also improved protections as well. 

Wire Fraud

One of the things we’ll see in the data is that in general, wire fraud is what we are most concerned about because of the financial impact that it represents. And talking about protecting against wire fraud, there are some technical protections that we have in place. 

You can have all the technology in the world, but if we don’t have supporting processes and training, then they can be easily circumvented.

IT Governance as a Foundational Strategy

The operational trend here we are seeing a lot of emphasis on is IT governance. We’ve talked about this for many, many years, but the policy foundation is crucial. I think organizations in particular are becoming attuned to developing AI policies. And we’re starting to see that a lot.

We see a lot of traction there. I think that’s a really important thing to not only talk about as an organization from the policy side, but then connect that to technical controls, training for staff, so that you’ve got not just the policy foundation, but you also have a way to support and implement that as well.

Carolyn Woodard: I did put in the chat a whole bunch of resources, links to our site, and on communityit.com, you’ll find a whole bunch of the resources that I put in there.

Definitions and Jargon: Know the Lingo

I think we wanted to do a few definitions, Matt, just to make sure that we’re on the same page of what all of these acronyms are about. We always say you should be able to understand what your MSP is talking about. So go ahead and help us with some of these definitions.

Matt Eshleman: Sure. So this is kind of a laundry list of some of the things that we see and talk about. I think I’ve said a couple of these already.

We kind of generically define the person that’s kind of attacking you as the threat actor. That’s the person on the other side of the keyboard. It’s also helpful to understand that that is what’s happening, right? It’s not just anonymous or faceless. There is a person on the other side. 

Multi-factor authentication, MFA, something you know, which is your password, along with something you have, like an authenticator app, or increasingly a physical security key. We see that you intersect with MFA fatigue attacks or push attacks, where the threat actors will, if they have your password, they’ll just keep logging in, and logging in. You might get a couple of unprompted or unexpected MFA notifications on your phone, and they rely on somebody just being like, all right, fine. IT is always bugging me. I’m just going to hit OK. And then that can let them into your account. 

Smishing would be a term about cell phone or SMS phishing. So all those text messages that you get, that your EZPass is overdue or your FedEx delivery was not made, or maybe you’re getting recruiting e-mails. All of that stuff is smishing, which is compared to spear phishing, which is really targeted email-based attacks that are obfuscating the sender, maybe combining some unique information about you into an attack. So, the executive director is saying, hey, can you do this for me real quick? You know, I know we’re all getting those messages. So that’s kind of an example of spear phishing combining with spoofing, right? Faking who a message appears to be from in order to lend some sort of legitimacy.

QR code malware is something that we have kind of seen, I think, conceptually, but we haven’t – we see it kind of in some special cases. 

What we see a lot of and probably the most annoying variety of attacks is like the malware, the browser pop-up. And so that’s when you maybe go to a new website and all of a sudden your screen fills up with a very scary message that says, your computer has been compromised, please call this number. It’s a virus. But there’s nothing at all. It’s just they’ve been able to create a pop up that creates this sense of uncertainty. You call, but it ends up just being a scammer. That is very helpful to take your credit card, charge you $300, close out the browser, and then move on.

And then we’ll talk a little bit about pastejacking. I have an example of what that looks like. Basically, tricking people into running code on their computers.

And then doxxing is an attack where you’re really targeting an individual where they live, usually involving law enforcement or having some other sort of physical response in the real world at somebody’s house.

Carolyn Woodard: Luckily, I have not clicked on any QR code tricking malware, but I have started to see messages from your bank, and in the message, it’s the legitimate email that says, we will never ask you to verify something through a QR code. They’re seeing this scam and reacting to it as well. 

Poll 2: What Kind of Cybersecurity Incident Did You Have in the Past Year?

All right, I’m going to go ahead and launch this poll. This one is a multiple choice. What kind of cybersecurity incident did you have in the past year?

And you can choose as many as apply. 

There was a question about this. Is this just we were attacked, or it was successful? 

So, this is you were attacked. If you had an attack but you fought it off, you can go ahead and still put that in. And then I’m going to end the poll and share it.

And Matt, you can see the results again. Building on our success, we have a lot of people who said none. And then it looks like the compromised accounts is runner up.

Matt Eshleman: Yeah. I mean, the question is interesting, right? Security incident means something happened, which we differentiate from a breach, which is we have a confirmation that something was lost, or stolen, or unauthorized access was gained, right?

They are kind of two different things – related, but different. 

I would say I would expect 100% of respondents to say, we’ve had spoofing emails that we’ve received, right? That’s something that everybody should be experiencing, unless you’re maybe communicating only by letter, I don’t know – but something everybody experiences. 

The actual breach, like the confirmed compromise, is probably going to be less likely. About 10% of folks said they had some kind of virus or malware; a very small number of respondents said ransomware, either ransom was demanded and/or paid. So beyond just the initial email saying, hey, give me some money, maybe a website or other access was compromised.

About a third of the respondents said that they experienced compromised credentials. That’s something to note, because probably wire fraud is the most serious incident that we see.

Compromised accounts usually precede that in some form. And so that’s why we put a lot of emphasis on protecting against compromised accounts.

A good chunk had business email compromise. 

A small percentage would say advanced persistent threat. And I’d probably be even a little bit more precise, typically advanced persistent threat actors are state sponsored. Think Russia, North Korea, China, and those are typically targeting organizations that are doing policy work that are government adjacent. So, if you’re not in that sector, it’s very unlikely that you’re going to attract that attention. But on the flip side, if you are in a policy world or you have government staff or you have staff on your organization that have worked in the government previously, you’re very likely targeted by these sophisticated threat actors.

And then 13% of folks said that they had personal attacks outside of work on devices and emails. I think that’s an area I’m interested in to kind of track and understand how that changes over time. 

2025 Nonprofit Cybersecurity Incident Report Data

Talking a little bit about the attacks that we are seeing, as was mentioned, this is the seventh year we’ve done this report, and it’s interesting to see the data over time. We’ll see a little bit on a chart over that. 

You know, AI-powered phishing attacks, I think a lot of the things that we used to rely on to identify messages that were not sent by the person they say they were, that’s all really gone out the window because it’s very easy now to go to any of the AI tools, get a well-crafted message in whatever language you want, to create enticing content for people to click upon.

That works if you’re a hacker, it works if you’re in the development department. The tools are out there. The stakes have really gone up in terms of how to detect that kind of thing.

Last year, or I would say in 2023 was the first year that we saw these attacker-in-the-middle attacks that really circumvented multi-factor authentication. The flip side is that in the past year, we’ve really had an emphasis on improving MFA methods using what are called phish-resistant MFA methods or passkeys, physical tokens, as a way to prevent those attacks. Maybe not everybody in the organization needs to do it, but maybe your IT and your finance folks need to take that step.

Pastejacking, so we’ll have an example of that, but basically tricking people into running malicious PowerShell code on their computers. So instead of writing a sophisticated virus, you just ask somebody to run some suspicious code. And again, it’s a way to create uncertainty and use that to leverage access.

That is tied into compromised accounts. We’re also seeing once an account is compromised, the threat actors will then leverage the ability that Microsoft provides to install other applications into your environment. Through the cloud, you can authorize applications. If you are using Calendly or Otter AI as an add-in, you all get that little pop-up saying, hey, I want to authorize this app to read my email or do whatever.

The threat actors are doing that as well. If your account is compromised, they will often register additional applications under your profile so that they can maintain persistence. So even if you reset your password, reset your MFA, that access still exists.

Now it’s part of our incident response process. It’s gotten a lot more complex because now, instead of just resetting your password and then resetting your MFA, now we have to go through and look at all the actions that that threat actor may have taken to maintain persistence once they’ve been kicked out. 

Shadow IT as a Risk Not Just an Annoyance

And then I added this on here as a cybersecurity attack because I think it is interesting how shadow IT has maybe made the transition from being an annoyance that exists at organizations. For example, we’re a Microsoft shop, we use Microsoft, but somebody uses Google.

That has, I think, shifted from being, oh, that’s an annoyance and we wish our data was in one place – to now being a real risk to the organization because that data exists in other systems. It’s maybe unnumbered, it’s not protected, it doesn’t have the same set of controls that the primary system does. 

I think it’s particularly apparent in the use of AI and the use of AI tools and policies. I think organizations have done a good job of adopting or starting to write AI policies. There’s lots of great tools and templates. I think we have a great tool and template. There’s just a ton of resources out there to write great AI policies.

But the real work is not in the writing of the policy, it’s in the implementation and the training and the ongoing support and governance of it. What I see often is that organizations have written good AI policies, but then whenever we look and analyze the traffic of where folks are going in the organization, they are going to all kinds of other sites that aren’t on the official AI policy template. Even if those solutions maybe are safe, so to speak, data is potentially leaving the organization. That represents a risk. It’s not just the bad guy threat actors that are targeting us, but now we have a situation where we’re actually putting data out into ungoverned systems, and we lose control of that. I think that is an area where we’ve made the shift from these ungoverned shadow IT systems are just an annoyance or an ungoverned IT asset to now, they actually present a cybersecurity risk to the organization.

That ties into tools and solutions that are adopted without IT input or cybersecurity protections. Those things all kind of fit together. 

Data Mapping

Organizations really do need to make that investment in their own governance, particularly with a data map.

Where does the data live in the organization, which systems, who has rights to it? Make sure that we’ve got good protections around that data.

Staff On- and Off-Boarding

And then finally, just the perpetual issue that I know organizations face is just on staff offboarding. I think staff onboarding has gotten pretty good. I know organizations have good processes for that.

But whenever we do assessments, we often see that the staff offboarding process hasn’t lived up to those same standards. We have lots of accounts that exist for staff that haven’t logged in for quite a while. 

Attacker-in-the-Middle Attack Example

I just want to walk through the attacker-in-the-middle example. This is done using what’s now a commercially available framework, right? Hackers can buy these frameworks. 

What occurs is that an individual would receive a message, and often it’s going to be an email from a trusted partner, somebody that you already work with, but their account has been compromised. You have a partner organization that you work with. All of a sudden, you get a message from them. That’s maybe not unusual. But it’s a shared document link. 

In this case, the example is a PDF, and it’s from somebody you trust, right? So it goes straight through the spam filters. No issues. 

Whenever you click on the link though, if you’re paying attention, you will notice that the first link that it takes you to will look a little strange. It has a random string of characters, maybe a CAPTCHA built into it.

It’s routing your authentication traffic through a proxy, and then that proxy is able to steal your authentication token. Where you end up, you will actually get to your sign-in page, or the sign-in page for the organization, which is legitimate. But whenever you enter your credentials next, the threat actor is able to steal the authentication token.

It’s not your password, but it’s able to steal your access. And then they can, for all intents and purposes, appear as you. So that means that they have access to everything that your cloud account does.

And through that approach of using this attacker-in-the-middle example, even if you had MFA on your phone, or text messaging or the Authenticator app, you can be susceptible to this sort of attack because the attacker is able to steal this token. 

Microsoft has ways to help protect against this. They call it phish-resistant MFA. That would be through the use of a physical security key called a FIDO key. Or enabling passkey support in Microsoft Authenticator is a way to do this. Google has a similar methodology as well.

The attacker-in-the-middle attack, we saw that be very effective against multi-factor authentication, particularly in 2023, a little bit less so in 2024. It’s a significant security risk for individuals and organizations.

Pastejacking

The pastejacking attack starts in a very similar way. You may receive a message from a trusted partner, somebody that you work with. Again, simply a message with an attachment.

But then, in the message itself, you’re going to get some prompts. We’ve seen cases where this is combined, where maybe you’re having a conversation with an individual, where they want to send you this other link. For example. “I’m going to send you instructions for how to access our secure video call or secure communication channel.” 

All they’re doing is basically prompting people to open up the command prompt, and then they will copy and paste a whole bunch of PowerShell code and execute it. And then they’re able to gain access and gain persistence to that individual’s computer.

They could write sophisticated malware, try to get it through your email filters, make sure that you click on it, maybe make sure that the antivirus is not working, right? But in these pastejacking attacks, they’re working through a confidence scheme, or basically tricking you into running and subverting the technical controls that may be in place at your organization, in order to gain access to the system. 

On the one hand, it’s not that sophisticated because all they’re doing is asking you to run malicious software. At the same time, it takes a certain amount of gall and time to outright ask you, “Hey, can you go ahead and click on this for me?” So that’s a pastejacking attack, something we saw in 2024 with some frequency.

Incident Report: The Data

We support about 200 organizations, about 8,000 staff. We’ve categorized these threats in a couple of different categories, from high risk to medium and low risk threats. 

In the high-risk threat category, we have something called brute force attacks. That’s something we really see with organizations that still have on-premises server infrastructure. That number of servers we support continues to really plummet, but organizations still have it. 

If a server is connected to some cloud resources or has any exposure to the internet at all, we see these types of attacks initiated, particularly for us whenever we onboard new organizations. This is one of our specific threat monitors that we turn on. Whenever we onboard a new organization, often we’ll see these monitors trip, because maybe a previous provider had a port open to the internet. They weren’t really looking for it. But if anything is open to the internet, it does get targeted. Brute force attacks focus on physical server infrastructure. 

Compromised accounts, we had 32 of those last year. 

And then in the single digits, advanced persistent threats.

And we did have a couple of cases of wire fraud. 

Ransomware was zero again. 

I think the other thing I’ll just call your attention to is just the number of compromised accounts suspected that we responded to. It was almost 500. This reflects Community IT adding more tooling to help identify these. But we’re also getting a lot of noise.

And I think that’s one thing we’ll flag here in some of the later slides. When there’s an increase in attacks, there’s an increase in the noise as well.

Whenever we compare this year over year, I think this is the thing that gives me a little bit of hope is that there’s actually some red, right? We actually saw a reduction in a number of the attacks year over year. Most notably, I would say, in the confirmed account compromise, right? We went down from a high of 44 in 2023 down to 32. About a quarter, a 20 percent reduction there. We did have more suspected account compromises. Again, a reflection, I think, of more security tools that we had in place to monitor logs and alert us to that.

We saw a reduction in the advanced persistent threats that we were responding to. And a reduction in wire fraud again. So even going from six to three, I think that’s a mark of success. It’s still a relatively low number overall, when you put it in perspective. But those three wire fraud incidents were significant to the organizations that were victims. 

And again, we had kind of nominal numbers in terms of viruses; malware is in a relatively low amount as well. I think part of that is the sample size, right? For our customers, we’re managing updates, we’re deploying antivirus, doing third-party patching, right? We’re investing a lot.

For organizations that are making those investments, endpoint protection is a relatively low-risk area.

Advanced Persistent Threat Techniques

Carolyn Woodard: Without naming names, can you give an example of the Advanced Persistent Threat?

Matt Eshleman: Yes. I mean, there’s lots of the Chinese and North Korean state actors. So, they target our clients that do policy work.

We’ve had a couple of cases where that example that I shared about setting up an interview through Zoom, but then the Zoom interview doesn’t really work. They’ll say, give me your WhatsApp information. I need to send you my WhatsApp. And then they move it out of corporately controlled resources into something else. That’s something that we see quite a lot of, that kind of attack vector. 

The other thing we see with Advanced Persistent Threat Actors is that they will take names of trusted analysts at other organizations and then create very sophisticated spoofed accounts of those individuals and then initiate those conversations. They don’t start off with, hey, can you click on this? But it’s often, hey, I want your input on this paper. We’re convening a meeting. We’re talking about this resource.

And so there will be a steady buildup of communication with the ultimate goal of, yes, having that Zoom meeting, having that interaction where they can get you to click on a link, to open up some software, to do something else to circumvent those controls. 

Spam, spoofing, spear phishing, all of the junk email just continues to increase year over year. I mean, this is one thing that we do train our clients like, hey, if you have something suspicious, send it our way. This is just stuff that clients have sent to us. This doesn’t even represent the things that the spam tools are blocking, right? There wouldn’t be a chart big enough scale to show how much stuff we’re already blocking. This is just the stuff that’s getting through. 

Here we’ve got two different scales. The left scale would be the spoofing. So again, 400 or so messages of those are reported. And then the spam, the stuff that people can unsubscribe from, you can block on your own. You don’t want it; you can get rid of it. But that number does continue to climb year after year. 

Trends for 2025

What can we see? I don’t know, maybe the peak is over in terms of cyber threats.

When I was looking at the data, kind of reflecting back on it over the year, some of the stuff that we are talking about in terms of phish-resistant MFA and maybe the maniacal focus on security awareness training, I think it shows just how effective that is. I think it’s paying dividends. 

And I think the other piece around that is I think the staff are aware of wire fraud. I think a lot of organizations, particularly those that do microfinance or that kind of granting, have been stung in the past. I think organizations have improved their financial controls internally. They have built not only improved technical protections, but also process improvements to say, if we’re going to make a change in wire payment information, we call the person from a number we already have. We have to have a Zoom meeting with a person to confirm this. We don’t just do stuff over email as the only way. 

I think the other piece is that, and we saw it a little bit in the data, right? The new tools are in place that require additional monitoring capabilities. For a lot of those account compromises, we were able to respond to those because we have tools in place that alert us when something suspicious is happening, but they still have a pretty high false positive rate. One of the things that we’re struggling with is managing the volume of alerts, right?

We had almost 500 alerts for suspicious logins, but there were only 30 true account compromises. I’m glad we knew about it because we can respond quickly, but it doesn’t mean that there isn’t a lot of noise that we have to filter out. 

I think organizations are taking that step to invest in their protection. And there’s a lot, I think a lot of great tools, right? So even a couple of years ago, I would say that area was pretty immature. But now I feel like we’ve got really great cybersecurity protection tools available to help guard against the most common threats like spam and email-based attacks. There are really good tools that we can implement to help protect against that. And the same thing with cloud identity protection. There are really good tools now to help identify, monitor, even proactively block whenever something suspicious seems to be happening. And then I think there is an opportunity. 

Protection needs to expand beyond the boundaries of work. I think we had a blog post to talk a little bit about some things that you can do to protect your own personal digital identity, because that does seem to be at risk more and more, you know, particularly in those kind of focused organization sectors.

Nonprofit Organization Protections

So, it’s not all necessarily doom and gloom, and I always like to talk about, well, what can we do to protect your organization? 

Policy Foundation/IT Governance

And, you know, it really comes back to that policy foundation. If organizations have not taken that step already, or maybe have a policy that was adopted a while ago and hasn’t been updated, that’s a good opportunity to start.

IT acceptable use, just kind of that general framework, right? Incident response. And I think this is one, it’s important for organizations to have. If Community IT is your IT partner, we have our incident response policy, right? That’s what we do. Whenever you tell us you have an incident.

But organizations need to have that for themselves as well. You know, what do we do? Calling your IT provider is part of that, but there’s probably other things that you need to do as an organization beyond just talking to your IT partner.

AI acceptable use. Again, there’s lots of great AI policies. I think the challenge for them is not the policy itself, but it’s the implementation, governance and ongoing support.

Having that disaster recovery, disaster response plan, and then data retention policy. I will just say that this is something we’re seeing organizations be more attentive to, particularly in the last couple of months. Just how much data are we retaining, particularly on email, and making sure that if we say, hey, we’re going to keep data for a year or 18 months or two years, that those policies are then followed up with the mechanism to actually purge out data after those times.

Security Awareness Training

Again, security awareness training, we’re big fans of that. It doesn’t need to take up a lot of time, but it needs to be part of the culture of the organization. It also gives you an opportunity to talk about security at your staff meetings, results, phish tests, all those things that I think are important and just help to build a culture of security.

For organizations, I think phish-resistant MFA is a big thing to focus on. It doesn’t necessarily need to be everybody in the organization. It’s a little bit of a higher lift than the MFA that we all have in our pockets, but it’s an important step, particularly for folks in the finance, IT, maybe HR, people that maybe have access to more sensitive information.

As we’ve seen, spam and spoofing like that is the biggest threat organizations face. It’s where a lot of the attacks start. There’s clickjacking, all that stuff really starts in e-mail. If we can reduce that, I think that reduces the surface area for attack. A third-party e-mail filtering tool is really important to help protect against that. The same goes for Cloud Identity Protection. This is a new solution area that has really matured in the last year or so. Now, there’s really good tools that are worth leveraging that have a much lower false positive rate that can help identify, like, hey, this suspicious Cloud account doesn’t look right, like we’re going to lock it automatically or have built-in alerting rules to help protect against those account compromises. 

Then finally, the basics, patching, updating your computer. It’s all boring. Restarting your computer once a week, that’s actually a great security thing that you can do. Doesn’t take much time, but it’s important because it helps all those security updates get applied and keep your device secure.

Carolyn Woodard: We do have our Community IT Cyber Offerings. That’s at communityit.com/cybersecurity. You can find how we think about it and what we offer, and also a bunch of free resources as well that I’ve been sharing here in chat and I’ll put in the transcript.

And of course, they’re on our site. You’ll also find the link to schedule some time with Matt there to grab some time and talk to him about your cybersecurity questions or if you need an assessment. 

We do have a monthly webinar series. Next month, it’s going to be May 28th. We are going to be talking with Nuradeen Aboki about IT essentials for your nonprofit in these challenging times. He’s going to talk with us about making the hard choices in our current climate and facing challenges with your essential IT intact. We’ll talk about governance that helps you manage risks and how to budget wisely. We’ll also talk about in-house versus outsourcing IT and where you can find some value there, especially if you’re facing staffing cuts or major disruptions in your programs or your funding. We’ll talk about how you keep your IT lights on in the midst of changes to your nonprofit, and also how do you maintain a healthy workplace with all of this mounting stress as we’re continuing to deal with all these challenges.

That’ll be at 3 PM Eastern, Noon Pacific on Wednesday, May 28th. I’m going to share the link for that as well. You can register for it right now. It’s just going to be on Zoom. We really appreciate you joining us for these monthly webinars. We love sharing our information and resources with the community.

And I just love that the chat today was really active. People were sharing ideas and information. So Matt, if you can stay on for a minute or two, and if the people in the Zoom can stay on, we have a couple of questions for you.

I do want to go back over our learning objectives. We were going to learn about a basic approach to cybersecurity, the trends in the attacks and the organization protections that we saw in 2024 and beginning in 2025 as everything is changing, we wanted to understand evolving security best practices and learn the role of governance policy and training in protecting your nonprofit from these common scams and from new scams that are coming up. 

We’re hoping that you’ll hear about it here, be able to train your staff on it before they see it in the wild and they see the pastejacking or the other types of new scams that are coming through. I hope that was helpful. 

Q&A

Now we’ll go to Q&A and I want to make sure that if we have Q&A questions in the room as well, we can ask those. But there were a couple in the chat. One is,

Do you have any advice for communicating these threats and individual responsibility against cyber-attacks with staff, especially if you’re not getting responses, folks aren’t reading their e-mails, et cetera?

Matt Eshleman: Yeah. I mean, I think it’s a challenge. And I think it’s something that really starts from the top.

When we talk about security awareness training, it’s something that whenever we kick it off, we ask for time at a staff meeting and we ask to be introduced by the executive director. It’s something that really starts at the top and is something that everybody needs to be involved in. And so, if your organization, if you’re an executive director or your operation staff are like, ah, security awareness training is something for everybody else, but we’re not going to participate in it, you’re probably not going to be successful.

I think fortunately, with our clients, we are really seeing executive directors and leadership understand the risks that it presents to their organization. And so, they are in favor of it. I think communication does need to be multi-channel. You can’t just rely on email alone. And again, that’s why whenever we kick off our Security Awareness Training, it’s a meeting that we do. It’s part of a staff meeting. So, there’s an in-person element, there’s email follow-up. 

And then something that we do is whenever clients report phishing messages to us, from time to time, we want to report back and provide some feedback. So again, I think it needs to be a multi-channel approach, so that they’re not just hearing it one time once a year, but Security Awareness Training and Security Education needs to be something that is really infused into the organization on a regular basis just as part of the ongoing conversation that’s happening at your organization.

Carolyn Woodard: Yeah, I think sometimes when you get the employee handbook on the first day or two that you’re at your organization and then you never hear about it again, that’s not a good situation. You want to make sure that it’s ongoing. But then yeah, you do have to be careful about it becoming all the time.

And try to enlist your staff as part of your army. They’re protecting your organization and they care about it enough to work for your organization. So hopefully, they can take that to heart.

We have another question. 

Do you have any thoughts on Microsoft saying that passkeys are the future of authentication and they’re going to be eliminating passwords and two-factor authentication?

Matt Eshleman: Yeah, I think it’s great. I think Microsoft is doing it because they have the data that they can see, just how many account compromises are occurring. I think they’ve been exploited in that attacker in the middle methodology. I think they are working to provide more secure ways to provide access to information. 

I think as organizations can make that switch into passkeys, that combines a more physical connection to that authentication. In the attacker in the middle example, the problem is that authentication token can be moved. It works on this device, but then somebody halfway across the world can still use it to authenticate. Passkeys are tied to physical devices, and so in the same scenario in the attacker in the middle, if you would click on that, you had a passkey, that authentication is bound to the device that you are on, and it cannot be moved and used somewhere else. 

I think they’re doing a lot of innovation. They’re dragging some people kicking and screaming into that, but I do think it’s a good step to take, and it’s needed. We can see it from the data, even with MFA, there’s a lot of account compromises that are still occurring and that we can actually prevent through some of the improved technology controls. 

The next question is, 

Should we remove staff information from your website?

I would say it depends on your organization’s risk tolerance and the sector that you’re in. I think in general, bad guys are using it to know more about your organization. Threat actors are saying, oh, here’s the people on the board, here’s the executive leadership, here’s the accounts payable person. I’m going to use that information to create a compelling email to say, oh, the board member needs this access or here’s the invoice for these executive services for this person.

I think in general, publicly available information is used by threat actors for primarily financial schemes. 

I think the organizations that we have seen take the steps to remove personal information from websites have been those that are getting just vitriolic personal attacks. That’s more targeted at those nonprofits specifically. Immigration is something that we’ve seen a lot, you know, refugee asylum, LGBTQIA. So those people are targeted more for those direct personal attacks, in addition to just the financial fraud stuff that just kind of occurs.

I think that’s something that organizations need to be aware of, and it’s probably a risk tolerance conversation that needs to happen.

Carolyn Woodard: Do you have more questions? Any other questions? No? All right. Well, in that case, Matt, I think we will finish up. I want to thank you so much for your time today. In person, we got to ask you our questions. And thank you everyone who joined us through Zoom. We really appreciate it. We love doing these monthly webinar series. I’m going to let you get back to your day. Thanks for staying over a minute or two with us if you were able to.

And I hope to see you next month for that webinar on Essential IT in Challenging Times. And so we’ll come back, and join us, and we’ll talk about how we’re all going to get through this together. Thank you again and have a great rest of your day.

Photo by Debby Hudson on Unsplash