What scams are circulating and how can you protect yourself and your organization?
Nonprofit Cybersecurity expert and Community IT CTO Matt Eshleman runs through common scams and new tactics that we are seeing at nonprofits and simple steps you and your staff can take at this time of year to be better protected.
Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Takeaways on Nonprofit Cybersecurity for the Holidays
Common scams
- “Your package couldn’t be delivered” … this email tries to get you to click on a link or respond in some way, using social engineering/helpfulness/urgency to trick you into helping a colleague or sorting out a problem with a package. These emails or texts try to get you to click on the link, give your login, or otherwise interact with the fake package delivery scammer.
- “The Executive Director needs to purchase holiday gift cards for staff” … a variation on the “gift card” scam oriented towards the end of the year, holiday parties, gifts for donors or volunteers… these emails or texts try to get you to click on the link, give your login, or actually purchase the cards. Gift cards are an attractive scam to hackers, because once they have the code, the victim’s money is gone. A quick and immediate scam.
- Pop-up “your computer has been compromised, call this number” scam … often the pop-up can’t be closed (you should shut down and log back in, and alert someone on your actual IT help desk team). This scam tries to get you to interact with a fake help desk and hand over login credentials, allowing the “help desk” to install monitoring on the system, or to hand over payment information. Often the fake help desk will retarget the victim regularly to continue to “help.” This scam can be initiated by clicking on a link in a phishing email, opening a document with a fake link, or scanning a fake QR code.
New Scams
- Spam bombs… followed by a helpful call from “the IT help desk” … this scam inundates your inbox with hundreds to thousands of spam emails an hour. Even if you have good inbox protections, they can be overwhelmed by the volume. The scam aims to make the victim anxious about the spam attack and relieved when “the help desk” notices the increase in spam and reaches out to help. It tricks the victim into interacting with a fake help desk and handing over login credentials, allowing the “help desk” to install monitoring on the system, or handing over payment information.
- AI deep fake voice and video scams… growing in presence as the tools to create deepfakes become more available and affordable. In addition to giving a fake contact number for the “help desk” the scammers may provide AI generated audio or video that matches what the victim expects their regular contact to sound and look like.
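The spam-bomb pattern above has a useful defensive signal: the flood itself. An inbox that normally receives a handful of messages an hour suddenly receives hundreds, most of them caught by the filter. The script below is an added illustration (not Community IT's tooling) of how an IT team could watch mail-gateway logs for that spike per mailbox, so the team contacts the affected person first, before a fake "help desk" does. The log line format, the 60-minute window, the 200-message threshold and the sample traffic are all assumptions constructed for the example.

```python
"""Flag a sudden inbound-mail flood to a single mailbox (a "spam bomb").

Added example; the gateway log format below is an assumption, not a real product's format:
    2024-12-20T16:05:12 to=alice@example.org from=x@bulk.example action=quarantine
One line per inbound message, whether delivered or quarantined. Quarantined mail is
counted too: the point is that the filter catching most of it is not the end of the story.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Return (timestamp, recipient, action) from one assumed-format log line."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts_text), kv["to"], kv["action"]


def detect_floods(lines, window=timedelta(minutes=60), threshold=200):
    """Sliding-window count of inbound messages per recipient.

    Returns {recipient: (time_threshold_crossed, messages_in_window, quarantined_in_window)}
    for every mailbox whose count inside `window` reached `threshold`; each mailbox is
    reported once, at the first crossing.
    """
    events = sorted(parse_line(line) for line in lines)  # log order is not assumed
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, action) inside the window
    alerts = {}
    for ts, rcpt, action in events:
        q = recent[rcpt]
        q.append((ts, action))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        if rcpt not in alerts and len(q) >= threshold:
            quarantined = sum(1 for _, a in q if a == "quarantine")
            alerts[rcpt] = (ts, len(q), quarantined)
    return alerts


def build_sample_log():
    """Constructed sample: a quiet morning for two mailboxes, then a flood at alice."""
    base = datetime(2024, 12, 20, 9, 0, 0)
    lines = []
    for i in range(8):  # a message every 30 minutes to each mailbox
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} to=alice@example.org from=colleague@example.org action=deliver")
        lines.append(f"{t.isoformat()} to=bob@example.org from=donor@example.net action=deliver")
    flood_start = datetime(2024, 12, 20, 16, 0, 0)  # 4 pm on the Friday before the break
    for i in range(450):  # 450 messages in 30 minutes; the filter quarantines four in five
        t = flood_start + timedelta(seconds=4 * i)
        action = "quarantine" if i % 5 else "deliver"
        lines.append(f"{t.isoformat()} to=alice@example.org from=signup{i}@bulk.example action={action}")
    return lines


if __name__ == "__main__":
    for rcpt, (when, total, quarantined) in detect_floods(build_sample_log()).items():
        print(f"{when.isoformat()} {rcpt}: {total} inbound messages in the last hour "
              f"({quarantined} quarantined). Contact the user through the documented "
              f"IT channel; warn them that any unsolicited 'help desk' call is not from us.")
```

In a real deployment the threshold should sit well above each mailbox's normal hourly volume, and the alert should route to the on-call person named in the incident response plan, not to the flooded inbox, which is exactly the place the user will not be able to read.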
Protections Against Holiday Scams
- Stay suspicious, particularly at the end of the day before a holiday break and the week before that break. Take9 has some good training and advice on taking a pause before you respond or click. Scammers use urgency to try to get you to use work-arounds, particularly when you are trying to close your laptop for the day and go do holiday activities!
- Be particularly suspicious of inbound calls and new contact information at any time of year, but especially around the holidays. Do not give your login credentials or other information to someone who called or texted you claiming to be from IT or your bank. Always check through your previously documented processes, or end the interaction and initiate a new conversation your regular way, using a number on file or going to an official website you have used before.
- Review your incident response plan, particularly your phone tree, before the holidays. Make sure you know who to call to report a suspicion or problem, and make sure that your point of contact has a substitute for when they are out of the office for the holidays. Who is “on call”? Check that you have no single points of failure in your response plan. Now is probably not the time to re-write your response plan, just to review it and remind staff of the process.
- Have strong cybersecurity already in place. Strong passwords, MFA requirements, physical MFA keys for staff who are particularly targeted like your Executive Director and CFO, staff training on the importance of cybersecurity to protect your organization – maybe even a quick training on holiday scams to watch out for … taking proactive steps will give you peace of mind during your holidays.
- Do not be tricked into using a work-around. Someone you usually interact with will understand your process and will not pressure you into just doing a different thing at 5pm on a Friday “because the regular person has gone home.” Always use your established procedures. The regular people you work with can wait until the next business day, even/especially if that is after the holidays.
- Do report something, using your incident response plan. If you did click on something suspicious at 5pm on a Friday, you don’t want to leave it to the hackers for the entire long weekend or holiday break to be in your system. Use your response plan to report it immediately to the person on call for your cybersecurity.
Community IT seeks to provide trusted advice and guidelines for nonprofit cybersecurity safety around the holidays. If you have questions on cybersecurity assessments, staff training, incident response plans, or other cybersecurity topics, reach out and schedule a conversation or assessment with Matt.
Presenters

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident Cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits in addition to nonprofit cybersecurity for the holidays, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Matt Eshleman about nonprofit cybersecurity for the holidays.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. We don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about recovering from a cybersecurity incident, you shouldn’t have to worry about understanding your provider.
If you have questions about nonprofit cybersecurity for the holidays, incident response planning, or business continuity, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome everyone to the Community IT Innovators Technology Topics Podcast. I am Carolyn Woodard, the host, and I am happy to welcome today my colleague, Matt Eshleman, who is our CTO at Community IT and our cybersecurity, I don’t know, guru, expert. Matt, would you like to introduce yourself?
Matthew Eshleman: Sure. Good to be with you all today. My name is Matthew Eshleman, and I’m, as Carolyn said, the Chief Technology Officer. I have been with Community IT for quite a while, I started full time all the way back in 2002, and have been doing a lot of different roles over time. And yeah, I spend a lot of my time thinking about and responding to different cybersecurity issues for our clients.
Carolyn Woodard: Yeah, and there’s so much, and I know that whenever I have questions about it, I always turn to you to help understand a little bit better what the new scam is or how it’s worked, or I heard about this other thing or that sort of thing.
Today, I wanted to talk with you. We’re coming up on the end of the year, and I hope all of the nonprofits listening are having galas and doing all of the year-end stuff and having the office parties and having a good time, but there are a lot of scams that circulate around the holidays, any holiday, any long weekend, it seems, but particularly the year-end holidays, because they are longer, people are out of the office, so it can be harder to check.
I wanted to ask you first, what are the typical scams that go around at this time of year? If you could just kind of give us a rundown.
Matthew Eshleman: Sure. So I think a lot of the things that we see at this time of year are really kind of in line with the season. Many of us are getting a lot of things shipped to us, and so there’s lots of shipping confirmation emails that you need to click to track your package. The bad guys know that, and so we certainly do see a lot of those kind of phishing emails that take on those attributes. Click to see your package, your package wasn’t delivered, that really important gift you thought you were getting. Click here to update it.
I think the people on the other side of the keyboard are really in tune with what’s going on from a seasonality perspective, and they take advantage of that in order to create those enticing emails for us to click on. So just be extra cautious about clicking on any of those messages in your inbox. Whether you’re expecting a delivery from UPS or not, just take that extra moment to review it critically before taking that action to click.
Carolyn Woodard: I think it happens a lot in an office where you get the email and there might be somebody else who did get the package. So, there’s that for your own personal life, well, you should be careful for your personal life too, if you get that email that says, oh, we couldn’t deliver your package. But I think for yourself and your family, you know better, well, I didn’t order anything or that isn’t what I was expecting.
But in an office situation, you might think, well, there’s nobody at the front desk for some reason and I don’t know who ordered something. So, I’m going to click on it and see if it’s important.
Matthew Eshleman: I think that’s probably the seasonality item that we see a lot more this time of year.
It’s also a good opportunity, the buying of gift cards, that’s a preferred method. It’s an easy way for hackers to have that financial crime, get the Amazon gift cards or whatever. And so again, in your office, you get an email that says hey, I need to buy some gift cards, I want to hand them out to the staff.
Think, is that something your organization would do? So that is something where gift cards are a preferred way to basically target folks. Because once the codes are revealed, they can just use them right away. There’s not the same hurdle, even that maybe a wire transfer has a little bit of a longer tail to it.
So sharing gift card numbers and activation codes with somebody on the other side, means that that money is basically gone as soon as you hand over that information.
Carolyn Woodard: Are there any other scams that either come up at holidays or that you’ve seen recently, this year?
Matthew Eshleman: In terms of new things for 2026, I think some of the things that we saw that were new were kind of these spam bomb attacks followed by a friendly tech support call.
This happened at a couple of clients that we support, right? Where somebody all of a sudden just got inundated with spam and junk messages. It even kind of overwhelmed their spam filters. They were getting hundreds of messages an hour, thousands.
And then in a couple of cases, that was then followed up by a call to them at their office number, saying, hey, we’re with IT. We detected that you were getting a lot of spam messages. Can we help you figure out what’s going on? Again, thankfully, they didn’t proceed with interacting. But the next step is, okay, let me remotely install this link. Let me download a remote control tool to your computer. Again, all kinds of things that are maybe common in an end user support role.
But instead of it being your trusted IT partner, it was somebody that’s basically operating a scam and then socially engineering you into taking actions like installing software on your computer that really shouldn’t be there.
Or maybe they were going to… This happens to you personally, right? Maybe it’s just a request. Hey, give me your credit card. I just need to charge you a setup fee to solve this issue.
So that was a new thing that we saw in a couple of cases this year that is really frustrating to deal with. I think both from the end user because it’s not like there’s one-off, hey, buy this gift card. Okay, you can ignore that.
But it really is a headache whenever you’re getting hundreds or thousands of messages flooding your inbox. And even if you’ve got really good spam filtering, it can be really tricky for those tools to navigate just that sheer volume of email. So that was a new one for us that we responded to in a couple of different cases here in 2025.
Carolyn Woodard: Wow, that is so nefarious.
Matthew Eshleman: Yeah.
Carolyn Woodard: But it does, it reminds me of the scam where you get the pop-up that says that your computer’s been infected and you can’t close it. It’s got the number on it to call.
But I guess in both of those cases, that’s the advice, is if you’re getting an inbound call or you get a new number to call, don’t call it. Call your established method, the person you always talk to, report it to somebody. Call our IT, our help desk or whoever your help desk is, yourself, not this other random person.
Matthew Eshleman: Yeah. I think that’s exactly true.
And I think, as I was reflecting back on, okay, so what are some things that we can do that are to help prevent these attacks from occurring or maybe how can we educate or have better practices to respond? That actually still hasn’t changed.
So there might be new attacks, right? We didn’t even talk about kind of AI, kind of voice phishing or deep, deep fakes between video and audio to emulate other people’s voices, right?
There are lots of really tricky things out there, but some of the oldie but goodie cybersecurity advice is still really relevant, maybe with some updates, right?
So now we’re working with organizations to implement phishing-resistant MFA. That may be with a more secure app on your phone or a physical security key. Having that in place is still a really good security control.
Having pre-established contact information or purchasing protocols that are well-communicated and documented is a valuable practice.
It doesn’t matter how tricky the adversary is in terms of presenting you with an invoice that looks really realistic. If your process says, okay, like here’s our procurement process and here’s the number to call with the verified payment information. We don’t verify payment information off of information provided over email. Or the CEO says, hey, sometimes we buy gift cards for our staff. But here’s my number and this is the number you should call instead of responding to the contact information that’s provided in a chat message or WhatsApp or wherever the method might be.
Those pre-established processes really help, regardless of the changing environment or situation or how sophisticated these attackers might be.
You’re not saying, hey, let’s try to figure out the next new thing and how to combat this. It’s no, we have established processes and practices. Just follow those, and that really goes a long way to protecting your organization.
Carolyn Woodard: Yeah, it gives you, I mean, I know you need to be suspicious, but it also, if you know that you have a strong password and you have strong MFA, then you have protection that you should feel fairly confident in. So that is what they’re trying to get around, right? They’re trying to get you to not do your established process or to do a workaround.
And I think that’s also where the holidays becomes that social engineering and that sense of urgency, like we need to do this now. We just changed our number that you need to wire this to, and the person who’s usually here isn’t here. And so they’re trying to give you that sense of urgency that you can help them out by doing a workaround.
And our advice is just ALWAYS follow your established procedures. Don’t let them trick you into working around.
Matthew Eshleman: Yeah, exactly.
Carolyn Woodard: And that happened, well, I guess it wasn’t totally a workaround, but I was working on our website. I maintain our website, and it was the Friday evening, it was five o’clock before the long Christmas holidays. And I couldn’t get into the website. There had been a bot, too many attempts, and I freaked out.
And unfortunately for him, one of our colleagues still had his little green light on in our Teams, so I knew he was still working. And I texted him right away, saying, I don’t know what to do. And he said, well, do you have a strong password? And I said, oh, yeah, you know, and do you have MFA? And I said, yeah. And he said, well, then they’re just trying. They’re not going to be able to get in. Give it 20 minutes, it’ll like calm down and it’ll let you in again, which is exactly what happened.
But they’re trying to get you on those, you know, the end of the day before a long weekend, before the holidays. And it can be really scary, it could give you a lot of anxiety.
Matthew Eshleman: Yeah, that’s true. And I think especially for organizations maybe that are still maintaining some on-premise server infrastructure, you know, we’re already past Thanksgiving. That historically for us had been a time where, you know, the number of security alerts for kind of just mass brute force login attacks, it really ramped up, right?
We could count on it like year after year, because that was often the escalation point over some of those weekends. And you could see it Wednesday at 5 p.m. Eastern before Thanksgiving, these attacks would just start, because the attackers know, right? Hey, this is the US, they have a long weekend, right? A really long weekend, so it gives them a lot of time to test systems that may not be monitored as closely as other times.
You know, that’s shifted a little bit, right? Obviously, with some of the shift of resources to the cloud. But, you know, I think the attackers and adversaries definitely know when the holidays are, when people are away.
And they are combining that knowledge, leveraging AI, right, to create compelling narratives, to get people to click on things or open stuff. You know, this is the time of year, right? We have fundraising appeals, we have shipping information. There’s lower staff, right? Maybe new devices, right? People are maybe getting a new phone for Christmas, right? So, hey, I need to add this new device as my MFA method, right?
There’s lots of different avenues to exploit during this time of year. So just make sure you take a moment, trust your gut, and then, you know, know that you have an established process or pathway to talk to somebody, just to look at this and get another set of eyes on it.
The adversaries really take advantage of that compulsion to act and act quickly, or, you know, you’re looking on your phone, and maybe don’t see the full context of the message. These are all areas to just, hey, take a moment, it’s going to be okay. Literally, think critically. And if you have a question, you already have the number in your phone or on your computer to talk to somebody directly as opposed to just calling them back on whatever number that they provide.
Carolyn Woodard: I think that makes sense.
And so that would be another thing to have people think about is, even if you’re rushing, you want to get out of the office or you want to get out of your home office and get doing what you need to be doing for a holiday. Just keep that suspicion about things that are suspicious, particularly in that those hours, around closing time, basically.
Because it also gives the criminal, if you click on that thing and you don’t realize it until you come back a week later, then they’ve had that whole week to be in your system to do the thing. So just think to yourself, is somebody really going to be emailing me at five o’clock on the Wednesday before Thanksgiving to do something? It’s probably a scam.
And I wonder too, this is making me think about your disaster preparedness guide or your incident response plan. And you did a webinar with us last summer about doing the tabletop exercise and going through, if we had some kind of an incident, are there weaknesses in our plan, that sort of thing.
I wonder if that might be another piece of advice before the holidays or this time period between Thanksgiving and the holidays to really go back over your paper copy of the phone tree. Who do you call if there is a crisis, a problem, when it is the holidays? Because it may happen that somebody clicks on that link at five o’clock because they just want to get out of the office and they wire the money to the wrong place. So then they have to know who do they call, who is on call.
Like you said, sometimes you’re the one who is answering the phones over the weekends. So having that information in front of you, I think maybe something good to review at this time of year. Hopefully, you won’t need it.
Matthew Eshleman: Yeah, exactly. An ounce of prevention is worth a pound of cure. But again, as you identified, this time of year, especially with people being out and traveling and again, maybe having new phones or new devices, it is good before everybody checks out for the end of year break, if there is an issue, know who is around or who is available, somebody might be traveling and not be in your incident response plan.
Who is the backup? Who’s the next person if the person may be primarily responsible for handling the incident is, whatever, in the woods of northern Wisconsin, where there’s no cell phone and no internet, and so they can’t manage the incident response. Who does that fall to?
That’s a good opportunity to review your plan. You probably don’t want to rewrite your incident response plan at this time of year, but you want to make sure that you have those alternate contacts in place, make sure the contact information is all verified and checks out. And the people that know that they’re the backup, they’ve been informed and they’re expecting it as well.
Carolyn Woodard: Yeah, that makes sense.
I think if I want to just quickly review before we end,
We want people to be suspicious, be maybe particularly extra suspicious because of the holidays.
We want people to have the processes in place, right? So have strong passwords, have MFA, have the way that you’re supposed to do things, the way you’re supposed to verify them.
Don’t use workarounds. Don’t let somebody talk you into doing something out of the way you usually do it.
Review that incident response plan in the phone tree of who you call if there is an incident, and just make sure that’s all up to date.
Anything else you would say?
Matthew Eshleman: No, that sounds like a pretty comprehensive list.
And feel free to take time off. It’s okay. The phone and the email will still be there. You know, when you get back, so, you know, it’s okay to take a break.
Carolyn Woodard: Exactly. It’s important. It’s important to take a break and enjoy this time of year. And so, I think you can even relax a little bit more if you’ve taken some of these steps to be as safe as possible.
Matthew Eshleman: Yep, exactly.
Carolyn Woodard: Great. Well, thank you, Matt, for sharing this with us and with our audience. I love that you take time out of your holidays and end of the year stuff that you’re working on to make sure we’re all up to date on all of this.
Matthew Eshleman: Yep, you are welcome. It’s good information to share. And yeah, hopefully this, you know, again, prevents somebody from being victimized by the cyber criminals that are out there.
Carolyn Woodard: Yeah. Thank you.
Matthew Eshleman: Thanks, Carolyn.
Photo by Wicked Monday on Unsplash