Community IT urges nonprofits to prioritize phishing defenses, phish‑resistant MFA and tested incident response
Summary
Community IT presenters told nonprofit attendees that targeted wire fraud and spear‑phishing are the leading financial risks, outlined free Legal Services Corporation training available to grantees, and recommended phish‑resistant MFA, backups and tabletop incident‑response exercises.
Matthew Eshelman, chief technology officer at Community IT, told nonprofit leaders onstage that the sector’s most urgent cyberthreat is targeted financial fraud initiated through spear‑phishing. “The biggest financial risk to nonprofits is… wire fraud specifically,” Eshelman said, summarizing incident data Community IT collects across roughly 200 nonprofit clients representing about 8,000 staff.
Why it matters: Eshelman and co‑presenter Anna Zambrano, a tier 2 cybersecurity analyst at Community IT, framed the guidance as practical steps nonprofits can implement even with limited staff and budgets. They stressed that early reporting to law enforcement and banks improves recovery odds and that simple policies and repeatable training deliver outsized risk reduction for smaller organizations.
At the session, Zambrano reviewed the Legal Services Corporation (LSC) contract benefits for grantees: a free annual 45‑minute security‑awareness module plus monthly phishing tests, with Community IT providing monthly aggregate reports to account administrators. “This is free to all LSC grantee organizations,” Zambrano said, describing the expected cadence and the reporting LSC requests.
On technology and controls, Eshelman recommended a layered approach that begins with strong policy and training, then addresses identity, device and perimeter protections. For identity, he recommended implementing phish‑resistant multi‑factor authentication for high‑risk users (executive directors and finance staff), noting hardware tokens and passkeys as practical options: “Phish‑resistant MFA… can basically block that attack because it connects your computer to the authentication attempt.”
Eshelman also urged organizations to maintain a clear inventory of systems and retention requirements so backup and recovery solutions meet organizational and compliance needs. He warned that default cloud retention windows vary and may not satisfy a nonprofit’s record‑retention obligations.
Zambrano described an operational training program that pairs an annual module with monthly phishing tests (one simulated email per staff member per month), quarterly micro‑trainings, and adaptive remediation for repeat clickers. She outlined an on‑platform ‘fake‑factor’ checklist (freeze, analyze, investigate, know) attendees can use to evaluate suspicious emails and advocated verifying requests over alternate channels rather than clicking embedded links.
On incident handling, Eshelman recommended having and testing an incident‑response policy, and promoted a follow‑up tabletop workshop to practice response plans. He said reporting suspected wire fraud quickly to the FBI’s Internet Crimes Complaint Center (IC3) and the organization’s bank improves the chance of recovering stolen funds — “they’re actually effective about maybe 75% of getting that money back” if reported promptly, he said in the session.
Other practical recommendations included using team/business password managers, enabling Windows Hello or other device‑resident authentication, keeping systems patched and rebooted regularly, deploying cloud‑managed endpoint protection, and implementing email authentication (DMARC set to quarantine, DKIM signing) and business‑email‑compromise protections to reduce spoofing.
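The DMARC recommendation above ("set to quarantine") is a DNS setting that is easy to leave in its monitoring-only state. The following is an added example, not code from the session or from Community IT, that parses a DMARC TXT record and reports the weak settings a nonprofit's IT staff should look for (a `p=none` policy, a partial `pct`, an unprotected subdomain policy, or no aggregate-report address). The sample records, including the `example.org` mailbox, are constructed for the example; it checks only the DMARC policy text, not the DKIM signing or SPF alignment that DMARC evaluates.

```python
from typing import Dict, List

# Constructed sample records: the first is the monitoring-only default many domains
# are left at; the second matches the session's "set to quarantine" recommendation.
WEAK_RECORD = "v=DMARC1; p=none"
RECOMMENDED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.org"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings describing weak settings; an empty list means the record
    applies quarantine or reject to all failing mail and collects reports."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {policy!r}")

    # pct defaults to 100 when absent; anything lower leaves a share of failing mail untouched.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")

    # sp inherits p when absent; an explicit sp=none leaves subdomains spoofable.
    subdomain_policy = tags.get("sp")
    if subdomain_policy and subdomain_policy.lower() == "none":
        findings.append("sp=none: subdomains are unprotected")

    # Without rua= the domain owner never sees the aggregate reports that show who is spoofing it.
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to review")

    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("recommended", RECOMMENDED_RECORD)):
        print(f"{label}: {record}")
        for finding in assess_dmarc(record) or ["no findings"]:
            print("  -", finding)
```

To apply this to a real domain, read the TXT record at `_dmarc.<your-domain>` and pass it to `assess_dmarc`; a DMARC policy only bites once the domain's legitimate senders are DKIM-signing or SPF-authorized, so review the `rua` reports before moving from `p=none` to `p=quarantine`.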
The session closed with a reminder that cybersecurity is an ongoing journey, not a one‑time project, and with pointers to Community IT’s downloadable playbook and resources. Eshelman invited attendees to the next morning’s tabletop exercise and to stay after the session for questions and feedback.
