
Security Basics for Small Charities

Criminals target small nonprofits because they’re small: one shared password, no IT staff, and a bank account that donors trust. A hacked charity can lose its email, its website, its donor list, and its reputation in one afternoon. The good news: four unglamorous habits stop most of it.

1. Turn on multi-factor authentication (MFA) — everywhere, today

MFA (a code from your phone, or a security key, in addition to your password) stops the vast majority of account-takeover attacks, including ones where your password has already leaked. An authenticator app or a hardware key is stronger than a text-message code, but any MFA beats none. Priority order:

  1. Email accounts (Microsoft 365 / Google) — the keys to everything else
  2. Bank and payment accounts (including Zeffy/PayPal)
  3. Social media accounts
  4. Anything holding donor data

In Microsoft 365, “Security defaults” (Entra admin center → Identity → Overview → Properties → Manage security defaults) turns MFA on tenant-wide: every user must register for MFA, admins must use it on every sign-in, and the old “legacy authentication” protocols that skip MFA entirely are blocked. If FFC set up your M365 email, ask us to confirm it’s enabled.

2. Use a password manager — and stop sharing passwords by text

  • One strong, unique password per site, generated and remembered by the manager (Bitwarden has a free tier that fits most charities; 1Password offers nonprofit discounts).
  • Shared accounts (the info@ mailbox, social media) go in a shared vault — not in a spreadsheet, not in a group text.
  • When a volunteer or staff member leaves, remove their vault access the same day and change every shared password they could see. The vault makes this a ten-minute chore instead of a forgotten risk.

3. Recognize the two frauds aimed at charities

  • Impersonation/BEC: an email that looks like your director asking the treasurer to “quickly pay this invoice”, change a supplier’s bank details, or buy gift cards. Rule: any money request or bank-detail change gets verified by voice on a number you already have (never one taken from the email itself) — no exceptions, including (especially) urgent ones.
  • Overpayment “donations”: a stranger donates by check, then asks for a partial refund “by mistake”. The check bounces after you’ve refunded, and a deposited check can still be reversed days or weeks later. Never refund any part of a payment until the funds have fully cleared, and let your payment processor handle refunds and disputes rather than paying a stranger directly.

4. Keep your domain and website out of hostage situations

Expired domains and lone-admin DNS accounts are how charities lose their web presence permanently. FFC’s model removes this class of risk for supported charities: we keep registrations renewed, DNS locked down in Cloudflare with MFA on the account, and sites on static hosting with no server of your own to patch or break into (see who controls the domain). If your domain is not with us yet and renewals depend on one person’s memory and credit card, fix that this week: turn on auto-renew with an organizational card, enable the registrar’s transfer lock, and make sure at least two people can log in to the registrar and DNS accounts.

If you think you’ve been compromised — the first hour

  1. Reset the password first, then revoke sessions on the affected account from a known-clean device (in M365: admin center → user → Sign out of all sessions). Resetting alone is not enough: a signed-in attacker keeps working until their sessions are revoked. Turn MFA on for that account if it wasn’t already.
  2. Check the mailbox for two kinds of forwarding — mailbox-level forwarding set in the account settings, and inbox rules that forward, redirect, or quietly delete mail — and remove any you didn’t create. Attackers add silent forwards and delete-rules to keep reading your mail (and hide their own messages) after you change the password.
  3. Tell your bank immediately if any payment info or invoice could have been touched.
  4. Tell FFC (contact page) — we can lock DNS, check the website, and help you assess what was reached.
  5. Tell the people affected honestly once you know the scope — donors forgive breaches; they don’t forgive cover-ups.
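For an admin who wants to do steps 1 and 2 in one sitting rather than clicking through two portals, here is an added example script (it is not FFC’s tooling and is not part of the original checklist). It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, that the operator has Global or Exchange admin rights, and that it is run from a known-clean machine; the user name in the usage line is a placeholder.

```powershell
<#
  Added example: first-hour triage of one compromised Microsoft 365 mailbox.
  Assumes modules Microsoft.Graph and ExchangeOnlineManagement are installed
  and the operator is an admin. Reset the user's password in the admin center
  BEFORE running this, otherwise the attacker can simply sign in again.
  Usage:  .\Triage-Mailbox.ps1 -UserPrincipalName treasurer@example.org   (placeholder address)
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: invalidate every session and refresh token the attacker already holds.
# A password reset alone leaves existing sessions working until they expire.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
Write-Host "[+] Sessions revoked for $UserPrincipalName"

# Step 2a: mailbox-level forwarding (set in account settings, invisible in Outlook rules).
$mbx = Get-Mailbox -Identity $UserPrincipalName
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwards to: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    # Clear it; -Confirm prompts so an operator can stop if the forward is legitimate.
    Set-Mailbox -Identity $UserPrincipalName `
        -ForwardingSmtpAddress $null -ForwardingAddress $null `
        -DeliverToMailboxAndForward $false -Confirm
}
else {
    Write-Host "[+] No mailbox-level forwarding"
}

# Step 2b: inbox rules that forward, redirect, or silently delete/hide mail.
$rules = Get-InboxRule -Mailbox $UserPrincipalName
$suspect = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
if ($suspect) {
    Write-Warning "Suspicious inbox rules on $UserPrincipalName:"
    $suspect | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage -AutoSize
    foreach ($r in $suspect) {
        # Prompts per rule; a rule the user genuinely created can be kept.
        Remove-InboxRule -Identity $r.Identity -Confirm
    }
}
else {
    Write-Host "[+] No forwarding/redirect/delete inbox rules"
}

# Bonus sweep: any OTHER mailbox in the tenant that forwards outward. An attacker with
# admin rights sometimes sets forwarding on several accounts, not just the one noticed.
Write-Host "[*] Tenant-wide mailbox forwarding:"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Every removal prompts for confirmation on purpose: a charity often has legitimate rules (an info@ mailbox that forwards to a volunteer, for example), and the goal of the first hour is to see and cut the attacker’s persistence, not to delete the organization’s working configuration. Save the warning output before you remove anything; it is your evidence of what the attacker set up and where mail was being sent.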

Want a volunteer to walk your org through this checklist? Ask us — a one-hour security session is one of the highest-value things we do with charities.