The 2 Most Common Cybersecurity Attacks Your Not-for-Profit Will Want to Avoid– July 30, 2019 by Joe DiFranco

Cybersecurity threats, data breaches and email fraud have become part of the daily headlines, impacting businesses and organizations of all sizes and from all industries. During 2018, an estimated 5 billion records were breached world-wide, costing companies an average of $3.86 million per breach. It’s estimated that over the next two years cybercrime will cost companies and organizations a collective $6 trillion!
In addition to the monetary cost of a data breach, cyberattacks can be even more damaging to not-for-profit entities due to the potential loss of donors and stakeholder confidence. This could impact the ability of an organization to carry out its mission and achieve its goals.
With the growing number of cybercriminals, complexity of attacks and speed in which threats adapt, it may no longer be a question of if your organization’s network will be compromised, but rather when. Below takes a brief look at the different types of popular cyberattacks currently and what steps your not-for-profit can take to best protect itself.

1. Phishing (or Spear Phishing) and Whaling (or C-Level Fraud)

These are cyberattacks that have been around for some time but continue to be a very effective form of attacks used by hackers.
Carried out via email, today’s phishing attempts have grown complex and difficult to detect. Often a hacker will impersonate a known stakeholder, such as a vendor, donor or beneficiary. The hacker will ask the unsuspecting employee for confidential information or money, attempting to appeal to the unsuspecting employee’s willingness to help those in need.
Whaling is very similar to phishing; however, whaling impersonates an organization’s C-level executive. In most cases, these attacks are thoughtfully carried out over a longer period of time, in which the hacker researches the executive before attempting to trick an unsuspecting employee.
The best protection against phishing and whaling attacks is to train employees to be vigilant and aware that these types of schemes are out there. Have a policy in place for what employees should do when unusual email requests are made, even if the email’s sender appears to be known to the organization. Run phishing attack simulations to test and train employees to be on-guard against these attacks.

2. Cryptojacking and Ransomware

These types of attacks are carried out through the use of malicious software that has worked its way onto your network through a network breach.
Cryptojacking is when cybercriminals find a way to secretly access your computer to mine cryptocurrency. Cryptojacking can infect your organization’s website, in turn infecting the computers of your website visitors, or your organization’s computers when someone visits an unknowingly infected website. Once a computer is infected, this bug hijacks its processing power to carry out the secret cryptomining activity, slowing down the computer and network.
Ransomware is an even more invasive type of cyberattack in which hackers gain access to an organization’s network and install malicious encryption software to lockdown and hold your organization’s data hostage until a ransom is satisfied.

How to Protect Your Not-for-Profit Against These Attacks

While cryptojacking and ransomware are the two most common forms of cyberattacks occurring today, below are some key steps to help protect your organization against any cyber threats:

  • Have strong password controls,
  • Actively update anti-virus software,
  • Review firewall and server activity logs,
  • Change default passwords on all network connected devices,
  • Ensure systems are all up-to-date with the most recent security patches,
  • Regularly scan your organization’s computer systems and network for unauthorized devices.
  • Make employees aware of common security threats through training and
  • Properly back up critical data.

Please contact a member of your service team, or contact Joe DiFranco at or Marie Brilmyer at for further discussion.
Cohen & Company is not rendering legal, accounting or other professional advice. Information contained in this post is considered accurate as of the date of publishing. Any action taken based on information in this blog should be taken only after a detailed review of the specific facts, circumstances and current law.