How to Spot and Stop Scam Emails
Cybercriminals increasingly target nonprofits because our missions, public contact info, and collaborative nature make us approachable—and, at times, hurried. A single mistaken click can expose contacts, compromise accounts, or waste precious staff time. Here’s what to know and what to do.
Current Alert: Phishing Emails Targeting Nonprofits
Phishing Alert for Nonprofits
We want to make you aware of phishing emails currently circulating within our nonprofit community. These messages often arrive with subject lines such as:
- “Invitation to Bid”
- “Bid Submission from [NAME] Available for Review”
- “RFP Proposal from [NAME] Available for Review”
These emails are fraudulent and should be deleted immediately.
If you ever need to confirm whether an email is legitimate, the best practice is to contact the sender using a new, separate email (do not reply directly) to verify.
Several nonprofits have already been affected. While this scam is primarily an inconvenience, it serves as an important reminder to stay vigilant. Taking a moment to double-check helps protect your organization and our broader nonprofit network.
Thank you for helping safeguard our shared community.
How to Recognize a Phishing Email (Quick Checklist)
- Sender mismatch: The “From” name looks familiar, but the email address is off (extra letters, wrong domain, or free email service).
- Unexpected attachments/links: PDFs, ZIPs, or “View Document” buttons you weren’t expecting.
- Urgency or pressure: “Act now,” “final notice,” or “your account will be closed.”
- Generic greetings: “Hello user/member” instead of your name or organization.
- Spelling/formatting oddities: Slight misspellings of brands, awkward grammar, logo look-alikes.
- Link mismatch: Hover over links (without clicking) to preview the URL—if it doesn’t match the stated destination, it’s unsafe.
- Unusual requests: Gift cards, wire transfers, invoices for things you didn’t order, or requests for passwords/multi-factor codes.
- Reply-To tricks: The reply address changes to a different domain once you hit “Reply.”
- Impersonation of leaders/partners: Looks like it’s from your ED, board chair, or a known vendor—but the address is wrong.
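As an added illustration of the checklist above (example code, not part of the original notice), the script below applies several of these checks to a constructed .eml message modelled on the "RFP Proposal" lure: a subject line from the alert, a Reply-To domain that differs from the From domain, a generic greeting, urgency wording, and link text that points to a different host than its target. All addresses and domains in the sample are invented.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the "RFP Proposal" lure described above;
# every address and domain here is invented for the example.
SAMPLE_EML = """From: "Example Foundation Grants" <grants@example-foundation-support.net>
Reply-To: review@bid-docs-portal.example
To: staff@example-nonprofit.org
Subject: RFP Proposal from Example Foundation Available for Review
Content-Type: text/html

<p>Hello user, act now: the document expires today.</p>
<p><a href="http://bid-docs-portal.example/view">https://example-foundation.org/rfp</a></p>
"""

ALERT_SUBJECTS = ("invitation to bid", "bid submission from", "rfp proposal from")
URGENCY = ("act now", "final notice", "account will be closed")
GENERIC = ("hello user", "hello member", "dear member")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()

def phishing_flags(raw_eml):
    """Return the checklist items a message trips, as short tags (empty list if none)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    flags = []
    subject = (msg["Subject"] or "").lower()
    if any(p in subject for p in ALERT_SUBJECTS):
        flags.append("subject-matches-alert")
    sender = msg["From"].addresses[0] if msg["From"] else None
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    # Reply-To trick: hitting "Reply" would send mail to a different domain than the sender's.
    if sender and reply_to and domain_of(sender.addr_spec) != domain_of(reply_to.addr_spec):
        flags.append("reply-to-domain-mismatch")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = re.sub(r"<[^>]+>", " ", body).lower()  # crude tag stripping for keyword checks
    if any(p in text for p in GENERIC):
        flags.append("generic-greeting")
    if any(p in text for p in URGENCY):
        flags.append("urgency-language")
    # Link mismatch: the visible text looks like a URL but the href goes to another host.
    for href, visible in LINK_RE.findall(body):
        shown = urlparse(visible.strip())
        if shown.netloc and shown.netloc.lower() != urlparse(href).netloc.lower():
            flags.append("link-text-host-mismatch")
    return flags
```

A message that trips several of these tags at once is exactly the kind to verify out of band rather than answer.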
Safe Habits That Prevent Compromise
- Verify out of band: Start a new email or call a known number to confirm anything that seems off. Do not reply to the suspicious message.
- Pause before you click: Hover to check URLs; when in doubt, visit the site directly by typing it into your browser.
- Never share credentials: No legitimate sender will ask for your password or MFA code via email.
- Use MFA on key accounts: Email, donor CRM, banking, and file storage should all have multi-factor authentication enabled.
- Keep devices updated: Apply security updates for your operating system, browser, and antivirus.
- Segment duties: Require a second approver for payments or vendor changes to catch fraud before money moves.
If You Clicked or Replied—Do This Now
- Contain the risk: If you opened an attachment that seemed malicious, close it and disconnect from Wi-Fi until the device has been scanned by IT.
- Change your email password immediately (and any accounts using the same or similar password).
- Turn on/refresh MFA for your email and other critical systems.
- Run a full malware scan on your device.
- Alert your team or IT provider so they can watch for look-alike emails from your account and update filters.
- Review recent account activity (sent mail, inbox rules/forwarders, login history) and remove anything you didn’t set up.
How to Report and Help Protect Others
- Delete the message from your inbox and Trash.
- Forward the email as an attachment (.eml) to your organization’s IT support or internal contact so they can block similar attempts.
- Notify peers if needed (briefly, no sensitive details) so they can warn their teams.
Sample Internal Note You Can Share With Staff