AI is changing the landscape of online security, but nonprofits can stay one step ahead! This guide provides steps to empower your team to recognize sophisticated phishing attempts and protect your organization's critical data and donor information.
Remember when phishing emails were easy to spot because they had terrible grammar and obvious spelling mistakes? Those days are gone. AI tools have enabled scammers to create emails that appear and sound completely legitimate, even professional. For nonprofits handling sensitive donor information and operating on tight budgets, falling for one of these sophisticated scams could be devastating.
The important thing to remember is that safeguarding your organization doesn't require deep technical knowledge. A handful of simple habits can empower your entire team to act as your first line of defense!
1. Pause Before You Click
This is your most powerful tool. AI-generated phishing emails often create a sense of urgency: "Your account will be locked in 24 hours!" or "Immediate action required!" These messages want you to panic and click without thinking.
What to do: Take a breath. Legitimate organizations rarely require instant action via email. If something seems urgent, verify it through a different channel like calling the organization directly using a number you look up yourself.
2. Examine the Sender's Email Address Carefully
Modern phishing emails might come from addresses that look almost right, like "support@amaz0n-security.com" instead of the real "amazon.com." AI makes it easier to create convincing fake domains.
What to do: Hover your mouse over the sender's name (don't click!) to see the actual email address. Look for small differences like extra letters, numbers replacing letters, or unusual domain extensions. When in doubt, go directly to the organization's website rather than using links in the email.
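For teams that want to turn the "look for small differences" habit into a repeatable check, here is an added illustration (not code from this post or from RoundTable) that flags sender domains resembling a constructed list of trusted domains. It goes a little beyond the "amaz0n-security.com" case above by also catching swapped extensions, single-character typos and a trusted name used as a subdomain; the rules assume simple two-label domains such as example.com.

```python
"""Heuristic look-alike domain check (added example, not code from the post).
Trusted list and sample addresses are constructed; rules assume simple
two-label domains such as example.com, not example.co.uk."""
import re

# Digits that get swapped in because they read like letters at a glance.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalize(label: str) -> str:
    """Lowercase, map look-alike digits back to letters, drop hyphens/dots/underscores."""
    return re.sub(r"[-._]", "", label.lower().translate(CONFUSABLES))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos such as 'amazom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address: str, trusted: list[str]) -> list[str]:
    """Return reasons the sender's domain resembles a trusted one; [] means no concern."""
    domain = address.rsplit("@", 1)[-1].lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return []  # the real domain, or a genuine subdomain of it (mail.example.com)
    labels = domain.split(".")
    registered, tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (domain, "")
    reasons = []
    for real in trusted:
        real_name, real_tld = real.rsplit(".", 1)
        fake_n, real_n = normalize(registered), normalize(real_name)
        if domain.startswith(real + "."):
            reasons.append(f"{real} is only a subdomain of {domain}")
        elif registered == real_name and tld != real_tld:
            reasons.append(f"unusual extension .{tld} instead of .{real_tld}")
        elif fake_n == real_n:
            reasons.append(f"digits or punctuation stand in for letters of {real}")
        elif real_n in fake_n:
            reasons.append(f"{real_name} is buried in a longer name ({registered})")
        elif edit_distance(fake_n, real_n) == 1:
            reasons.append(f"one character away from {real}")
    return reasons

if __name__ == "__main__":
    trusted_domains = ["amazon.com", "paypal.com"]  # constructed allow-list
    for sample in ["support@amaz0n-security.com", "billing@amazon.com", "help@amazom.com"]:
        print(sample, "->", check_sender(sample, trusted_domains) or ["no warning"])
```

A match from this check is a prompt to verify through another channel, not proof of fraud, and an empty result does not prove an email is safe, since the visible address itself can be forged.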
3. Watch for "Almost Perfect" Language
The tricky part is that AI can now write emails with perfect grammar and a professional tone. But these emails often have subtle oddities like being overly formal when they should be casual, or using generic greetings like "Dear Valued Member" instead of your name.
What to do: Ask yourself, "Does this sound like how this person or organization normally communicates with me?" Trust your instincts if something feels slightly off, even if you can't quite put your finger on why.
4. Verify Unexpected Requests Independently
Did you just receive an email from your "Executive Director" asking you to purchase gift cards? Or a message from a "vendor" requesting a change to payment details? AI makes it incredibly easy for scammers to impersonate people you know.
What to do: Never act on financial requests, password resets, or sensitive information sharing based solely on an email. Pick up the phone and call the person using a number you already have, or walk to their desk if possible. It might feel awkward, but it's worth it.
5. Be Skeptical of Attachments and Links
Even if an email looks legitimate, attachments and links can contain malware or lead to fake login pages designed to steal your credentials.
What to do: Don't open unexpected attachments, even from known contacts. Instead of clicking links, type the website address directly into your browser. For example, if you get an email about your bank account, go to your bank's website directly rather than clicking the email link.
6. Look for Personalization (or Lack Thereof)
While AI can personalize emails, many phishing campaigns still use generic templates. Real emails from organizations you work with usually reference specific details about your account or recent interactions, and they use your actual name.
What to do: Be suspicious of vague emails that could apply to anyone. Legitimate organizations usually have specific information about you in their systems.
Building a culture of security is easier when everyone is learning together. That’s why we created The Best Free One-Hour Cybersecurity Awareness Training Ever!
In Tater & Stache in: Ctrl-Alt-Escape the Training, you or your team will learn how to spot AI-crafted phishing emails, recognize deepfakes, and respond to modern cyber threats. Journey through a fun, engaging, and nonprofit-focused experience built to make you (and your organization) prepared to defeat the hackers!
If you’re looking for a tangible way to reinforce the habits outlined above and empower your staff to be your first line of defense, this FREE webinar is a great next step.
Cyber threats are evolving, but your nonprofit doesn’t have to face them alone. Schedule a brief discovery call to learn how RoundTable can help you strengthen your security posture and protect the data that matters most.