Non-profits and charitable organizations operate under constrained budgets and typically minimal internal IT capacity, while holding donor PII, payment card data on recurring donations, grant funding flows, and beneficiary data. The combination produces a threat surface that is well-known to attackers and poorly resourced by defenders. Charity impersonation scams (attackers posing as legitimate charities to divert donations) and grant funding wire fraud are documented sub-categories of BEC loss.
This is a summary of what LeakTrace consistently observes when scanning small and mid-sized non-profits and charitable organizations in Canada and the United States, written for executive directors, boards, and the commercial insurance brokers and pro-bono cyber consultants supporting the sector.
The typical non-profit cyber breach carries similar downside to a for-profit SMB breach (donor notification obligations, payment card breach costs, potential state attorney general involvement for charitable regulator authority) but with materially less operational capacity to absorb it. A single ransomware incident or wire fraud loss can materially impair mission delivery for years.
Where the exposure concentrates
Email authentication is almost never configured properly
DMARC configuration on the organization's business domain is the exception. The organization's domain can be spoofed to send fake donation requests, fake grant status communications to funders, or fake internal instructions to accounts payable staff.
Donor management platforms hold sensitive data
CRM and donor management platforms (Blackbaud, Salesforce Nonprofit Cloud, Bloomerang, DonorPerfect, Little Green Light) hold donor PII, payment card data, and giving history. Platform compromise cascades to every organization using the platform.
Grant funding wire fraud is a documented BEC vector
Foundation grant disbursements, government grant funding, and major-donor wire gifts create a documented vector for BEC attacks impersonating the funder or the executive director to redirect funds. Loss recovery once wired abroad is rare.
Board member public exposure is unusually high
Non-profit board members are typically discoverable across public disclosure documents (T3010 in Canada, IRS Form 990 in the US), corporate registry filings, and data broker sources. This aggregation is used to construct plausible impersonation attacks against executive directors or accounts payable staff.
What this means, by role
For executive directors and boards
The controls that close the majority of common exposures are boring, cheap, and well-documented. The gap is not knowledge. It is capacity. A forensic audit surfaces the picture. A structured remediation sprint closes it. Continuous monitoring keeps it closed. The cost is materially less than the direct cost of a single wire fraud incident or a donor data breach.
For commercial insurance brokers writing non-profit lines
Underwriters writing non-profit D&O, cyber, and general liability are increasingly requiring email authentication posture and donor platform documentation before quoting. Brokers who surface these gaps before renewal win deeper relationships.
For funders and foundation program officers
Grantors increasingly ask about grantee cyber posture as part of due diligence, particularly for grants above $100K. Program officers who help grantees surface exposure before an incident perform a preventive function for both the grantee and the funder.
The path forward
Small and mid-sized non-profits sit at an inflection. Attacker sophistication targeting charities is rising, cyber insurance underwriting rigor is rising, and funder expectations around cyber posture are rising. Organizations that address exposure early protect their donor trust, their grant capacity, their insurability, and their mission delivery.