Cyber and financial fraud is rising — Is your not-for-profit ready?
Cyber and financial fraud against not-for-profits surged 30% in 2024. With outdated systems and growing cyber threats, your organization may be more vulnerable than you think. Here’s what to know.
Not-for-profit (NFP) organizations face rising levels of cyber and financial fraud. According to Integrity360, cyberattacks against not-for-profits rose by 30% in 2024. Despite serving vital missions, these organizations are often perceived as easier targets due to limited resources, reliance on volunteers, outdated systems, and minimal cybersecurity infrastructure.
Fraud doesn't just compromise sensitive data or weaken donor trust – it threatens the very mission NFPs exist to fulfill. That's why NFPs need to empower their organization with strong internal controls, proactive cybersecurity strategies, and a culture of vigilance that protects their operations from the inside out.
Understanding the threat: Occupational, cyber, and third-party fraud
Fraud is an intentional deception to secure unlawful gain through dishonesty, misrepresentation, or manipulation. In the not-for-profit space, fraud generally falls into three categories:
- Occupational fraud: Often believed to be perpetrated by employees (fake vendors, payroll fraud, asset misappropriation), but the introduction of cyber has opened occupational fraud to anyone with access to the internet.
- Cyber fraud: Encompasses hacking, phishing, ransomware, and business email compromise.
- Third-party fraud: Involves compromised vendors or external contacts manipulating payment processes.
According to the Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations, organizations lose an estimated 5% of their annual revenue to fraud. For not-for-profits, the median loss per incident is $76,000 – about half the median loss experienced by for-profit entities – with 32% of fraud cases attributed to poor internal controls and 19% to overrides of existing controls.
Why not-for-profits are high-risk targets
Many not-for-profits are cyber poor and target rich. They often store sensitive donor and beneficiary data but lack their for-profit peers' budget, staffing, or technology infrastructure.
Common vulnerabilities include:
- Outdated systems and software
- Infrequent or nonexistent fraud awareness training
- Unmanaged remote access
- Poor vendor verification protocols
- No formal or tested incident response plan
According to the IBM Security Cost of a Data Breach Report 2024, 55% of data breaches are caused by malicious actors rather than accidents, and nonprofits are increasingly caught in the crossfire.
The real-world cost of cybercrime
IBM’s report also found the following:
- $9.36 million: Average cost of a data breach in the U.S.
- 194 days: Average time it takes to detect a breach (dwell time)
- 264 days: Average time to evict a threat actor after detection
- $143–$543 per record: Cost for organizations that manage sensitive health or consumer data.
These statistics highlight just how long and costly a breach can be. One not-for-profit health center lost $2.4 million in fraudulent wire transfers due to a business email compromise before discovering the issue.
Internal controls that make a difference
To effectively mitigate fraud risk, not-for-profits must implement a strong internal control environment, including:
- Segregation of duties
- Verified dual authorization (never through email)
- Formal policies for vendor and payee changes
- Frequent testing of those controls
What is positive pay?
Positive Pay allows organizations to submit an approved list of checks to their bank to prevent unauthorized transactions. However, this tool only works if properly configured. In one case, a nonprofit paid for the service but suffered a fraud loss because the bank never activated it. Regular testing is essential – don't assume it's working unless you verify it.
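To make the mechanism concrete, here is an added example (not code from the article or from CohnReznick) of the matching a bank performs under Positive Pay: the organization's issue file is compared against checks presented for clearing, and anything that does not match is returned as an exception to pay or return. The check data, payee names and amounts are constructed samples; payee matching reflects the "payee positive pay" variant that some banks offer, and the `service_active` flag models the failure described above, where the service was paid for but never switched on.

```python
"""Positive-pay exception matching (added illustration with constructed data)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    payee: str
    amount: Decimal


# Constructed issue file: the checks the finance team actually wrote.
ISSUE_FILE = [
    Check(1001, "Acme Office Supply", Decimal("412.50")),
    Check(1002, "City Power & Light", Decimal("1890.00")),
    Check(1003, "Jane Doe", Decimal("250.00")),
]

# Constructed presentment file: what the bank received for clearing.
PRESENTED = [
    Check(1001, "Acme Office Supply", Decimal("412.50")),   # clean match
    Check(1002, "City Power & Light", Decimal("8190.00")),  # amount altered
    Check(1003, "John Smith", Decimal("250.00")),           # payee altered
    Check(1004, "Unknown Vendor", Decimal("5000.00")),      # never issued
    Check(1001, "Acme Office Supply", Decimal("412.50")),   # presented twice
]


def match_presented(issued, presented, service_active=True):
    """Split presented checks into (to_pay, exceptions).

    Each exception is a (check, reason) pair. If the service was never
    activated at the bank, nothing is compared and every item would clear,
    so the function refuses to pretend otherwise.
    """
    if not service_active:
        raise RuntimeError("positive pay is not active: every item would pay unchecked")

    issued_by_number = {c.number: c for c in issued}
    seen_numbers = set()
    to_pay, exceptions = [], []
    for item in presented:
        expected = issued_by_number.get(item.number)
        if expected is None:
            exceptions.append((item, "not in issue file"))
        elif item.number in seen_numbers:
            exceptions.append((item, "duplicate presentment"))
        elif item.amount != expected.amount:
            exceptions.append((item, f"amount {item.amount} != issued {expected.amount}"))
        elif item.payee != expected.payee:
            # Payee comparison is the payee positive-pay variant; basic
            # positive pay checks only number and amount.
            exceptions.append((item, f"payee {item.payee!r} != issued {expected.payee!r}"))
        else:
            to_pay.append(item)
        seen_numbers.add(item.number)
    return to_pay, exceptions


if __name__ == "__main__":
    paid, flagged = match_presented(ISSUE_FILE, PRESENTED)
    print("cleared:", [c.number for c in paid])
    for check, reason in flagged:
        print(f"exception #{check.number}: {reason}")
```

The point of the `service_active` guard is the article's own caveat: the comparison is only protective if it actually runs. A periodic test (present a deliberately mismatched item through the bank's test facility, or review the exception report for an expected exception) is how you verify that, rather than assuming it from the invoice.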
Cybersecurity gaps you can't ignore
Business Email Compromise (BEC)
- BEC is one of the fastest-growing cyber threats. Fraudsters gain access to internal email accounts and send legitimate-looking requests to staff for wire transfers or vendor changes. Banks and tools like Positive Pay can't stop this fraud if internal authorization protocols are followed blindly. Beyond redirecting funds, BEC incidents often also constitute a data breach for the organization, creating legal obligations that must be addressed even if no money is lost.
Microsoft 365 misconfiguration
- Microsoft 365 includes over 120 security settings, but most are disabled by default. Many IT departments are only familiar with a small subset, leaving organizations unknowingly exposed. A full assessment and configuration review are critical to reduce risk.
Third-party risk
- Threat actors may not attack you directly, but they may breach a vendor, impersonate them, and reroute payments. Due diligence with third-party providers is a must. Supply chain risk is cybersecurity risk.
Creating a culture of vigilance
Fraud prevention is an organizational mindset. Start with these best practices:
- Provide fraud awareness and phishing training. According to the ACFE 2024 Report to the Nations, organizations that implemented this type of training reduced the duration of fraud by up to 62%.
- Conduct annual fraud and cyber risk assessments
- Enforce audit trails in financial systems to track edits to recorded transactions
- Monitor for excessive and unusual journal entries in control accounts
- Immediately revoke access for employees or volunteers who exit
- Include HR, Finance, Legal, and IT in your incident response planning
- Test your response plan; don't let it gather dust
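Three of the practices above (audit trails on recorded transactions, watching for unusual journal entries in control accounts, and revoking access when people leave) can be checked mechanically against a ledger export. The following is an added example, not code from the article or from any accounting system: the control-account names, the threshold of three manual entries per user per month, the user exit date, and the journal and audit-trail rows are all constructed for illustration, and a real implementation would read them from the finance system's export instead.

```python
"""Simple ledger monitoring over constructed data (added example)."""
from collections import Counter
from datetime import date

# Constructed configuration: which accounts count as control accounts,
# how many manual entries per user per month is "excessive", and
# which users have left (user -> exit date).
CONTROL_ACCOUNTS = {"1000-Cash", "1200-Accounts Receivable", "2000-Accounts Payable"}
MAX_MANUAL_ENTRIES_PER_USER_MONTH = 3
TERMINATED_USERS = {"vol.smith": date(2024, 3, 15)}

# Constructed ledger export: (entry_id, posted_on, account, user, amount, source)
JOURNAL = [
    ("JE-101", date(2024, 3, 1), "1000-Cash", "a.lee", -1500.00, "system"),
    ("JE-102", date(2024, 3, 2), "2000-Accounts Payable", "a.lee", 750.00, "manual"),
    ("JE-103", date(2024, 3, 5), "2000-Accounts Payable", "a.lee", 1200.00, "manual"),
    ("JE-104", date(2024, 3, 9), "2000-Accounts Payable", "a.lee", 980.00, "manual"),
    ("JE-105", date(2024, 3, 12), "2000-Accounts Payable", "a.lee", 4300.00, "manual"),
    ("JE-106", date(2024, 3, 20), "1000-Cash", "vol.smith", -600.00, "manual"),
    ("JE-107", date(2024, 3, 21), "5000-Program Expense", "b.ng", 300.00, "manual"),
]

# Constructed audit trail: (entry_id, changed_on, user, field, old_value, new_value)
AUDIT_TRAIL = [
    ("JE-103", date(2024, 3, 6), "a.lee", "amount", 1200.00, 12000.00),
    ("JE-107", date(2024, 3, 21), "b.ng", "memo", "", "receipt attached"),
]


def flag_post_recording_edits(journal, audit_trail,
                              monitored_fields=("amount", "account", "payee")):
    """Edits to money-relevant fields made after the entry was recorded."""
    posted_on = {eid: d for eid, d, *_ in journal}
    findings = []
    for eid, changed_on, user, field, old, new in audit_trail:
        if field in monitored_fields and eid in posted_on and changed_on > posted_on[eid]:
            findings.append(f"{eid}: {field} changed {old!r} -> {new!r} by {user} after posting")
    return findings


def flag_excessive_manual_entries(journal, limit=MAX_MANUAL_ENTRIES_PER_USER_MONTH):
    """Users making more manual entries to a control account in a month than the limit."""
    counts = Counter()
    for _eid, posted, account, user, _amount, source in journal:
        if source == "manual" and account in CONTROL_ACCOUNTS:
            counts[(user, account, posted.year, posted.month)] += 1
    return [
        f"{user}: {n} manual entries to {account} in {y}-{m:02d} (limit {limit})"
        for (user, account, y, m), n in counts.items() if n > limit
    ]


def flag_terminated_user_activity(journal, terminated=TERMINATED_USERS):
    """Entries posted under an account that should have been revoked."""
    return [
        f"{eid}: posted by {user} on {posted} after exit date {terminated[user]}"
        for eid, posted, _account, user, *_ in journal
        if user in terminated and posted > terminated[user]
    ]


def run_all(journal=JOURNAL, audit_trail=AUDIT_TRAIL):
    """Run every check and return the findings grouped by check."""
    return {
        "edits_after_posting": flag_post_recording_edits(journal, audit_trail),
        "excessive_manual": flag_excessive_manual_entries(journal),
        "terminated_user": flag_terminated_user_activity(journal),
    }


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(f"[{check}] {len(findings)} finding(s)")
        for line in findings:
            print("   ", line)
```

On the sample data this surfaces an amount edit to JE-103 the day after it was posted, four manual accounts-payable entries by one user in a month against a limit of three, and a cash entry posted by a volunteer five days after their exit date. The memo edit to JE-107 is deliberately not flagged: the value of an audit trail is in reviewing changes that move money, not every keystroke.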
When IT isn't enough: Rethinking outsourcing
A poll during our webinar, “Fraud risk management for not-for-profits: Protect your mission”, found that about 42% of not-for-profits outsource their IT, but many mistakenly assume that includes cybersecurity. Most managed service providers (MSPs) focus on help desk tasks and operations, not threat prevention. Their business model – flat monthly fees – often discourages proactive security work.
If you outsource:
- Audit what your MSP is doing for cyber
- Ask for documentation of security controls
- Engage a third-party to review and test your cybersecurity setup
As cybersecurity becomes more complex, it demands specialization. Healthcare providers, including specialized clinics, have experienced significant financial losses due to cyberattacks, highlighting the vulnerability of the sector.
Final thoughts: Reduce risk, safeguard your mission
Fraud can’t be eliminated, but it can be contained, mitigated, and managed. Today's IT systems are global doors to your organization. You must build friction into those doors: internal controls, authentication layers, external testing, and continuous monitoring. What's at stake is your credibility, relationships, and mission. Protect what matters, build with intention, and stay vigilant.

Nicole Stan