Matthew Eshelman, chief technology officer at Community IT, told nonprofit IT professionals that the “biggest financial risk to nonprofits is ... wire fraud specifically,” and urged organizations to focus on preventing account compromise and spear‑phishing attacks.
Eshelman and Anna Zambrano, a tier‑2 cybersecurity analyst at Community IT, framed their session as a step‑by‑step roadmap for nonprofits: establish clear IT and data‑privacy policies (including an AI acceptable‑use policy), run ongoing security‑awareness training, protect digital identities, ensure reliable backups and deploy basic perimeter and endpoint protections.
Why it matters: Eshelman said small and mid‑sized nonprofits are attractive targets because attackers can monetize account compromise through gift‑card scams, payroll fraud and fraudulent ACH updates. He cited 2023 fraud figures in the session (as given in the transcript: a global total of “1000000000000 dollars,” i.e., $1 trillion, and U.S. consumer losses of $8,800,000,000, i.e., $8.8 billion) and urged rapid reporting to the FBI’s Internet Crime Complaint Center (IC3), which he said can sometimes recover funds if notified promptly.
Training and reporting: Zambrano described the Legal Services Corporation (LSC) training available to grantees under the LSC contract: an annual 45‑minute required module, monthly phishing tests and monthly aggregated reports that Community IT sends to organizational admins (and to LSC). She noted a technical limitation of the KnowBe4 platform: enrolled accounts generally must use the organization’s primary domain, which can complicate adding third‑party board email addresses.
Practical controls recommended: Eshelman emphasized phish‑resistant multifactor authentication (FIDO keys or platform passkeys) for executive and finance accounts, use of a centrally managed password manager for unique credentials, regular device patching and cloud‑managed endpoint protection (e.g., Microsoft Defender or SentinelOne), and robust email controls (spam/anti‑phishing gateways plus DMARC and DKIM for outbound mail validation).
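The DMARC recommendation above is only as strong as the published policy: a record with `p=none` merely reports spoofing, while `p=reject` (with `pct=100`) actually blocks it. The following is an added example, not code from Community IT or the session; it parses DMARC TXT records and flags common weak settings. The domains and records are constructed for illustration, and in practice the record would be fetched from DNS at `_dmarc.<domain>` rather than from the inline dictionary.

```python
"""Parse DMARC TXT records and classify how much protection they provide."""
from typing import Dict, List

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "example-weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example-partial.test",
    "example-strong.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example-strong.test",
    "example-missing.test": "",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into tag/value pairs; tags are lower-cased."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Dict[str, object]:
    """Return policy, enforcement percentage, whether it enforces, and findings."""
    findings: List[str] = []
    tags = parse_dmarc(record)

    # A record that does not start with v=DMARC1 is not a DMARC record at all.
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "pct": 0, "enforcing": False,
                "findings": ["no valid DMARC record (missing v=DMARC1)"]}

    policy = tags.get("p", "").lower()
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown or missing policy tag p={policy!r}")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if tags.get("adkim", "r").lower() == "r" and tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed DKIM and SPF alignment (default); strict is tighter")

    # Only quarantine/reject applied to 100% of failing mail counts as enforcing.
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"policy": policy, "pct": pct, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        status = "ENFORCING" if result["enforcing"] else "NOT ENFORCING"
        print(f"{domain}: {status} (p={result['policy']}, pct={result['pct']})")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the module prints one line per constructed domain; only the `p=reject` record with `pct=100` is reported as enforcing, which is the state a nonprofit's outbound-mail domain should reach before DMARC is counted as a deployed control.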
Remediation and measurement: Presenters recommended monthly phishing tests with targeted remedial training for repeat clickers, and described an escalating series of short, interactive remediation modules. Zambrano introduced a simple decision aid she called the “fake factor” framework (Freeze, Analyze, Investigate, Know/No) to help staff evaluate suspicious messages.
Resources and next steps: Community IT made a downloadable "cybersecurity readiness for nonprofits" playbook available via QR code, and promoted a follow‑up tabletop workshop to test incident‑response plans. Eshelman advised organizations to align backup retention to legal and operational needs (noting default cloud retention windows cited in the session: Office 365 ~90 days; Google ~30 days) and to assign executive ownership of IT risk even when operations are outsourced.
The presenters closed by encouraging attendees to prioritize high‑impact, low‑complexity fixes first (for example, disk encryption and basic email controls) and to progress toward more complex changes such as organization‑wide phish‑resistant MFA.