When it comes to cybersecurity, associations and nonprofits often think they’re flying under the radar. But the truth is—they’re not. Hackers love organizations that rely heavily on email, store sensitive member or donor data, and don’t always have big IT budgets. That’s why attacks like Business Email Compromise (BEC), Account Takeover (ATO), and ransomware are increasingly hitting mission-driven organizations.
In this Vortacity (Cyber for Associations) blog post we break down what these threats are, how they’re connected, and why associations and nonprofits should be paying close attention.
📨 What Is Business Email Compromise (BEC)?
BEC is when a cybercriminal tricks someone into doing something harmful—like wiring money or sharing sensitive data—by pretending to be someone trustworthy (like your CEO, a vendor, or a board member). It’s social engineering with a professional twist, and it’s incredibly effective.
Think of it as a scam that looks legit because it lands in your real inbox, sometimes even from a real person in your organization. The FBI tracks these cases closely: Business Email Compromise | FBI
🔐 What Is Account Takeover (ATO)?
ATO happens when attackers get access to a real user’s email account—usually through stolen passwords, phishing, or credential stuffing. Once inside, they can snoop, steal data, and impersonate that person to trick others (cue the BEC).
These attacks are sneaky because they’re not just spoofed emails—they’re coming from real accounts. Because the messages genuinely originate from the legitimate mailbox, they often pass spam filters and sender-authentication checks and don’t raise red flags.
Varonis breaks it down well: How to Identify and Investigate BEC Scams
🔄 How BEC + ATO Can Lead to Ransomware
Here’s where things really escalate. Once a bad actor gains access to someone’s email (ATO), they can use that to launch a BEC scam. But that’s not always where it ends. Increasingly, attackers use that access to move deeper into the network—sometimes planting ransomware along the way.
According to the 2024 Microsoft Digital Defense Report, ransomware is still a top threat—especially when tied to email-based access. And unmanaged devices? They’re often the point of entry.
“Increases in human-operated ransomware and initial access activity underscore the importance of monitoring identity and endpoint posture.” — Microsoft Digital Defense Report 2024
⚠️ Why This Matters to Associations & Nonprofits
You might be thinking: “We’re a membership org, not a big corporation. Why would they target us?”
Here’s why:
- Associations run on trust. That makes it easier for attackers to exploit staff, volunteers, and members with urgent-sounding, fake emails.
- Nonprofits collect sensitive data. Donor info, membership records, event registrations—these are gold mines for cybercriminals.
- Resource constraints. Smaller orgs often lack the IT tools and staffing to detect or respond to threats quickly.
And yes, this is happening in our space.
📍 Real Example: Charities Hit by Ransomware
In 2023, a data breach hit a company called Evide, which managed sensitive data for about 140 nonprofits across the UK and Ireland. Multiple charities—like One in Four, which supports survivors of abuse—were affected, and thousands of personal records were exposed.
Check it out here: Evide Data Breach (Wikipedia)
This kind of ripple effect shows why even indirect email compromises can have devastating impacts across the association and nonprofit ecosystem.
🛡️ How to Protect Your Org
The good news? There are affordable, manageable steps associations and nonprofits can take right now:
✅ Turn on MFA (Multi-Factor Authentication) – For every user, especially on email and cloud tools.
✅ Use strong, unique passwords – And encourage the use of password managers.
✅ Train your team – Make sure staff and volunteers know how to spot phishing and fraud.
✅ Lock down email authentication – SPF, DKIM, and DMARC make it harder for attackers to spoof your domain.
✅ Have an incident response plan – Know what you’ll do if something goes wrong.
If you want a deeper dive, Varonis has a great resource on securing your domain: Stop Email Spoofing with DMARC, SPF, and DKIM
🧩 How Vortacity Helps
At Vortacity, we work with associations and nonprofits every day to shore up defenses before these kinds of attacks happen. Whether it’s email security audits, recommending training tools, relationships with top MSPs, deploying MFA, attack path mapping, or monitoring for account compromise, we’ve got your back.
Let’s keep your mission safe from cybercriminals—because your cause deserves nothing less.
Want to see how your org stacks up? Let’s chat.
A quick security check could save your association from major headaches down the road.