
Imagine you fundraise to build housing for people who are homeless. You became a passionate advocate after seeing rental prices skyrocket along with the number of people living in tents on cardboard under highway overpasses. After months of hard work you secure $650,000 to pay building developers to design the blueprints for new affordable housing units that will house many families in need. The developers ask to receive the funds in three separate payments, which you send. Then you schedule a meeting to kick off the vision and ideation stage. At the meeting, you feel like celebrating when you say, “Great! And now you’re all paid!” To which they respond, “No, we haven’t received anything,” and your heart sinks.
It was this kind of nightmare that Sherry Williams, executive director of One Treasure Island, faced in January of 2021 (Asimov, 2022). She and her team were victims of a phishing scam where they accidentally sent $650,000 into a hacker’s account after believing the hacker’s email with payment instructions had come from their housing development partners.
How common is it to fall for these kinds of scams? More common than you might think. A report by Nonprofit Tech For Good stated that 27% of nonprofit organizations worldwide fell victim to a cyber-attack in 2023. Breaches like these don’t just threaten your funding; if bad actors access your databases or web services, they can sell sensitive data while eroding your community’s trust. Or they can shut down your digital infrastructure and completely halt your digital organizing.
Unions, nonprofits, and foundations are particularly susceptible to these attacks because cybersecurity can be expensive, and these organizations often rely on teams of volunteers and overworked staff who don’t have time to dedicate to the problem. But no matter your budget, we believe you deserve straightforward advice about how to become cyber secure. We’ve written this article hoping to help you on your journey.
Want to learn the details of a few threat scenarios? Start with How Hackers Steal From Unions and Nonprofits. Or jump to Cybersecurity Best Practices for WordPress to get into the thick of it. And if you read a term that’s new to you, you might find its definition in our Glossary of Cybersecurity Terms.
Table of Contents
- How Hackers Steal Funds From Unions And Nonprofits
- When Hackers Steal Sensitive Data And Erode Your Community’s Trust
- When Hackers Ransom Your Hardware And Stop Your Campaign Cold
- Cybersecurity Best Practices for WordPress
- 7 steps to secure your WordPress website
- Test your team’s vulnerability to phishing scams
- Choose plugins that are actively supported, and update them often
- Resolve issues in the Site Health Status tool
- Install a security plugin to take care of common threats
- Enable Two-Factor Authentication (2FA) and use User Roles
- Pick a hosting service that is communicative, secure and responsive
- Protect your site from spam
- Glossary Of Cybersecurity Terms
How Hackers Steal Funds From Unions And Nonprofits
Williams of One Treasure Island is not the first nor the only person to fall victim to a phishing scam.
- In 2018, the Save the Children Federation fell victim to a sophisticated email scam that tricked the organization into sending nearly $1 million to a fraudulent entity in Japan. The hackers, posing as an employee, compromised an email account and created fake documents, directing funds supposedly for solar panels for Pakistani health centers (Wallack, 2018).
- In 2020, Philabundance, a Philadelphia-based food bank, lost $1 million to malicious actors who sent a fake invoice to the organization (Brandt, 2020).
Let’s dive into the details of the One Treasure Island scam to expose the techniques hackers used to defraud these organizations.
Hacking the Bookkeeper’s Email
The scam that hit One Treasure Island started when hackers stole access to their bookkeeper’s email. While we don’t know exactly which method they used to get access, there are a number of methods they could have used. Here are a few:
- Guessing the bookkeeper’s password or security questions, also known as a brute force attack.
- Finding the bookkeeper’s credentials that were leaked elsewhere and then trying them on their email, also called credential stuffing.
- Stealing the bookkeeper’s credentials while they work at a coffee shop using a man-in-the-middle attack.
However the hacker stole the bookkeeper’s credentials, they then moved to the next step.
Hackers Strike Gold with a Spoofed Email
Once the hackers were in the bookkeeper’s email, they just had to watch and wait for an opportunity. It came when Williams forwarded an email to their bookkeeper with the legitimate instructions for how to send money to the building developers’ bank.
Seeing the opportunity, the hackers used Google to create an email address that looked like the building developers’, duplicating their name, photo and signature. They then sent a new email to Williams explaining that their Denver bank was undergoing a yearly tax audit, so could they deposit the money into a different bank instead? Because there was just a one-letter difference in the email address, Williams didn’t notice the counterfeit, trusted the email and complied with the request.
What started as snooping on the bookkeeper’s email ended in a $650,000 fraud, all because of a spoofed Gmail account that was deceptively accurate.
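The one-letter difference that fooled Williams is exactly the kind of thing a mail filter or a pre-payment checklist can catch mechanically. The following Python script is an added example, not code from the article or from One Treasure Island’s vendors: it compares the From: address of an incoming message against a constructed address book of trusted partners (the names and addresses are made up) and flags any address that is within two single-character edits of a known contact, or that reuses a known contact’s display name with a different address.

```python
from email.utils import parseaddr

# Constructed address book of trusted partners (display name -> address).
# These are made-up values for the example, not the article's real partners.
TRUSTED_CONTACTS = {
    "Dana Rivera": "dana@summit-builders.example",
    "Accounts Payable": "ap@summit-builders.example",
}

# Flag any address within this many single-character edits of a trusted one.
MAX_EDITS = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def assess_sender(from_header: str):
    """Classify a From: header value against the trusted address book.

    Returns (verdict, detail); verdict is 'trusted', 'lookalike',
    'name-match' or 'unknown'.
    """
    display_name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    display_name = display_name.strip().lower()

    # Exact address match: the message really comes from a known mailbox
    # (assuming the mailbox itself has not been taken over).
    if addr in (a.lower() for a in TRUSTED_CONTACTS.values()):
        return "trusted", f"{addr} is in the address book"

    # Lookalike: one or two characters away from a trusted address,
    # e.g. a swapped letter or a digit standing in for a letter.
    for known_name, known_addr in TRUSTED_CONTACTS.items():
        d = edit_distance(addr, known_addr.lower())
        if d <= MAX_EDITS:
            return "lookalike", f"{addr} is {d} edit(s) from {known_addr}"

    # Name reuse: familiar display name, but an address we have never seen.
    for known_name, known_addr in TRUSTED_CONTACTS.items():
        if display_name and display_name == known_name.lower():
            return "name-match", (f"display name matches {known_name} but address "
                                  f"is {addr}, not {known_addr}")

    return "unknown", f"{addr} is not a known contact"


if __name__ == "__main__":
    # Constructed sample headers; the second differs from the trusted address by one character.
    for header in [
        "Dana Rivera <dana@summit-builders.example>",
        "Dana Rivera <dana@summit-bui1ders.example>",
        "Dana Rivera <dana.rivera.summit@gmail.example>",
        "Newsletter <news@another-org.example>",
    ]:
        print(assess_sender(header))
```

Run it over any email that changes payment details before acting on it: a “lookalike” or “name-match” verdict means verify by phone at a number you already have on file, never at one given in the email. The address book and the edit threshold are the only parts to adapt to your own partners.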
Below are some real spoofs that we’ve received.



Phishing scams are dangerous because, although a competent web team can help keep your website secure, there’s nothing that replaces a team that recognizes and disposes of phishing scams when they show up. Learn how phishing simulators can help improve your team’s resistance to phishing.
When Hackers Steal Sensitive Data And Erode Your Community’s Trust
Imagine that, instead of your email account, hackers had used one of the previous attacks to gain access to your database. What do you store in there, and how much damage could they do to your community and your reputation? Here are just a few of the data breaches that hit unions and nonprofits in recent years.
- Service Employees International Union (SEIU) Local 1000 represents nearly 100,000 state employees in California. In 2024, the LockBit ransomware gang said it stole 308 gigabytes of data from the union that included employee Social Security numbers, salary information, financial documents and more (Greig, 2024).
- In 2023, Norton Healthcare, a nonprofit healthcare system based in Louisville, Kentucky, fell victim to an attack that compromised the personal information of nearly 2.5 million individuals, including names, dates of birth, Social Security numbers, health and insurance information and medical identification numbers (Times of India, 2023).
- Also in 2023, the Medusa gang stole sensitive data from the Minneapolis Public Schools. They demanded $1 million, threatening to release the data online. Initially the school downplayed the leak, calling it an “encryption event.” But they had to own up to the severity of the breach after the gang posted a video showcasing some of the stolen documents (Keierleber, 2023).
What can a hacker do with stolen community data?
A hacker could do a number of harmful things with this kind of information, all eroding your community’s trust.
- Hackers could use your community email list to send phishing scams in your name. Imagine an end-of-year fundraising appeal letter that deposits money in the hackers’ accounts instead of yours.
- If you are a union that runs a retirement fund, you could lose money from your workers’ pensions.
- Depending on the data you store, hackers could open lines of credit in your community’s name.
None of these scenarios are good. So what do you do if your community data has been compromised? In Data Breach Response: A Guide for Business, the Federal Trade Commission explains the steps you are legally required to take. You may even be required by law to alert individuals that their data has been stolen.
Along with the effort you will spend securing your system, you may also need to rebuild trust with your community. As part of that repair, you might consider undergoing a security audit with a reputable vendor. With GDPR Compliance, SOC 2 Compliance, or ISO/IEC 27001:2022 Compliance, a third party will test the security of your system over time and provide you with a certificate of compliance which you can then share to reassure your community that you are a safe partner to store information with.
When we need a third party to help us strengthen our IT security, we work with Tech Collective, a worker-owned cooperative.
When Hackers Ransom Your Hardware And Stop Your Campaign Cold

Ransomware attacks are on the rise; they not only cost millions but can stop your campaign cold.
Ransomware is any kind of breach where the hacker demands payment in exchange for returning your data and assets. In some cases, the hacker encrypts all the data on your hard drive, so that you need their decryption key to regain access. But other assets can be ransomed as well:
- Social Media Accounts
- Email Accounts
- Community Data
- Access to your machines, websites and databases
In all these cases, hackers revoke your access to the vital tools you need to run your campaign.
Thankfully, if you have stable and recent backups of your website and database, you may be able to rebuild your system at a much smaller cost than paying the ransoming gang. That’s what the Teamsters Union did in 2019 when hackers locked them out of their computer systems and demanded $2.5 million.
“The Teamsters decided to rebuild their systems, and 99 percent of their data has been restored from archival material — some of it from hard copies — according to the union’s spokesperson” (Allen, Collier, 2021).
Cybersecurity is an enormous topic. If you wanted, you could create a dedicated role in your organization and hire someone with years of experience. But the chances are that you are here because you don’t have that kind of time or resources. Whether you have the support of a dedicated technology partner or not, we hope the steps below help you get even an inch closer to tightening your cyber security. Our community’s trust and our ability to organize effectively depend on it.
Have a problem that you don’t see written here? Help us improve this resource by letting us know.
Cybersecurity Best Practices for WordPress
Much like a well-maintained home is the key to keeping it safe from pests, cracks, leaks, fire hazards and clutter, a well-maintained site stays safe from hackers. According to Seetify, 43.2% of all sites are built on WordPress, making it the most popular content management system (CMS). Unfortunately, this also means hackers are testing all of the system’s locks.
Thankfully, with over 20 years of experience securing WordPress websites, we are aware of common pitfalls you should heed and best practices you should follow to ensure your site is locked safe. We are proud to share some of what we’ve learned with you. Here are 7 ways to keep your site in tip-top shape and less vulnerable to hacking.
7 Steps To Secure Your WordPress Website
Have a digital vulnerability that isn’t secured using the steps below? Tell us what you know and help us improve this resource.
1. Test your team’s vulnerability to phishing scams
If you walk away with one lesson from this article, it’s this: the majority of hacks require that a real human on your team fall victim to some kind of spoof or phishing scam.
Instead of clicking on suspicious links and logging in from fishy wifi networks, we recommend you support your team with security awareness training. There are many for-pay, free and DIY methods you can use to increase your team’s awareness of phishing scams. These are called phishing simulators, and most tools let you create campaigns using these steps:
- Plan your Simulation: Choose which social engineering tactic you want to raise awareness for. Then select the industry to spoof, the service to spoof, and the type of spoof. For example, you might want to raise awareness about the dangers of credential harvesting (social engineering tactic) for your email service (industry). You could then send a fake Login Alert (type) for employee Google accounts (service) that includes the link to a fake credential harvesting website.
- Create the Phishing Emails: Write the email, text messages, and set up the spoofed web pages that you will include in your tests.
- Send the Scams: Select the cadence at which you will test your team. Then begin sending the phishing tests.
- Watch Responses: Gather information about how many people on your team fell for the attack. With continuous training, you should see this number diminish.
- Provide Just-In-Time Training: If a team member does fall for an attack, the spoofed link they click should also direct them to a page where they can learn about the attack and how to spot it in the future.
In advance of a phishing simulation, here are some best practices your team can implement today to become more phish-resistant:
- When in doubt about a suspicious email, find a secure way to verify that it is from the supposed sender.
- Do not download or open any attachments in text messages or emails from unknown sources.
- Avoid clicking on any unverified link. The leading cause of ransomware attacks is clicking on untrusted links and attachments.
- Regularly update your operating system, applications, and software to fix known vulnerabilities.
Have you been the victim of a phishing attack? Let us know what helped you and your team build their human firewall.
2. Choose plugins that are actively supported, and update them often
By far the simplest way to keep your site well-maintained and safe from vulnerabilities is to update your plugins. We recommend going the extra mile and making sure to pick plugins that are consistently updated, say within the last 3-4 months. This is especially important for plugins that have access to the core elements of your website such as your database.

We also recommend removing plugins that you do not regularly use. Not only will unused plugins slow down your site, but hackers are always looking for vulnerabilities to exploit, and websites with plugins that are not maintained, updated, or are inactive are an easy target.
Updates are sometimes incompatible and can crash a website, so we recommend setting up a staging website to test updates on first. If the staging website passes the tests, chances are good that it’s safe to run your updates on your live website as well.
A staging website may, for example, have the URL staging.your-website-url.com. Not sure if you have a staging website set up? Ask us for help.
3. Resolve issues in the Site Health Status tool
This feature comes with all installations of WordPress. You can find it on the Dashboard or under Tools > Site Health.

The tool scores your website’s health, with both security and performance tests. It then provides straightforward steps to take to resolve the issues. You can fix many issues without hiring technical assistance. For example, the health check above recommends removing unused themes, which is something you can do if you have administrator access to your website.
4. Install a security plugin to take care of common threats
Security plugins offer features that can protect against some of the hacks that hit unions, nonprofits, and foundations.
Features such as…
- Two-Factor Authentication
- Firewalls
- Enforcing strong passwords
- Enforcing SSL Certificates
…to protect against…
- Brute Force Attacks
- Suspicious Logins
- Credential Stuffing
- File tampering which could lead to viruses, malware and ransomware
- And more

Some security plugins also act like a stricter, more knowledgeable WordPress Site Health tool, letting you scan your website for additional security issues that need to be resolved. Having a security plugin is as necessary as having antivirus software on your computer.

5. Enable Two-Factor Authentication (2FA) and use User Roles
Two-factor authentication is being used in more and more digital services, and for good reason. As we saw, there are several ways a hacker could steal your username and password: brute force, credential stuffing, man-in-the-middle attacks, and more.
Using 2FA, your website and your personal device share a secret key. The key is a long string of random characters, such as LAK34EI8HH377ASL01SWE9AKDF. Both your website and your device store the secret and use it as the seed to generate a new, temporary password every 30 seconds. Both devices use the same algorithm to generate the password, so both passwords will be the same. And because the password goes stale every 30 seconds, a leaked 2FA password is quickly useless.
So with 2FA enabled, if a hacker steals your credentials while you work from your favorite coffee shop, they will still be unable to log into your account.
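The shared secret, the 30-second window and the identical algorithm on both sides are the TOTP scheme (RFC 6238) that authenticator apps implement. The following Python block is an added example, not code from the article or from any WordPress plugin; it uses the published RFC 4226/6238 test-vector key as its demo secret, so the codes it produces are known values, and it shows why a leaked code is worthless a minute later: verification only accepts the current code and one step either side.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector key ("12345678901234567890") encoded in base32,
# the form authenticator apps accept. Demonstration only; never reuse a published key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30   # seconds a code stays valid
DIGITS = 6       # length of the one-time code


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = TIME_STEP) -> str:
    """Time-based code (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step))


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = TIME_STEP, window: int = 1) -> bool:
    """Server-side check: accept the current code or one step either side (clock drift).

    Anything older is rejected, which is why a code copied from a phishing page
    stops working within a minute.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # Both "devices" derive the same code from the same secret and the same clock.
    now = time.time()
    code_on_phone = totp(DEMO_SECRET_B32, now)
    print("code:", code_on_phone, "accepted now:", verify_totp(DEMO_SECRET_B32, code_on_phone, now))
    print("accepted two minutes later:", verify_totp(DEMO_SECRET_B32, code_on_phone, now + 120))
```

The secret is what an authenticator app reads from the QR code in Step 2 below; it is shared once, at enrolment, and never sent again. Only the six-digit code travels, and because the code is a function of the secret and the current 30-second step, an attacker who captures it gets nothing they can reuse.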
Here is one way to enable 2FA and to connect it to a password manager.
Step 1 – Enable two-factor authentication for your WordPress user

Step 2 – Generate the code with which you will receive one-time passwords

Step 3 – Enter the authentication key into your authenticator app (many password managers have this available)

Step 4 – Enter the generated one-time password into WordPress

Step 5 – Use two-factor authentication to keep your account secure

We recommend that all administrators of your website use 2FA, and we recommend following the principle of least privilege (PLoP): anyone who doesn’t need to perform administrative tasks should have a user role with fewer privileges. Read more about WordPress user roles to find out what’s right for your team.
6. Pick a hosting service that is communicative, secure and responsive
Not all web hosts are made of the same stuff. Take PHP server updates as an example.
PHP is a web language that powers all WordPress websites. It was invented in 1995, and in 2020 it went through its 8th major version upgrade. As with updating WordPress, upgrading PHP comes with the possibility that your website will crash, and so any update should first be tested and fixed in a staging environment.
That’s why it’s important to host your website with a server company that is communicative and tells you when major updates are coming.
We recommend working with Electric Embers and MayFirst, not only because they are excellent and communicative when upgrading their servers, but because they also share our commitment to collective liberation.
7. Protect your site from spam
We all know what it is. So how do we stop it from reaching us through our website?
We have seen clients receive more than 10,000 form submissions in a week. And most of it was spam. When this happens, these entries not only require time to delete, but they take up space on the server. This can slow down your website for other visitors while you are also charged by your host for the extra space to store these entries.
So if your website accepts comments or form submissions, then you will definitely want to protect yourself from spam by installing tools that sniff out bots. Save yourself time, money, and headache by turning on reCAPTCHA (free with registration) or Akismet (free for qualified nonprofits), and consider activating form honeypots as well.
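A form honeypot is a field that real visitors never see (it is hidden with CSS) but that bots fill in because they complete every field they find. The following Python handler is an added example, not code from the article, Akismet or reCAPTCHA: it rejects submissions where the hidden field is filled, and goes one step beyond the article by also rejecting forms submitted faster than a person could fill them, using a server-signed render timestamp so that check cannot be forged. The field names and the signing secret are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed field names; the honeypot input is rendered hidden so humans never see it.
HONEYPOT_FIELD = "website_url"
RENDER_TOKEN_FIELD = "form_rendered_at"
MIN_FILL_SECONDS = 3          # nobody reads and completes a contact form faster than this

# Constructed demo secret; in practice load it from configuration and rotate it.
SERVER_SECRET = b"constructed-demo-secret-rotate-me"


def render_token(now: float) -> str:
    """Value to embed in the form when it is rendered: "<unix seconds>:<hmac>"."""
    ts = str(int(now))
    sig = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{sig}"


def classify_submission(form: dict, now: float, min_fill_seconds: int = MIN_FILL_SECONDS) -> str:
    """Return 'ok' or a 'spam: ...' reason for a submitted form (field name -> value)."""
    # 1. Honeypot: bots auto-fill every field; people leave the hidden one empty.
    if form.get(HONEYPOT_FIELD, "").strip():
        return "spam: honeypot field filled"

    # 2. Timing: the render token proves when the form was served, and the HMAC
    #    proves the client did not invent or backdate it.
    token = form.get(RENDER_TOKEN_FIELD, "")
    ts, _, sig = token.partition(":")
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not ts.isdigit() or not sig.isascii() or not hmac.compare_digest(sig, expected):
        return "spam: missing or forged render token"
    if now - int(ts) < min_fill_seconds:
        return "spam: submitted too quickly"

    return "ok"


if __name__ == "__main__":
    served_at = time.time()
    token = render_token(served_at)
    # Constructed submissions: a person, a bot that filled the hidden field,
    # and a bot that posted the form one second after it was served.
    print(classify_submission({"name": "Ana", RENDER_TOKEN_FIELD: token}, served_at + 12))
    print(classify_submission({"name": "x", HONEYPOT_FIELD: "http://x", RENDER_TOKEN_FIELD: token},
                              served_at + 12))
    print(classify_submission({"name": "x", RENDER_TOKEN_FIELD: token}, served_at + 1))
```

Rejected submissions should be dropped rather than stored, which is what saves the server space and the cleanup time described above; logging a count per reason is enough to see whether the honeypot or the timing check is doing the work.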

Stay Vigilant, But Still Have Fun
Hacking is a serious threat that can cost your organization its funding, credibility, and ability to campaign for collective liberation.
But we believe it’s also important to share moments of joy with each other. If you need a design and technical partner who can keep our people safe while also bringing levity, we would love to work with you. Send us a message to work with us.
Glossary of Cybersecurity Terms
To successfully predict and prevent a threat, you will need to know the kinds of vulnerabilities that are in your system. Below are some terms that can help you model your environment.
Brute Force Attack – There are several types of brute force attacks a hacker could use to access someone’s email. Many involve using a computer program to try different possible combinations of keys, or dictionaries of common passwords. We protect your website against brute force attacks by installing a security plugin. The plugin limits the number of times a person can enter an invalid password before being temporarily locked out, slowing down the speed with which a hacker can continue a brute force attack.
Community Data Theft – This happens when a hacker gains access to sensitive data that you store about your community, whether it’s in a filing cabinet, spreadsheet or Community Relationship Manager (CRM).
Credential Stuffing – A more clever type of brute force attack is credential stuffing. Say for example the bookkeeper uses the same or similar username and password for all of their accounts. If their credentials for their airline reservation website are leaked, a hacker could try the same password and username for their email address and successfully get in.
Want to know if your credentials have been leaked? Check at one of these services:
Protect against credential stuffing by using a password manager that makes it easy to create strong, unique passwords for every site you use. And when possible, enable Two-Factor Authentication.
Credential Theft – When a hacker gains access to your credentials, such as email or social media. This is akin to stealing your house key.
Cross Site Scripting (XSS) – A type of website vulnerability hackers use to get access to sensitive data.
Distributed Denial of Service Attack (DDoS) – This tactic is used by hackers to crash your website so that it cannot be used. When too many people attempt to read the same website at the same time, there is a chance the server will be inundated with requests, causing the crash. Hackers may get you to download a virus that lets them use your machine in this kind of attack, or they may use this tactic to disrupt your work.
Elevation of Privilege – This is a strategy hackers use to gain access to sensitive data by first accessing an account with privileges the hacker shouldn’t have. For example, if someone accesses a Google Document that they should not have access to, they may have used a technique to elevate their user privileges.
Human Firewall – Teams that are well aware of social engineering tactics, can identify them, and resist them, are said to have a strong human firewall. The term comes from the computer firewalls that protect websites and servers. Use a phishing simulator to help strengthen your human firewall.
Information Disclosure – Another name for “data theft” and “credential theft.” This occurs when sensitive data gets into the wrong hands, either by gaining administrator access to a system or when sensitive data is not stored in a safe location.
Intercepting Web Requests – A man-in-the-middle attack operates by intercepting your web requests. This can be a precursor to tampering with data.
Malware and Viruses – Computer programs that, when you download them, are designed to leak your sensitive information, disrupt your ability to use your computer, or let the hacker use your computer for their own purposes (such as a DoS attack).
Man-In-The-Middle Attack – Have you ever wondered if the free wifi networks you connect to are secure? With a variety of tools, a hacker can set up a free wifi network for you to connect to from a coffee shop or an airport. If you connect to this network, you may be more susceptible to phishing scams (like a fake Facebook login page that asks for your credentials). And if your web request isn’t encrypted (using a VPN or SSL/TLS Certificate) then it would be easy for the hacker to steal your credentials.
Principle of Least Privilege (PLoP) – A strategy for securing data by ensuring that only the people who need to complete a task have the ability to do so. For example, you could implement the principle of least privilege in a bookkeeping system by granting just the bookkeeper, and not a project manager, the privilege to access and modify information about payroll.
Phishing – A type of spoof where a hacker may, for example, send you an email from an account that looks genuine and trustworthy but is not. Usually the email asks you to do something you would otherwise not want to do, like sharing your sensitive data or, as in some of the examples above, sending money into the hacker’s account.
- Smishing – Phishing that happens over text message.
- Quishing – Phishing that happens using a QR code instead of a link.
- Vishing – Phishing that happens over a phone call, sometimes by an AI deep-fake that impersonates someone you know.
Phishing Simulator – A tool that helps you test and improve your team’s resistance to phishing scams.
Ransomware – A type of virus or malware that locks you out of your digital system, whether that’s email, social media, Slack, your website or your computer. The hacker will sometimes ask for a ransom in exchange for access to your digital system.
Role Based Access – The practice of limiting who has access to what data based on one’s role. Google Documents, for example, have the roles “Viewer,” “Commenter” and “Editor.”
SSL Certificate and HTTPS – An internet protocol that helps protect against man-in-the-middle attacks by ensuring the data between you and the server is encrypted. You know you’re navigating a website with an SSL certificate if it uses the HTTPS protocol.
Social Engineering – In addition to technology, hackers use social engineering to gain your trust and trick you into sharing sensitive information that you otherwise would not share. There are several types of social engineering tactics to watch out for:
- Credential Harvest
- Malware Attachment
- Link in Attachment
- Link to Malware
- Drive-by URL
- OAuth Consent Grant
Sensitive Data – The list below includes the sensitive data as defined by the European Union’s General Data Protection Regulation (GDPR) and then some.
- names, email addresses, home address, banking information, social security numbers
- real-time location
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
- trade-union membership
- genetic data, biometric data processed solely to identify a human being
- health-related data
- data concerning a person’s sex life or sexual orientation
Spoofing – When an attacker pretends to be a valid, trustworthy contact. A spoof could come in the form of an email address, phone call, text message or other communication that looks familiar, but isn’t. You might land on a spoofed Facebook login page that asks for your credentials, or a spoofed public Wifi network that intercepts your web communication.
STRIDE Framework – A framework for mapping possible threats to your organization. It stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege.
SQL Injection – A method hackers use to get access to your database.
Tampering – When an attacker modifies data in transit or at rest.
User Privilege – In the context of data, it refers to the power that someone has according to their role. Looking at Google Documents as an example, someone who is a “Viewer” has the privilege to read a document, but not to comment on or edit it.
Virtual Private Network (VPN) – A tool some people use to hide and encrypt their web use. By encrypting your data, a VPN may offer some protection against some types of man-in-the-middle attacks.
Zero Click Attack – Unlike most phishing scams, a zero click attack does not require that you interact with the attack, just that you receive it. These attacks are rare but dangerous.