Financial Fraud Can Happen to You

This post expands upon the one I did last month on good practices for Managing Your Critical Business Accounts. I look more closely at financial risks, again reaching out to a handful of nonprofit leaders who think about this topic every day.

I know articles and posts about this topic are published frequently. My message is: Just because you are a nonprofit, just because you are a small organization, do not think you will not be attacked. Every leader I spoke with indicated that they have been targeted. And some have lost money because they were not prepared.

Organizations Are Easily Scammed

Fake Check Scam: I had a personal experience with a small nonprofit. We made a critical mistake: We posted our bank account online to make it easier for donors to wire money to us. This information was found by bad actors who created a fake check under our name and deposited it in a bank in another state. We saw a photo of the check. It did not look authentic. It had a high number – and we had only written two checks on the account. The signatures did not match ours. We probably would not have caught the fraud right away except the bad guys were greedy and wrote the check for a large amount. Our board Treasurer caught the scam. We did not lose any money. Our bank was very helpful, and we learned a lot.

Vendor Scam: A vendor emailed the organization to say they had a new bank account. The finance manager updated the account on file, paid the vendor's next invoice to it, and the money was gone. Nobody realized there was a problem until the real vendor sent a late notice. The "vendor" who sent the email was not the real vendor at all but an impostor, and the finance manager had been tricked.

Fake Approval Scam: The bookkeeper at a small organization received an invoice for legal fees, apparently forwarded by their Executive Director (ED), with the ED's approval to pay written into the same email. Both the invoice and the approval turned out to be fake; the email had not come from the ED. They lost the money. A part-time CFO the organization was using caught the fraud later.

People Are the Weak Link — So Train Them

All these stories illustrate that people are the weak link. People make foolish mistakes, as in my personal case. Or they do not know that they should double-check a new or changed bank account. They may not know which invoices to question. Traditional financial controls are built to catch internal fraud; they do much less when an outsider persuades an authorized person that a fraudulent payment is legitimate. And today, savvy bad actors, with artificial intelligence to help them, are very good at exactly that kind of trickery.

The Good News? Training Works

Train your staff and volunteers from day one and reinforce the training regularly. Build a culture of verification in which staff are not only encouraged but rewarded for double-checking suspicious emails, bank account changes, and new vendor requests.

Conduct simulated phishing tests to gauge awareness. One organization I spoke with sends its own staff fake phishing emails to see who clicks. Instead of punishing those who do, they use it as a learning opportunity.

Consider cybersecurity training platforms such as Ninjio that provide monthly cybersecurity training. I found a couple of articles that rate these platforms: 6 Best Cybersecurity Training for Employees in 2025, Security Awareness Computer-Based Training Reviews and Ratings, and 10+ popular courses for cybersecurity training for employees. Assess your organization's needs and review the literature to identify the best course for you.

Additional Pointers from My Experts

Here is a prioritized list from the individuals I interviewed, focusing on financial security, fraud prevention, and cybersecurity:

Top Priority (High Impact, Immediate Risk Mitigation)

  1. Never post bank account details (account and routing numbers) online. Anyone who can see them can print a check on your account, as happened in my case. (Prevents exposure to hackers and fraudsters.)
  2. Proactively confirm vendor changes. If a vendor emails a change of address or bank account, confirm it through a separate channel, such as a phone call to a number you already have on file for the vendor, never a number taken from the email itself. (Prevents falling victim to phishing and fraud.)
  3. Do not approve payments on the strength of an email alone. Sender addresses are easily spoofed and mailboxes get compromised, so call or text the person who supposedly gave the approval, or route approvals through a payment platform with its own logins and approval workflow. (Reduces the risk of fraudulent payments from spoofed or compromised email.)
  4. Establish and follow written financial controls, such as requiring a second person to approve payments. (Limits what any one person, or anyone impersonating them, can pay out.)
  5. Keep systems and software up to date. Ensure operating systems, antivirus software, and applications are updated with the latest security patches. (Closes known vulnerabilities that attackers use to get into machines and mailboxes.)
  6. Use firewalls and endpoint protection to secure nonprofit networks. (Protects against cyberattacks and unauthorized access.)
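To make items 2 and 3 concrete, here is a small added example (mine, not code from the author or from any of the organizations described above) that screens a vendor email the way a finance inbox might before anyone touches the vendor master file. It checks whether the message asks for a bank or remittance change, whether the sender's domain matches the domain recorded for that vendor at onboarding or merely looks like it, whether Reply-To points somewhere else, and what the receiving mail server's Authentication-Results header says about SPF, DKIM and DMARC. Both messages, the vendor master entry and every domain in them are constructed for the example. The verdict is a screening aid only: a bank-change request triggers a phone call to the number already on file no matter what the headers say.

```python
from __future__ import annotations

import difflib
import email
import email.utils
import re
from email import policy

# Constructed sample (not a real message): a "new bank account" request of the
# kind described in the vendor scam above. Note the sender domain: the "l" in
# "supplies" is a capital "I", and Reply-To points at a different domain.
SCAM_EMAIL = """\
From: Accounts Receivable <billing@acme-suppIies.example>
Reply-To: ar-updates@mail-hosting.example
To: finance@smallnonprofit.example
Subject: Updated remittance details for invoice 4471
Authentication-Results: mx.smallnonprofit.example; spf=pass smtp.mailfrom=mail-hosting.example; dkim=none; dmarc=fail header.from=acme-suppIies.example

Please update our bank account on file before paying invoice 4471.
New account 123456789, routing 021000021. Thank you.
"""

# Constructed sample of an ordinary message from the real vendor domain.
LEGIT_EMAIL = """\
From: Accounts Receivable <billing@acme-supplies.example>
To: finance@smallnonprofit.example
Subject: Receipt for invoice 4470
Authentication-Results: mx.smallnonprofit.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example

Thank you, payment for invoice 4470 was received on the 3rd.
"""

# Hypothetical vendor master file: the email domain recorded when the vendor
# was onboarded. It is never updated from an incoming email.
VENDOR_DOMAINS = {"Acme Supplies": "acme-supplies.example"}

# Wording that signals a request to change where money is sent.
BANK_CHANGE_RE = re.compile(
    r"\b(new|updated?|change[ds]?)\b.{0,40}\b(bank|account|remittance|routing|wire)\b",
    re.IGNORECASE | re.DOTALL,
)


def parse_authentication_results(header: str | None) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of the receiving server's Authentication-Results header."""
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", header or "")}


def domain_of(address_header: str | None) -> str:
    """Domain part of the first address in a From or Reply-To header, lowercased."""
    _, addr = email.utils.parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def assess_vendor_email(raw_message: str, vendor_domains: dict[str, str]) -> dict:
    """Flag a vendor email as a bank-change request and list spoofing red flags.

    The result never replaces the phone call: a bank-change request requires a
    callback to the number on file even when every header check passes.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    auth = parse_authentication_results(msg["Authentication-Results"])
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    bank_change = BANK_CHANGE_RE.search(text) is not None

    red_flags: list[str] = []
    lookalike = None
    known = set(vendor_domains.values())
    if sender not in known:
        red_flags.append(f"sender domain {sender} is not on file for any vendor")
        # A domain one character away from a known vendor is the classic lookalike.
        close = difflib.get_close_matches(sender, known, n=1, cutoff=0.85)
        if close:
            lookalike = close[0]
            red_flags.append(f"{sender} looks like {lookalike} (lookalike domain)")
    if reply_to != sender:
        red_flags.append(f"replies go to {reply_to}, not to the sender's domain")
    if auth.get("dmarc") != "pass":
        red_flags.append(f"DMARC result is {auth.get('dmarc', 'missing')}, so the From address is unverified")

    return {
        "sender_domain": sender,
        "lookalike_of": lookalike,
        "auth": auth,
        "bank_change_request": bank_change,
        "red_flags": red_flags,
        "requires_callback": bank_change,  # the rule from item 2: always call on a bank change
    }


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        verdict = assess_vendor_email(raw, VENDOR_DOMAINS)
        print(f"{name}: callback required = {verdict['requires_callback']}")
        for flag in verdict["red_flags"]:
            print("  -", flag)
```

On the constructed scam message this raises four red flags (unknown sender domain, lookalike of the vendor on file, Reply-To mismatch, DMARC failure) and marks the callback as required; the ordinary receipt raises none. Notice that `requires_callback` depends only on whether the message asks for a bank change, not on the red flags: a compromised real vendor mailbox would pass every header check, which is why the phone call to a number already on file is the control, and the header checks are just triage.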

Secondary Priority (Important but Indirect Risk Mitigation)

  1. Enable "Positive Pay" at your bank. With Positive Pay you send the bank a list of the checks you have issued (check number, amount, and payee); a check presented for payment that does not match the list is held as an exception and is paid only if you approve it within the bank's deadline. Most banks offer the same control for ACH debits (autopay) using an approved list of originators. In my fake check story, a check number and amount we had never issued would have been stopped. (Adds an extra layer of security to prevent check fraud.)
  2. Set up bank alerts. Get notifications for large payments and for checks that remain uncashed, and review transactions regularly. (Helps detect unauthorized transactions early.)
  3. Do not use handwritten checks. Use electronic bill pay from your bank or an online bill pay platform such as Bill.com, which has an approval workflow built in. (Prevents check fraud and streamlines payments securely.)
  4. Take online donations through an established, encrypted payment processor rather than collecting card numbers yourself, so donor payment data is held by the processor and not by you. (Protects donor payment data from breaches.)
  5. Keep account signatories updated, and make sure more than one person is authorized to make changes to accounts. (Prevents operational delays and unauthorized access to financial accounts.)
  6. Do not rely solely on your bookkeeper for financial oversight. Implement independent checks and balances. (Ensures independent oversight of financial processes.)

Other Resources

Here are some additional resources to assist with financial and cybersecurity.

Truist Business Resource Center: This resource provides strategies that nonprofits can use to combat rising fraud and cybercrime threats, including check fraud, ransomware, and data theft.

Nonprofit Risk Management Center: This site offers insights into fraud and financial oversight for nonprofits, including understanding different types of fraud and implementing effective financial oversight practices.

Classy Blog: This blog provides nine essential fraud prevention tips for nonprofits, including educating staff, implementing anti-phishing measures, and creating a culture around fraud prevention.

Nonprofit Cyber – Cybersecurity for Nonprofits: Coalition of cybersecurity nonprofits.
