
Protecting what matters: How nonprofits can keep donations and donor data safe

Nonprofits rely on donations to fuel their mission, but a single data breach could harm donors’ trust and send years of meaningful work down the drain. However, even with limited resources or no dedicated IT team, your nonprofit can keep donor information safe, reduce the risk of fraud, and protect its reputation. Find out what practical steps to take to improve your nonprofit’s security and maintain donor trust.

Aug 13, 2025

12 min read


Cybersecurity — a must-have for nonprofits

Nonprofits and NGOs face unique cybersecurity challenges. Donations don’t just support the mission — they also help fund salaries, outreach efforts, and fundraising initiatives. And when donors contribute, they’re not just offering financial support, they’re also trusting you with sensitive information like credit card details, email addresses, and phone numbers. A cybersecurity incident can damage that trust.

The consequences of cyber intrusions go beyond donor relationships. They can affect the people nonprofits serve, the essential services they provide, and the communities they support.

Recent surveys paint a clear picture of the cybersecurity challenges nonprofits and NGOs are up against:

  • Donors are worried. A survey from 2024 [1] found that 68% of donors are very concerned about their information being hacked or stolen when donating to a charity for the first time. If the charity was hacked, 27.8% of participants said they would stop donating, while 52% would hold off on future giving.
  • Cyberattacks are widespread. In 2023, 41% of surveyed NGOs revealed they have been a victim of a cyberattack in the past three years [2]. All NGOs that experienced cyber incidents reported that these attacks weren’t isolated — some organizations dealt with them daily, while others faced them on a monthly or yearly basis.
  • Organizations face internal risks. Notably, 85% of NGOs acknowledge that their staff are a significant element in their cybersecurity posture, while 52% identify unpatched software systems and weak credentials as major risks [3].
  • Web protection is crucial. Another survey from 2023 [4], completed by nonprofit professionals from 116 countries, found that 93% of nonprofits engaged in online fundraising accept donations through their website, and 91% process credit card payments on their website, bumping web protection to the top of the cybersecurity priorities list.
  • Controlling data access is challenging. One of the biggest issues for nonprofits and NGOs is stopping the wrong people from accessing their data [5], which often includes donor information.

Small nonprofits are often more exposed than organizations with a larger pool of resources. Without dedicated IT staff, security tools, or recovery budget, a phishing attack or data breach can be hard to handle — or recover from.

Key cybersecurity risks for nonprofits and NGOs

To build an effective cybersecurity strategy, it’s important to first understand the common risks your nonprofit faces. These include both external threats you need to watch out for and internal vulnerabilities you need to address:

1. Fake donation forms and cloned websites

Cybercriminals set up fake versions of nonprofit donation pages to trick supporters into submitting payment information. These fake pages and charity scams are typically promoted via phishing emails or fake social media ads.

Unfortunately, nonprofits have no control over these sites. However, it’s worth posting warnings on your organization’s website to alert supporters about scam websites and impersonators. Encourage your donors to double-check URLs and only donate through official channels.

Pro tip: You can check any link for scams before you click. Copy and paste the suspicious URL into NordVPN’s link checker to instantly check whether it’s safe.

2. Phishing emails targeting staff and volunteers

Phishing is among the most common cyberattack vectors worldwide. Nonprofits frequently receive fraudulent emails designed to look like they’re from legitimate entities in order to steal login details, access donation platforms, or trick staff into transferring funds.

3. Unsecured donation pages

If your donation pages lack SSL/TLS encryption (a protected page shows “https” and a padlock icon in the browser), they are highly vulnerable to data interception during transactions. This means donor information could be easily stolen.

4. Weak internal data access controls

Without proper access controls — such as multi-factor authentication (MFA) or role-based permissions — sensitive donor data may be left unnecessarily exposed to unauthorized staff, volunteers, or bad actors.

5. Insider errors and misuse

Security breaches are often accidental. Mistakes like responding to phishing emails, mishandling donor data, or using weak passwords can leave your organization wide open to attacks. 

Practical steps to improve your nonprofit’s cybersecurity

Even without advanced IT expertise, your nonprofit can adopt key practices to protect donor information and donations. Focus on these areas to build a stronger defense:

Secure your online donation channels

Your website and payment processors are the front lines of your fundraising efforts, so keeping them secure is one of the most important things you can do. Make sure your donation page uses SSL/TLS encryption (visible as “https://” in the URL and a padlock icon in the browser). This encrypts data transferred between your donors and your site, making it unreadable to snoopers.

Always use trusted payment processors with a proven track record and strong security measures. Companies like Stripe or PayPal, or donor-focused platforms like DonorBox or GoFundMe Charity, invest in security. Avoid third-party plugins or unofficial tools unless you’ve thoroughly vetted them for security risks.

Strengthen account access

One of the easiest ways to prevent unauthorized access is to make sure your login credentials are very strong. Always use intricate, unique passwords for all accounts, especially those accessing sensitive donor data or financial information. A password manager like NordPass can help you create and securely store these complex passwords so you don’t have to remember them all.

Beyond passwords, enable MFA wherever you can. MFA adds an extra layer of security by requiring users to verify their identity with a second factor, like a code from a phone app, after entering their password. Many platforms offer MFA for free, and it significantly reduces the risk of stolen credentials leading to a breach.

Empower your team through training

Your staff and volunteers are your first line of defense. Regularly train your team in phishing awareness so they can recognize and avoid common scams. Teach them how to spot suspicious emails, links, or messages that try to trick them into revealing sensitive information.

It’s just as important to have a clear way for your team to report suspicious emails. Encourage them to report emails with unexpected links or unusual attachments, rather than clicking on them. Reporting suspicious emails not only prevents immediate harm but also acts as an early warning system for your organization. For instance, if several team members flag the same suspicious email, your security team can quickly spot the pattern, block the sender, and warn everyone else, stopping a wider attack before it spreads.
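The early-warning pattern described above can be automated with a small script. This is an added example, not part of the original article: it groups reported emails by sender and link hosts and surfaces those that several different people flagged. The function names, staff names, and `.test` domains are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def link_host(url):
    """Host part of a link, or None if the URL cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None

def fingerprint(raw_email):
    """Reduce a reported email to (sender address, hosts of the links in it)."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    # Join the text of every non-container part (plain and multipart mail).
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hosts = {link_host(u) for u in URL_RE.findall(body)}
    return sender, tuple(sorted(h for h in hosts if h))

def find_campaigns(reports, min_reporters=2):
    """Return emails that at least `min_reporters` different people reported."""
    reporters = defaultdict(set)
    for reporter, raw_email in reports:
        reporters[fingerprint(raw_email)].add(reporter)
    campaigns = [
        {"sender": sender, "link_hosts": list(hosts), "reporters": sorted(names)}
        for (sender, hosts), names in reporters.items()
        if len(names) >= min_reporters
    ]
    return sorted(campaigns, key=lambda c: len(c["reporters"]), reverse=True)

# Constructed sample data: reserved .test domains, invented staff names.
PHISH = ("From: Finance Team <billing@payments-example.test>\n"
         "Subject: Urgent: confirm donation payout\n\n"
         "Please sign in at https://login.payments-example.test/verify today.\n")
NEWSLETTER = ("From: news@partner-example.test\nSubject: June update\n\n"
              "Read more at https://partner-example.test/june\n")
REPORTS = [("amira", PHISH), ("ben", PHISH), ("carla", NEWSLETTER), ("dev", PHISH)]

if __name__ == "__main__":
    for c in find_campaigns(REPORTS):
        print(c["sender"], c["link_hosts"], "reported by", ", ".join(c["reporters"]))
```

The sender and link hosts it returns are the values to block and to include in the warning sent to the rest of the team.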

Protect your data from loss

Imagine losing all your donor records or financial history. It’s a nightmare scenario, but it’s easily preventable. Set up automated backups for all critical data, including donor information and financial records. Modern cloud storage providers like Google Drive or Dropbox as well as dedicated backup services often automate this process and come with built-in security features.

But simply having backups isn’t enough — you also need a backup recovery process. This means you have a defined plan for restoring your data, and you periodically test your backups to confirm that plan works effectively when you need it most.
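One way to run the periodic restore test described above, as an added example that is not part of the original article: record a SHA-256 manifest when the backup is taken, restore to a scratch folder, and compare. The file names and the `constructed_drill` helper are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            # Reads each file fully into memory; fine for small record sets.
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a test restore against the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(p for p in manifest.keys() & restored.keys()
                            if manifest[p] != restored[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }

def restore_is_good(report):
    """A restore passes only if nothing is missing and nothing changed."""
    return not report["missing"] and not report["corrupted"]

def constructed_drill():
    """Constructed demo: one file is truncated and one is lost in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for folder in (live, restored):
            folder.mkdir()
        for name, data in {"donors.csv": b"id,name\n1,Sample Donor\n",
                           "gifts.csv": b"id,amount\n1,25\n",
                           "notes.txt": b"board minutes\n"}.items():
            (live / name).write_bytes(data)
        manifest = build_manifest(live)  # recorded when the backup runs
        (restored / "donors.csv").write_bytes(b"id,name\n1,Sample Donor\n")
        (restored / "gifts.csv").write_bytes(b"id,amount\n1,2")  # truncated copy
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    report = constructed_drill()
    print(report, "PASS" if restore_is_good(report) else "FAIL")
```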

Prioritize donor data privacy

Protecting your donors’ personal information isn’t just about preventing breaches — it’s also about handling their data with genuine care and respect for their privacy. You might know about the GDPR in the EU, while in the US, many states have their own rules for how organizations should collect, use, and protect personal information. This means your nonprofit needs to be thoughtful about what data you gather, why you’re gathering it, and how you keep it.

Always collect only the data you truly need, keep it for only as long as necessary, and be transparent with your donors about your privacy practices. A clear privacy policy on your website is a must, outlining what data you collect, how you use it, and how donors can request access to or deletion of their information. This responsible approach to collecting and keeping donor data strengthens your overall data security.

Protect your devices and connections

Every device used for work is a potential entry point for attackers. Make sure that all work devices, including those used by volunteers, have antivirus software installed and kept up to date. This software is a basic, yet essential, tool that shields devices from malware, viruses, and other cybersecurity threats.

Staff and volunteers working from home or using public Wi-Fi can significantly benefit from using a virtual private network (VPN). How? A VPN encrypts their internet activity and creates a secure tunnel between their device and the internet, which protects sensitive data from being intercepted by cybercriminals, especially on unsecured networks.

Communicating trust to donors

Cybersecurity doesn’t just protect your nonprofit internally — it’s also a powerful way to reassure donors and build lasting trust. Your commitment to their safety shows how much you value your organization's integrity.

Highlight security practices proactively

On your website, go beyond generic statements and clearly show the security tools and trusted payment processors you use. For example, display the logos of your secure payment gateways. You might also highlight any security badges or certifications your platforms hold. This transparency gives your donors confidence when they support your mission.

It’s also important to help your donors protect themselves. Since your donors might run into fake donation forms and cloned websites, regularly educate your supporters on how to identify your official website and online presence on social media. Encourage them to always check if the URL is correct and to only use links directly from your official website or verified communication. You can include a dedicated section in your FAQ, add a note on your donation page, or send out email reminders with tips on recognizing legitimate donation channels versus scams.
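The URL check recommended above can also be applied by staff when supporters forward links that claim to be your donation page. This is an added example, not part of the original article: it assumes the placeholder domain yourorganization.org, and the function name and sample links are constructed.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "yourorganization.org"  # assumption: placeholder official domain

def check_donation_url(url, official=OFFICIAL_DOMAIN):
    """Return (ok, reason) for a link that claims to be the official donation page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if not host:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "text before '@' hides the real host"
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return False, "internationalized host, possible look-alike characters"
    # Only the exact domain or one of its subdomains counts as official.
    if host == official or host.endswith("." + official):
        return True, "official domain"
    if official in host or official.split(".")[0] in host:
        return False, "official name appears inside a different domain"
    return False, "unrelated domain"

# Constructed sample links using reserved .test domains.
SAMPLES = [
    "https://donate.yourorganization.org/give",
    "http://yourorganization.org/donate",
    "https://yourorganization.org@donate-example.test/give",
    "https://yourorganization.org.donate-example.test/give",
    "https://yourorg\u0430nization.org/donate",  # Cyrillic 'а' in place of Latin 'a'
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_donation_url(link)
        print("OK  " if ok else "FLAG", reason, "|", link)
```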

Be transparent during incidents

While no organization wants to experience a security incident, how you handle one speaks volumes. If a data breach happens, notify affected donors right away. Provide clear, actionable steps the donors can take. For instance, advise them to check their credit card statements for any unusual activity or to update their passwords on other sites if they’ve reused credentials that might have been exposed in the incident.

Owning up to mistakes, explaining the situation, and sharing what you’re doing about it builds credibility and can ultimately salvage donor relationships.

Maintain open lines of communication

Keep the lines of communication open with your donors about all issues, including their security and privacy concerns. Have an easy way for them to reach out with questions or feedback, like a dedicated email address (e.g., security@yourorganization.org) or a clear section on your FAQ page. Being approachable and responsive helps them feel secure and trust you more.

A quick security checklist for nonprofits

To strengthen your nonprofit’s cybersecurity, use this quick checklist — think of it as your cybersecurity ABCs:



Technology grants for nonprofits

Securing your nonprofit doesn’t have to break the bank. You might be surprised to learn that many organizations offer grants specifically for technology.

First, look at government agencies — federal, state, and even local ones. These agencies often want to help nonprofits upgrade their systems and improve how they deliver services.

Then you have foundations. These can be big national names or smaller community groups, and they’re usually a reliable source for getting monetary help to improve your tech infrastructure, including those critical cybersecurity tools.

And don’t forget corporations, especially big tech companies like Google or Microsoft. They often have grant programs to help nonprofits get access to the latest tools as part of their community support efforts.

A great starting point is Grants.gov for federal programs. You can also explore general grant databases like GrantStation, and many tech companies list their specific grant programs right on their own websites.

How NordVPN can help your organization

To do your work safely and effectively, you need to have secure and private online access — no matter where your mission takes you. That’s why the NordVPN for Nonprofits program offers discounted subscriptions and even free VPN licenses to eligible organizations, including human rights advocates and journalists.

By encrypting your online activity, our secure, ultra-fast VPN helps you protect sensitive donor data and communication. It prevents unauthorized interception when you send and receive data, even on unsecured public Wi-Fi. You can apply for the program simply by filling out the form on the NordVPN for nonprofits webpage.

Moving forward

Securing donor data and donations is a big task, but every step you take builds a stronger shield around your vital work. Start by making those practical changes outlined in our checklist. Equip your team with the best tools you can and don’t hesitate to explore technology grants that can help you do even more. When you prioritize cybersecurity, you protect your organization, build donor trust, and ultimately strengthen your mission’s impact.

Disclaimer: NordVPN is not affiliated, associated, authorized, endorsed by, or in any way officially connected with the brands, companies, or platforms mentioned in this blog post.

The use of these names is for informational purposes only and does not imply any form of partnership or sponsorship.



List of references

[1] BBB Wise Giving Alliance. (2024). Donor trust report: Trust and giving attitudes across U.S. regions and religious affiliation. Give.org. https://give.org/news/donor-trust-report-2024-trust-and-giving-attitudes-across-u-s-regions-and-religious-affiliation

[2], [3] CyberPeace Institute. (2023). Analytical report on NGOs serving humanity at risk. https://cyberpeaceinstitute.org/wp-content/uploads/CyberPeace_Analytical%20Report_NGO.pdf

[4] Nonprofit Tech for Good. (2023). Nonprofit tech for good report. https://www.nptechforgood.com/wp-content/uploads/2023/02/Nonprofit-Tech-for-Good-Report-Final2-2023.pdf

[5] Hulshof-Schmidt, R. (2018, November). State of nonprofit cybersecurity. NTEN. https://word.nten.org/wp-content/uploads/2018/11/NTEN-State-of-Nonprofit-Cybersecurity-Report-2018.pdf


Irma Šlekytė

An online privacy enthusiast, Irma approaches her writing about cybersecurity with an "I can help!" attitude. With particular interest in cyber hygiene, she strives to share practical insights with NordVPN readers.