The 2026 outlook: Why cybersecurity matters more than ever for nonprofits

Cybercrime continues to evolve every day. As long as there is money to be made, criminals will find new ways to get it. For nonprofit organizations, the stakes have never been higher. A data breach is not just a data breach anymore. It’s a decline in supporters, lost donor trust, lengthy legal procedures, and a permanent stain on the organization’s online reputation, reminding the stakeholders of its shortcomings. As new cyber threats arise, both small nonprofits and major conglomerates have to find ways to protect their data and operations.

Mar 13, 2026

How nonprofits can improve security in 2026

70 years of cybercrime explained simply 

For a long time, cybercrime was relatively straightforward. The goal was almost always to gain financial information or sensitive data. Now, the tactics have evolved, but the target remains the same. Here are some of the most common methods criminals use: 

  • Password theft. Criminals will try to brute force passwords or buy databases of stolen credentials on the dark web. Because people reuse passwords, gaining access to one account could open many more doors. Guessing simple passwords is also common.
  • Phishing. Many types of phishing, such as vishing or smishing, use social engineering techniques to exploit human psychology. Criminals pretend to be law enforcement officers, social workers, or government employees. They try to persuade the target to visit a fake website and enter their credentials, send money, or click on a link that downloads malware onto the person’s device.
  • Software exploitation. No software or hardware is 100% tamper-proof. Companies try to find vulnerabilities in their software and patch them, but hackers often know about software flaws well before the companies do; such flaws are known as zero-day vulnerabilities. All criminals have to do is find out what software their targets use, look for vulnerabilities, and launch an attack.

These traditional threats are still widespread. Despite their meme status, “Nigerian Prince” scams find victims to this day. Every user has to update software as soon as patches are released, pay attention to whom they talk to online, and use complex passwords for better account security. However, these scams and cyberattacks once required specific technical skills or knowledge of human psychology. To become a criminal, you often needed mentors to learn from and a community to share ideas with. Those barriers have now disappeared. 

How AI is changing the game

Artificial intelligence (AI), or to be more specific, machine learning, is decades old. The problem with AI today is that control is no longer in our hands. Many equate the release of ChatGPT with opening a Pandora’s box. While AI is capable of transforming technology and offering immense benefits, we’ve never had adequate time to assess the risks. 

The result? The same tools that a fifth-grader might be using for math homework, cybercriminals use to write malicious code, craft grammatically correct phishing emails, clone voices, create deceptive images, and carry out attacks. They don’t need to join a secret criminal community or spend years learning — the attacks can be generated with only a few clicks. Let’s look at a few examples of how AI has transformed cyberattacks. 

An example of an AI-generated phishing attack

Let’s say a criminal wants to grab the credentials of subscription service users. They can ask AI to first find available domains that mimic the service’s, like spofify.co or metflix.tv. Then, they can use another prompt to clone the service’s login page design and generate the HTML and CSS code, so the fake website looks exactly like the original. No coding or design skills are required.  

The scammer can obtain user email addresses from the dark web and use AI to write a compelling email, informing users why they need to log in to their accounts. 
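From the defender's side, the lookalike domains described above can be caught mechanically. The following is an added example, not part of the original article: it flags sender domains that sit within a small edit distance of a trusted domain. The trusted list (`spotify.com`, `netflix.com`) is an assumption inferred from the article's lookalikes, and all function names are hypothetical.

```python
# Added example: flag sender domains that imitate a trusted one.
# TRUSTED is an assumed allow-list; replace it with the domains your
# organization really receives mail from.
TRUSTED = ("spotify.com", "netflix.com")
MAX_DISTANCE = 2  # edits tolerated before a name stops counting as a lookalike


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "sptoify" for "spotify".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address, normalized for comparison."""
    return address.rsplit("@", 1)[-1].strip().rstrip(".").lower()


def label(domain: str) -> str:
    """Name just left of the TLD. Simplification: ignores suffixes like co.uk."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify(address: str):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain)."""
    domain = sender_domain(address)
    for good in TRUSTED:
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    for good in TRUSTED:
        # Same or near-identical name on a different domain is suspicious.
        if osa_distance(label(domain), label(good)) <= MAX_DISTANCE:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, using the article's two lookalike domains.
    for sender in ("billing@spofify.co", "info@metflix.tv",
                   "no-reply@spotify.com", "news@example.org"):
        print(sender, classify(sender))
```

This check does not cover homoglyph (internationalized) domains, and an "unknown" result only means the name does not resemble anything on the list.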

An example of using AI in vishing attacks 

While phishing is a catch-all term for deceptive practices online, vishing (voice phishing) is an attack in which the potential victim is targeted by a phone call. It has soared by hundreds of percent in recent years because of how easy it is to clone a voice and accent with AI. All a criminal needs is 30 seconds of the target’s voice.

The attackers can use these voice cloning tools to call finance managers and staff members, pretending to be high-ranking company officials. Criminals could create a sob story about how they lost their phone and urgently need funds or use a variety of other plausible scenarios. What eager manager wouldn’t want to do the CEO a favor?

How nonprofits can fight back

Big organizations with IT departments can do a lot to protect themselves: enforce company-wide password policies and SSO, give employees monitored devices that can be locked remotely, and run phishing simulations to train their employees on how scams work. Small nonprofits usually don’t have the staff or resources for any of that. So what can they do instead? 

  • Train the team. Training can be extremely valuable, no matter how brief. Even if it is just a monthly email with scam examples, it’s still worth sending. Your team members can’t help you protect against threats if they’re not aware they exist. 
  • Establish a “Pause to verify” protocol. Make sure that your team members verify urgent requests, such as financial transactions, through another channel. If the request came via email, make the person call to confirm. 
  • Use a “challenge phrase.” It’s a secret word or question that only finance and leadership teams know. Whenever one of the team members receives a call with a suspicious request, they ask for the phrase. It costs nothing but can be a great defense against voice cloning.
  • Focus on red flags. While scam emails with malicious links may have perfect grammar today, they are almost always either extremely vague or designed to scare you into an immediate response.
  • Promote password manager use. Password reuse is one of the biggest vulnerabilities in account security. Password managers create strong, unique passwords for every account and fill them in automatically, while you only need to remember the master password. 
  • Build a culture of no shame. Promote sharing and support within your team. Even experienced staff can accidentally click on a phishing link. If a team member fears ridicule, they’ll likely hesitate to report security incidents, allowing cyberattacks to spread.
  • Have an incident response plan. People can make lots of mistakes under stress. Prepare an action list in advance. Know who you call, what you shut down, and how you communicate with your donors.

Saulius Griškėnas

Saulius believes that the users can still win the war for privacy online. That's why when he's not writing about cybersecurity, he's scouring the net for privacy tools to find the best ones everyone can use.