The Growing Role of AI in Cybersecurity Risk for Nonprofits Explained

Cybersecurity and AI: Nonprofit Sector and Threats Overview

Cybersecurity risks present a unique challenge in the nonprofit sector. Nonprofits often steward healthcare, financial, and personally identifiable information (PII), donor data, volunteer lists, and beneficiary contact information. Many organizations also accept online gifts and payments, run programs or client-facing services that collect PII, and work with third-party vendors and platforms (frequently on small or entry-level plans). Nonprofits also often rely on volunteers and have small IT teams or outsource security. The resulting combination of limited budgets, complex third-party information flows, public trust, and technology-based touchpoints makes the sector a particularly attractive target for cybercriminals. Add AI-enabled attacks that are faster and more convincing, at the same time as donors, regulators, and grantmakers demand evidence of “reasonable care” around cybersecurity risk, and it’s a powder keg. The questions are: which cybersecurity obligations do nonprofits need to know about? Which threats are changing, and how can nonprofits prepare for them? What first steps make sense even with constrained resources?

Why Nonprofits are Attractive Targets for Cybercriminals

Nonprofits may hold names, addresses, credit card or banking information, and volunteer contact information. In some cases, nonprofit programs also collect client or beneficiary medical information or Social Security numbers. Donations and gifts are often collected online, and nonprofits expose identity-verified information for collection and access through client portals, third-party service platforms, and donation sites. Add cloud service providers and additional vendor platforms, and the number of potential attack vectors grows. With fewer dollars to spend and limited staff, many nonprofits have small IT teams or outsourced security providers. Many small and midsize nonprofits have unmet cybersecurity tool wish lists that include multifactor authentication (MFA) and enterprise patching, and the whole package is an additional barrier to basic cybersecurity hygiene: protections against phishing, account takeovers, ransomware, and insider threats, all of which can directly affect operations and stakeholder trust. Research and reporting consistently show that the majority of nonprofits have no cybersecurity policy or data classification, while the data also shows that rates of attack against nonprofits are increasing.

How AI is Changing Cybersecurity Risk: Threats for Nonprofits

AI-based tools present new wrinkles for traditional cybersecurity threats.

  • AI-facilitated phishing and impersonation. Scammers can use AI to generate personalized emails or text messages that mimic a trusted sender’s tone and language, making credential theft and payment fraud more convincing. In general, AI-fueled and AI-assisted cyberattacks are on the rise and harder to detect.
  • Deepfakes for impersonation. Audio or video deepfakes created with AI can be used to impersonate organization leaders, key influencers, or disaster victims making urgent appeals for contributions. This opens a new frontier for business email compromise (BEC) and other cyber-enabled deception and scams that standard training and assumed attack techniques do not cover. Recent surveys and technology assessments have also found elevated or rising deepfake risk across industry verticals.
  • Automated reconnaissance and exploit development or enhancement. AI can be used to scan networks for open ports and vulnerability indicators, and to generate or optimize exploit code (payloads, hacking tools, etc.) much more rapidly than threat actors could before. This raises overall risk and shrinks the window in which defenders can react and remediate.
  • Synthetic identity and fraudulent traffic creation. AI tools can also generate synthetic donor profiles and fraudulent donation traffic that bypass traditional validation and controls, ultimately corrupting financial records and potentially distorting fundraising performance metrics.

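The fraudulent donation traffic described in the last bullet is usually easier to spot by velocity than transaction by transaction. The following is an added example, not code from the original article or from HALOCK: a small card-testing detector run over constructed donation events, followed by the fundraising totals with and without the flagged traffic. The event format, the thresholds, and all sample values are assumptions a nonprofit would adapt to its own payment platform's data.

```python
# Added example (not from the original article): flag "card testing" bursts,
# i.e. many distinct cards making low-value gifts from one source in a short
# window, then show how excluding them changes reported fundraising totals.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (iso_timestamp, source_ip, card_fingerprint, amount_usd, donor_email)
SAMPLE_EVENTS = [
    ("2025-01-10T12:00:00", "203.0.113.5", "card-01", 1.00, "donor01@example.test"),
    ("2025-01-10T12:00:20", "203.0.113.5", "card-02", 1.00, "donor02@example.test"),
    ("2025-01-10T12:00:40", "203.0.113.5", "card-03", 1.00, "donor03@example.test"),
    ("2025-01-10T12:01:00", "203.0.113.5", "card-04", 1.00, "donor04@example.test"),
    ("2025-01-10T12:01:20", "203.0.113.5", "card-05", 1.00, "donor05@example.test"),
    ("2025-01-10T12:01:40", "203.0.113.5", "card-06", 1.00, "donor06@example.test"),
    ("2025-01-10T12:05:00", "198.51.100.7", "card-77", 50.00, "regular@example.test"),
    ("2025-01-10T12:30:00", "198.51.100.7", "card-77", 25.00, "regular@example.test"),
    ("2025-01-10T13:00:00", "192.0.2.9", "card-88", 2.00, "small@example.test"),
]


def flag_card_testing(events, window_minutes=10, min_distinct_cards=5, max_amount=5.0):
    """Return {source_ip: distinct_cards_seen} for sources that used at least
    min_distinct_cards different cards on low-value gifts inside one sliding window."""
    low_value = defaultdict(list)
    for ts, ip, card, amount, _email in events:
        if amount <= max_amount:
            low_value[ip].append((datetime.fromisoformat(ts), card))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, items in low_value.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits within window_minutes.
            while items[end][0] - items[start][0] > window:
                start += 1
            cards = {card for _, card in items[start:end + 1]}
            if len(cards) >= min_distinct_cards:
                flagged[ip] = max(flagged.get(ip, 0), len(cards))
    return flagged


def clean_metrics(events, flagged):
    """Gift count and total with flagged sources excluded, i.e. the figures
    that should reach the finance team and fundraising dashboards."""
    kept = [e for e in events if e[1] not in flagged]
    return len(kept), sum(e[3] for e in kept)
```

On the constructed data the six one-dollar gifts from 203.0.113.5 are flagged as card testing, and the cleaned totals drop from 9 gifts / $83 to 3 gifts / $77.
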
Key Laws, Standards, and Nonprofit Security Obligations

There are a number of legal and contractual expectations nonprofits should be aware of:

  • HIPAA. If a nonprofit delivers health care or manages protected health information (PHI), HIPAA applies regardless of nonprofit status. Its tiered set of security controls must be followed, and breaches of PHI must be reported.
  • PCI DSS. Nonprofits that accept credit card donations must also follow payment card security standards (PCI DSS). Correct implementation matters, including utilization of tokenization or hosted payment forms, as well as ensuring self-assessments and validation activities are up to date.
  • State privacy laws and FTC action. Most U.S. states now have privacy laws that apply broadly, and the FTC can also take action against nonprofits for unfair or deceptive practices that relate to privacy or security. Documented, reasonable security measures also help demonstrate compliance.
  • Contractual and reporting requirements. Many government grant agreements and private funders add security or reporting requirements to their funding terms. Failing to meet these contractual obligations puts future funding at risk.

Sector-Wide Breaches and Notable Nonprofit Cybersecurity Incidents

Real-world incidents make clear why taking action is important.

  • Welthungerhilfe ransomware attack (2025). Welthungerhilfe, a German humanitarian organization, confirmed a ransomware attack in which attackers gained unauthorized access to its systems, encrypted data and, in some cases, stole supporter data. Systems were taken offline, external IT responders and auditors were engaged, and authorities were notified and involved.
  • International Committee of the Red Cross (ICRC) data breach (2022). Attackers gained access and exfiltrated information about over half a million individuals the Red Cross and Red Crescent movement serves, who were especially vulnerable to trafficking and abuse, illustrating what can happen when beneficiary and program data is accessed by criminals.
  • Ransomware and nonprofit trend reports. Broader ransomware and cyberattack reporting and research show that cybercrime campaigns, as well as targeted attacks driven by business competitors or adversaries, are increasingly aimed at organizations of all sizes and missions, including mission-driven nonprofits that may not have prioritized robust security or had mature policies and training.

Practical, Prioritized Steps Nonprofits Can Take Today

Steps for cybersecurity investment and process improvement do not all require enterprise budgets:

  1. Map your data and vendors. Nonprofits of all types typically manage donor, volunteer, client, and program data, including some personally identifiable or regulated information (health data, etc.). Map first where that data is held, who has access to it, and which third parties handle payments or other personally identifiable or regulated data, so you can narrow your risk footprint.
  2. Pay particular attention to protecting payments and identity. For donation and gift portals, use secure hosted forms and avoid storing card data if possible (tokenization is key). Ensure MFA is enforced on donor-facing portals and financial systems. Maintain up-to-date PCI DSS self-assessments.
  3. Apply the basics. Enabling MFA on privileged accounts and on root or administrative access to servers, keeping systems and operating systems updated and patched, enforcing least-privilege access, and maintaining offline backups (where possible) are all core cybersecurity hygiene practices that reduce common attack vectors.
  4. Harden against AI-enabled scams and business email compromise (BEC). AI-facilitated scams and BEC attacks are especially effective when the ruse is high-stress and time-sensitive (common situations at a nonprofit). Build verification procedures for urgent donation or wire requests, require staff and volunteers to verify such requests by phone or through another secondary channel (rather than replying to the email), and add AI-generated phishing examples to your security awareness training.
  5. Update incident response plans and tabletop exercises. Build out playbooks that cover ransomware, impersonation and deepfake campaigns, and data exposures, and run tabletop scenarios involving deepfakes and AI-generated social engineering.
  6. Strengthen vendor security requirements. Contractually require vulnerability testing, audit/SOC reports, and breach notification timelines for payment platforms, cloud hosts, and other service partners.
  7. Use affordable managed services. Smaller organizations without security teams can still use managed detection and response (MDR), managed backup, and security-as-a-service offerings to get 24/7 monitoring and coverage.
  8. Plan to communicate clearly and transparently with donors. Transparency is important to maintaining donor trust and support if a breach occurs. Be proactive about advising stakeholders how to validate legitimate appeals and protect themselves against impersonation fraud.

Tips for Prioritizing Limited Budgets and Showing Stewardship

  • Secure sensitive financial and beneficiary data first. Focusing first on the attacks and controls that reduce direct financial loss and mission-critical function disruption helps protect a nonprofit’s primary functions.
  • Reduce your overall data holdings. Collecting and storing only the data you need and purging regularly means less data to secure.
  • Backups and response are a good investment. Backups and pre-built incident response playbooks often provide the best return on investment for ransomware and other major cybersecurity incidents.
  • Use shared resources. Participate in sector information-sharing groups, join nonprofit-specific security programs, and apply for cybersecurity grants where available.

Cybersecurity with AI: Final Takeaway for Nonprofits

Nonprofits are not immune to the same kinds of sophisticated attacks leveled against corporations and governments, yet they have fewer resources and face greater mission risk when disrupted. Limited budgets, reliance on shared third-party platforms and tools, large amounts of personally identifiable and regulated information to protect, and high public trust make the sector particularly attractive to cybercriminals and a target for ransomware. AI is also accelerating attack speed and realism, while deepfake risk presents new complications for trust. By taking an inventory of data and vendors, hardening payments and identity, focusing on the basics of cybersecurity hygiene, and preparing for rapid response, even smaller nonprofits can significantly reduce risk, protect donor trust, and help maintain mission continuity. Documented and demonstrable controls and changes matter to donors, grantmakers, and regulators, and in the age of AI, the practical, affordable action you can take today builds resilience for tomorrow.

To manage risk successfully in the age of AI, nonprofit organizations (NPOs) should build reasonable security into their risk strategy.

Establish reasonable security through duty of care.

With HALOCK, organizations can establish a legally defensible security and risk program through Duty of Care Risk Analysis (DoCRA). This balanced approach provides a methodology to achieve reasonable security as the regulations require.
