Security BSides 2025

CyberCAN: A Roadmap for Municipal Support of Nonprofit Cybersecurity

Security BSides San Francisco · 73 views · 40:19 · 10 months ago

This talk presents a research-based analysis of the cybersecurity posture of community-based nonprofit organizations, highlighting their vulnerability to common attacks like phishing and business email compromise. It identifies critical gaps in resource allocation, staffing, and security control implementation, such as the lack of multi-factor authentication. The presentation provides actionable policy recommendations for municipal governments to act as hubs of cyber defense, including the provision of cybersecurity helplines, funding for security tools, and the facilitation of student-led security assessments. The findings emphasize the need for human-centric, accessible security support for organizations that provide essential public services.

Why Your Local Food Bank Is the Next Target for Ransomware

TL;DR: Research from the CyberCAN project reveals that community-based nonprofits lack basic security controls, making them prime targets for financial fraud and data theft. With over 85% of surveyed organizations reporting at least one cyberattack, the reliance on volunteer staff and minimal IT budgets creates a large, unaddressed attack surface. Pentesters and researchers should recognize that these organizations are not just collateral damage but are increasingly the primary focus of attackers seeking sensitive PII and financial gain.

Security researchers often focus on the latest zero-day in a high-profile enterprise product or a complex chain of vulnerabilities in a cloud environment. While those are important, the real-world impact of cybercrime is increasingly felt by the organizations that hold our society together. The CyberCAN project, presented at Security BSides 2025, highlights a stark reality: the nonprofits providing essential services like food, shelter, and legal aid are operating with almost zero defensive depth.

The Reality of the Nonprofit Attack Surface

Attackers do not care about the mission of an organization. They care about the data it holds and the ease with which they can extract value. The research data shows that 85% of surveyed nonprofits have been hit by at least one cyberattack. The most common vectors are exactly what you would expect: phishing and business email compromise.

When an organization has no full-time IT staff, as is the case for over 50% of the nonprofits surveyed, there is effectively no technical barrier to entry for an attacker. These organizations are often using standard SaaS platforms like Google Workspace or Microsoft 365, but they are failing to turn on even the most basic identity and authentication controls those platforms already provide.

The lack of multi-factor authentication (MFA) is the single biggest failure point. In an environment where staff turnover is high and security awareness is low, a single successful phishing campaign can lead to full account takeover. Once an attacker gains access to an email account, they can monitor communications, intercept invoices, and execute Business Email Compromise (BEC) attacks that divert funds directly from the nonprofit’s mission to the attacker’s wallet. One caveat for anyone helping with the rollout: SMS codes and push prompts can be relayed through a real-time phishing proxy, so the goal should be MFA on every account first, and phishing-resistant methods such as FIDO2 security keys or passkeys for finance and administrator roles where the platform supports them.

The Data Goldmine

Beyond direct financial theft, these organizations are sitting on a goldmine of sensitive data. The survey found that 75% of these nonprofits collect social security numbers, and 61% handle sensitive financial information. For an attacker, this is high-value, low-effort data.

Consider the technical flow of a typical compromise in this sector:

  1. Reconnaissance: The attacker identifies the nonprofit’s domain and maps out staff email addresses via public-facing websites or social media.
  2. Initial Access: A spear-phishing email is sent, targeting a volunteer or staff member with a link to a credential harvesting page that mimics the organization's login portal.
  3. Persistence: Once credentials are stolen, the attacker logs in, sets up an inbox rule to forward all incoming mail to an external address (frequently paired with a rule that deletes or hides the forwarded copies so the victim notices nothing), and begins monitoring for financial transactions.
  4. Exfiltration: The attacker scrapes the mailbox for PII, tax documents, and donor lists, which are then sold on dark web forums or used for further identity theft.
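
The persistence step in the chain above leaves a trace that even a volunteer-run tenant can check for. As an added example (not code from the talk or the CyberCAN project), the following Python scans newline-delimited audit records for inbox rules that forward or redirect mail to a domain outside the organization and notes whether the same rule hides the evidence. The sample records are constructed to imitate the shape of Exchange Online unified-audit-log entries; the parameter names ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder and MarkAsRead are real New-InboxRule parameters, while the domain foodbank.example, the addresses and the IP addresses are invented for illustration.

```python
"""Flag inbox rules that forward or redirect mail outside the organization.

Constructed example for this article, not code from the CyberCAN project.
The records below imitate the shape of Exchange Online unified-audit-log
entries for New-InboxRule / Set-InboxRule. The parameter names are real
New-InboxRule parameters; the domain, addresses and IPs are made up.
"""
import json
import re

INTERNAL_DOMAINS = {"foodbank.example"}  # assumption: the nonprofit's own domain(s)

# Rule actions that send a copy of mail elsewhere, or that hide what was taken.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}

# Matches an address inside values like '"payments" [SMTP:payments@example.net]'
# and captures the domain part.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

# Constructed audit records (one JSON object per line); not real telemetry.
SAMPLE_AUDIT_LOG = r"""
{"Operation":"New-InboxRule","UserId":"treasurer@foodbank.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"\"payments\" [SMTP:payments@mail-relay.example.net]"},{"Name":"DeleteMessage","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"volunteer@foodbank.example","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Board minutes"},{"Name":"MoveToFolder","Value":"Board"}]}
{"Operation":"Set-InboxRule","UserId":"director@foodbank.example","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"Invoices"},{"Name":"RedirectTo","Value":"\"ap\" [SMTP:ap@foodbank.example]"}]}
{"Operation":"MailItemsAccessed","UserId":"director@foodbank.example","ClientIP":"203.0.113.7"}
"""


def external_addresses(value):
    """Return the recipient domains in a rule parameter value that are not ours."""
    return [d.lower() for d in EMAIL_RE.findall(value)
            if d.lower() not in INTERNAL_DOMAINS]


def analyse_record(record):
    """Return a finding dict for a suspicious inbox rule, or None if benign."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    externals = []
    for name in FORWARDING_PARAMS & set(params):
        externals.extend(external_addresses(params[name]))
    if not externals:
        return None  # internal redirect or no forwarding at all
    rule_name = params.get("Name") or params.get("Identity", "")
    return {
        "user": record.get("UserId"),
        "client_ip": record.get("ClientIP"),
        "rule_name": rule_name,
        "external_domains": sorted(set(externals)),
        # Forwarding plus delete/move/mark-read is the classic BEC pattern.
        "hides_mail": bool(HIDING_PARAMS & set(params)),
        # Empty or punctuation-only rule names are a common attacker tell.
        "suspicious_name": len(rule_name.strip(". ")) == 0,
    }


def scan_audit_log(text):
    """Parse newline-delimited JSON audit records and return all findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = analyse_record(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(finding)
```

Only the treasurer's rule is reported: it forwards to mail-relay.example.net, deletes the originals, and is named ".". The director's redirect stays internal and the volunteer's move-to-folder rule forwards nothing, so neither is flagged. Against a real tenant the input would be exported audit records (for Microsoft 365, the Search-UnifiedAuditLog cmdlet in Exchange Online PowerShell is one source; Google Workspace keeps comparable Gmail settings-change events), and INTERNAL_DOMAINS should list every domain the organization legitimately owns.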

Why This Matters for Pentesters

If you are conducting a penetration test for a municipal government or a large organization that partners with nonprofits, you are likely missing a massive blind spot. These nonprofits are often connected to the internal networks or shared cloud environments of the larger entities they serve. They are the weak link in the supply chain.

During an engagement, do not just focus on the primary target. Look at the third-party integrations. Are there shared Microsoft Teams channels or guest access permissions that allow a compromised nonprofit account to pivot into the primary organization’s environment? Because these smaller organizations rarely implement even the basic safeguards of the CIS Controls, a foothold in the nonprofit’s tenant is seldom obstructed on its way into the partner’s.

A Path Toward Defense

Defending these organizations requires a shift from complex, enterprise-grade solutions to high-impact, low-cost implementations. The research suggests that the most effective interventions are not expensive tools but human-centric support.

For the security community, this is a call to action. We have the expertise to help. Whether it is volunteering for a Cyber Resilience Corps or simply helping a local nonprofit configure their MFA settings, the impact of our work can be measured in the continuity of the services they provide.

We need to stop treating these organizations as peripheral to the security conversation. They are the front line of our digital society, and they are currently fighting a war with no armor. If you are looking for a way to make a tangible difference, start by looking at the organizations in your own community. They are likely one phishing email away from a disaster that could shut them down for good.

Talk type: research presentation
Difficulty: beginner
Category: policy