
Cybersecurity & Cyber Liability Guidance for Metro Detroit Nonprofits
By MTS Consulting Group | Serving Southfield & Southeast Michigan
While nonprofit leaders are setting goals for impact, fundraising, and stability this year, cybercriminals are setting goals too.
They’re not focused on balance or mission statements.
They’re reviewing what worked last year—and refining their tactics for this one.
And yes, nonprofits across Metro Detroit and Southeast Michigan are on their list.
Not because nonprofits are careless.
But because they’re busy, understaffed, and accountable to boards, donors, and regulators.
Here’s what cybercriminals are planning this year—and how nonprofits can reduce cyber liability exposure before problems start.
Resolution #1: “I Will Send Phishing Emails That Look Completely Real”
Phishing emails no longer look suspicious.
Modern attacks use AI and research to create messages that:
- Match your organization’s tone
- Reference real vendors, donors, or partners
- Avoid urgency and obvious red flags
- Arrive when staff are distracted
January is ideal timing—new grants, onboarding, year-end wrap-up.
A realistic phishing email might say:
“Hi [your name],
I tried sending the updated invoice but it bounced. Can you confirm this is still the correct email for accounting? I’ve attached the revised file.
Thanks,
[Actual vendor name]”
No panic. No threats. Just normal.
How nonprofits reduce risk:
- Train staff to verify requests involving money, credentials, or data
- Use advanced email security that detects impersonation attempts
- Create a culture where pausing to confirm is encouraged
Verification isn’t mistrust—it’s cyber liability protection.
Resolution #2: “I Will Impersonate Your Vendors or Leadership”
This tactic is increasingly effective for nonprofit organizations.
Examples include:
- Fake emails requesting updated payment instructions
- Text messages pretending to be the Executive Director
- Voice calls that sound exactly like leadership
Voice deepfake scams are rising, using publicly available recordings and voicemail greetings.
For nonprofits handling donor funds and grants, one successful impersonation can create financial, legal, and reputational cyber liability.
How nonprofits protect themselves:
- Require callback verification using known phone numbers
- Prohibit payment changes without confirmation through established channels
- Enforce MFA on finance, admin, and donor platforms
These steps significantly reduce fraud risk.
Resolution #3: “I Will Target Nonprofits and Small Organizations First”
Cybercriminals have shifted focus.
Large enterprises improved defenses.
Insurance requirements tightened.
Security teams expanded.
Nonprofits and small organizations remain attractive targets because:
- They manage valuable donor data
- They process payments
- They rely heavily on trust and reputation
- They lack full-time security teams
The belief that “we’re too small to be a target” is one of the most common vulnerabilities attackers exploit.
How to stop being an easy target:
- Implement consistent basics: MFA, patching, tested backups
- Treat cybersecurity as mission protection—not IT overhead
- Partner with a nonprofit-focused MSP that understands cyber liability
Attackers move on when defenses are stronger than expected.
Resolution #4: “I Will Exploit New Hires and Tax Season Confusion”
January brings new staff—and new opportunities for attackers.
New employees:
- Want to help
- Don’t know internal policies yet
- Are unlikely to question authority
Tax season increases risk further:
- Fake W-2 requests
- Payroll phishing
- IRS impersonation scams
One common attack:
“Please send all employee W-2s for a meeting with our accountant.”
If sent, that data enables identity theft and long-term harm to staff—creating legal and regulatory cyber liability for the organization.
How nonprofits stay protected:
- Include cybersecurity awareness in onboarding
- Create written, enforceable policies:
- “We never send W-2s by email.”
- “All payment requests are verified.”
- Praise employees who verify requests—even when legitimate
Prepared teams are a critical security control.
Preventable Beats Recoverable—Every Time
Nonprofits face two cybersecurity paths:
React after an incident:
Downtime, emergency costs, insurance stress, board explanations.
Prevent the incident:
Monitoring, training, clear policies, reduced exposure.
Prevention is quieter—and far less expensive.
You don’t install smoke detectors after a fire.
You install them so the fire never spreads.
How a Nonprofit-Focused IT Partner Ruins a Cybercriminal’s Year
A managed IT and cybersecurity partner helps nonprofits by:
- Monitoring systems 24/7
- Reducing access and credential risk
- Training staff on modern phishing tactics
- Establishing verification policies
- Testing backups for ransomware readiness
- Closing vulnerabilities before attackers exploit them
That’s proactive protection—not crisis response.
Take Your Nonprofit Off Their Target List
Cybercriminals are planning for the year ahead.
They’re counting on organizations being distracted, under-resourced, and unsure of their cyber exposure.
Let’s change that.
Schedule a Discovery Call with MTS Consulting Group, a nonprofit-focused managed IT and cybersecurity provider serving Metro Detroit, Southfield, and Southeast Michigan.
We’ll help you understand:
- Where cyber liability exposure exists
- What matters most right now
- How to reduce risk without overwhelming your team
No fear tactics.
No jargon.
Just clarity.
👉 Schedule your Discovery Call today.
Because the best New Year’s resolution is protecting your mission—before someone else tests your defenses.



