1

Threat Landscape for NGOs

Who attacks NGOs, why, and how to think about your own risk.

4 quiz questions

Why NGOs are targeted

NGOs working in human rights, anti-corruption, humanitarian aid, climate, journalism support, refugee assistance and Web3 for social good operate in some of the most contested information spaces in the world. That visibility makes their data, their staff and their money attractive to a wide range of adversaries.

Attackers include opportunistic cybercriminals (ransomware, business email compromise, crypto theft), state and state-aligned actors interested in sources, evidence and movements, hostile local actors targeting specific programs, and insiders — current or former staff, volunteers or partners with privileged access.

Most common entry points

Targeted phishing emails impersonating donors, partners, banks or grant portals.
Compromised passwords reused across services (credential stuffing).
Malicious documents and links shared via messaging apps or social media.
Lost or stolen laptops and phones without full-disk encryption.
Misconfigured cloud sharing (Drive, Dropbox) exposing beneficiary data.
Crypto-specific: wallet drainers, fake support DMs, and malicious browser extensions.

Threat modeling in 5 questions

Before buying any tools, sit down with your team and answer five questions. The conversation itself is the value.

What do we protect? (Data, money, identities, infrastructure, reputation.)
From whom? (Criminals, state actors, local opponents, insiders.)
How bad would compromise be? (For staff, sources, beneficiaries.)
What is the adversary realistically willing and able to do?
What are we already doing — and what would we change first?

You will not stop a serious state-level adversary on your own. You can, however, raise the cost enough that opportunistic threats and most targeted attacks fail.

A realistic baseline for any NGO

Unique strong passwords in a password manager.
Phishing-resistant 2FA on email, finance and admin systems.
Full-disk encryption on every staff device.
Up-to-date OS and browser, automatic security updates.
Signal (or equivalent) for sensitive conversations.
A written, simple incident response plan.
Access Now Helpline (24/7 digital security support for civil society)Security in a Box (free practical guides)
Next Module