Phishing Simulations for Nonprofits: What Leaders Need to Know Before They Launch One

Your staff are clicking on things they shouldn't, and the odds are good that you don't know it yet. Phishing remains one of the most common initial entry points for data breaches across every sector, and nonprofits are not exempt. Before you invest in phishing simulations for nonprofits, there are a few things worth understanding so the exercise actually changes behavior rather than just generating a report nobody reads.

Why Nonprofits Are a Realistic Target

There’s a persistent myth that cybercriminals focus exclusively on banks and large corporations. In reality, attackers follow opportunity. Nonprofits often hold sensitive donor data, client records, and health information — sometimes all three — while operating with lean IT resources and minimal security budgets. That combination is attractive, not invisible.

A 2023 report from the Nonprofit Technology Enterprise Network found that more than half of surveyed organizations had experienced at least one successful phishing attempt in the previous two years. The damage ranged from compromised email accounts to fraudulent wire transfers initiated through business email compromise schemes. The dollar amounts were real, and in several cases, the losses were unrecoverable.

Understanding that your organization is a plausible target is the prerequisite for everything else. Leaders who treat cybersecurity as a “large organization problem” tend to underinvest in training until after something goes wrong.

What a Phishing Simulation Actually Does

A phishing simulation is a controlled test in which your organization — or a vendor working on your behalf — sends staff a fake phishing email designed to mimic real attack patterns. Employees who click a link, enter credentials, or download a file are flagged, and that data is used to shape subsequent training.

The goal is not to catch people or embarrass them. The goal is to establish a realistic baseline: what percentage of your staff are susceptible, which departments click most, and whether awareness improves over time with repeated testing. Done correctly, simulations move security from an annual compliance checkbox to an ongoing, measurable practice.

Most platforms — KnowBe4, Proofpoint Security Awareness, and Cofense are the most widely used — offer libraries of phishing templates ranging from generic credential harvesting to highly specific spear-phishing scenarios. For nonprofits with smaller teams, even a simple quarterly simulation using one of these platforms can produce meaningful data.

How to Run a Simulation That Actually Changes Behavior

The technical setup of a phishing simulation is straightforward, with one caveat worth checking before the first send: your mail filter and any URL-rewriting or link-scanning feature (Microsoft Defender Safe Links, for example) must be configured to let the simulation platform's messages through. Otherwise you measure your filter rather than your staff, and automated link scanners that follow every URL on delivery will register "clicks" that no person made. The harder part is designing the program around behavior change rather than metrics collection. Here's what that looks like in practice.

Start with leadership buy-in, not leadership exemptions. One of the most common mistakes organizations make is quietly excluding executives from the simulation pool. This almost always backfires. Executives are disproportionately targeted by sophisticated phishing attempts, particularly whaling (spear-phishing aimed at senior leaders) and business email compromise, and excluding them signals to staff that security is something that applies to everyone else. Include the executive director, the CFO, and the board if your platform allows it.

Use the moment of failure as the teaching moment. The most effective simulations deliver immediate, contextual training the second a staff member clicks a simulated phishing link. A brief explainer — two to three minutes, not a forty-five-minute compliance module — that shows exactly what the email should have flagged as suspicious is far more effective than a follow-up email three days later. Platforms like KnowBe4 make this configuration straightforward.

Report results at the organizational level first. When you share simulation results with managers before establishing a culture of psychological safety around mistakes, you create shame rather than learning. Share aggregate results with the full team, then use department-level data internally to target additional support — not discipline.

Frequency, Difficulty, and Measuring Progress

A single phishing simulation tells you where you are. A repeated program tells you whether anything is changing. For most nonprofits, quarterly simulations represent a reasonable starting cadence — frequent enough to maintain awareness, not so frequent that staff become desensitized or resentful.

Difficulty should escalate over time. Early simulations might use obvious tells: a mismatched sender domain, urgent language about a password reset, a generic greeting, a link whose visible text does not match where it actually points. As your click rate drops, introduce more sophisticated templates: emails that mimic your actual software vendors, payroll providers, or grant funders. Spear-phishing scenarios that reference real internal context are harder to spot and more closely resemble what actual attackers do. Two limits apply. Clear any template that impersonates a real vendor or funder with whoever owns that relationship first, so a genuine message from them does not get lost in the confusion. And avoid lures built on bonuses, raises, or layoffs; they reliably produce resentment rather than learning, and a simulation that damages trust costs more than it teaches.
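The "obvious tells" listed above can be checked mechanically, which is a useful way to make the training explainer concrete. The following is an added example, not code from the article or from any simulation vendor: it parses a raw email and lists the tells it finds. The two sample messages, the organization's domains (the hypothetical example-nonprofit.org and its lookalike example-nonprof1t.org) and the phrase lists are constructed assumptions for illustration, not a production detector.

```python
"""Flag the classic phishing tells in a raw, single-part HTML email.

Added example; not code from the article or from any vendor's platform.
Domains, sample messages and phrase lists below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organization treats as its own or as trusted senders.
TRUSTED_DOMAINS = {"example-nonprofit.org", "payroll-vendor.example"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your password", "reset your password")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "dear staff member")
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: a lookalike sender domain, a mismatched Reply-To, a link
# whose visible text differs from its target, urgency, and a generic greeting.
SAMPLE_PHISH = """\
From: IT Support <it-support@example-nonprof1t.org>
Reply-To: helpdesk@mail-relay.example
To: staff@example-nonprofit.org
Subject: Action required: password reset
Content-Type: text/html

<p>Dear Employee,</p>
<p>Your password expires within 24 hours. Please visit
<a href="https://example-nonprof1t.org/reset">https://example-nonprofit.org/reset</a>
to keep your account active.</p>
"""

# Constructed sample of an ordinary internal message, for comparison.
SAMPLE_LEGIT = """\
From: Dana Smith <dana@example-nonprofit.org>
To: staff@example-nonprofit.org
Subject: Board packet
Content-Type: text/html

<p>Hi all, the board packet is on the shared drive:
<a href="https://example-nonprofit.org/drive/board">https://example-nonprofit.org/drive/board</a></p>
"""


def domain_of(url_or_addr: str) -> str:
    """Host of a URL, or domain of an email address, lowercased ("" if absent)."""
    s = url_or_addr.strip().lower()
    if "://" in s:
        host = s.split("://", 1)[1].split("/", 1)[0]
        return host.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port
    return s.rsplit("@", 1)[-1] if "@" in s else ""


def phishing_tells(raw_message: str) -> list:
    """Return human-readable tells found in the message (empty list if none)."""
    msg = message_from_string(raw_message)
    tells = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Tell 1: sender domain is not one we trust (the display name can say anything).
    if from_domain not in TRUSTED_DOMAINS:
        tells.append(f"sender domain {from_domain!r} is not trusted "
                     f"(display name {display_name!r})")
    # Tell 2: replies are routed to a different domain than the visible sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        tells.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    body = msg.get_payload()
    # Tell 3: visible link text shows one domain but the href goes elsewhere.
    for href, text in HREF_RE.findall(body):
        shown = URL_RE.search(TAG_RE.sub("", text))
        if shown and domain_of(shown.group(0)) != domain_of(href):
            tells.append(f"link text shows {domain_of(shown.group(0))!r} "
                         f"but points to {domain_of(href)!r}")
        elif domain_of(href) not in TRUSTED_DOMAINS:
            tells.append(f"link points to untrusted domain {domain_of(href)!r}")

    # Tells 4 and 5: urgent language and a generic greeting in the visible text.
    low = TAG_RE.sub(" ", body).lower()
    tells.extend(f"urgent language: {p!r}" for p in URGENCY_PHRASES if p in low)
    tells.extend(f"generic greeting: {g!r}" for g in GENERIC_GREETINGS if g in low)
    return tells


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(f"{label}: {len(phishing_tells(sample))} tell(s)")
        for t in phishing_tells(sample):
            print("  -", t)
```

Run it and the constructed phish produces five tells while the ordinary internal message produces none; the point for training is that each tell is something a person can see in the mail client without any tooling, which is exactly what the two-minute explainer should walk through.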

The primary metric to track is your click rate: the percentage of recipients who clicked the simulated link. Vendor benchmarks typically put the baseline for organizations without prior simulation training between 25% and 35%, and suggest that organizations running consistent programs can bring that figure under 5% within twelve to eighteen months. Click rate alone can mislead, though. Track the report rate alongside it: the percentage of recipients who reported the message to IT, ideally through a report button in the mail client. A real incident is contained by the first person who reports, not prevented by the last person who clicks, so a rising report rate is the stronger sign that behavior is changing. Track both by department, by role, and over time. That trend line is what matters.
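Computing those rates from a platform export is simple enough to do yourself, and doing so makes two practical points visible: automated link scanners can inflate the click count, and the report rate tells a different story than the click rate. The following is an added example, not the article's or any vendor's code. The CSV is constructed to look like a per-recipient export (one row per person per campaign); its column names, the department names and the 5-second "scanner" threshold are assumptions, the threshold being a heuristic for clicks that arrived faster than a person could plausibly open and read the message.

```python
"""Click rate and report rate from a simulation export, by campaign and by department.

Added example; not code from the article or from any vendor's platform. The export
format, column names and scanner threshold below are assumptions.
"""
import csv
import io
from collections import defaultdict

# Assumption: a "click" registered this soon after delivery is a mail-security
# link scanner following the URL, not a person. Tune to your platform's data.
SCANNER_THRESHOLD_SECONDS = 5.0

# Constructed export: campaign, department, clicked (0/1), reported (0/1),
# seconds from delivery to first click (blank when there was no click).
SAMPLE_EXPORT = """\
campaign,department,clicked,reported,seconds_to_click
2024-Q1,Programs,1,0,2
2024-Q1,Programs,1,0,340
2024-Q1,Programs,0,1,
2024-Q1,Programs,0,0,
2024-Q1,Finance,1,0,95
2024-Q1,Finance,0,0,
2024-Q1,Finance,0,1,
2024-Q1,Development,1,1,600
2024-Q1,Development,1,0,120
2024-Q1,Development,0,0,
2024-Q2,Programs,0,1,
2024-Q2,Programs,1,0,200
2024-Q2,Programs,0,0,
2024-Q2,Programs,0,1,
2024-Q2,Finance,0,0,
2024-Q2,Finance,0,1,
2024-Q2,Finance,0,1,
2024-Q2,Development,1,0,1
2024-Q2,Development,0,1,
2024-Q2,Development,0,0,
"""


def load_rows(export_text: str) -> list:
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(export_text)):
        secs = r["seconds_to_click"]
        rows.append({
            "campaign": r["campaign"],
            "department": r["department"],
            "clicked": r["clicked"] == "1",
            "reported": r["reported"] == "1",
            "seconds_to_click": float(secs) if secs else None,
        })
    return rows


def is_human_click(row: dict) -> bool:
    """A click counts as human unless it happened faster than a person could."""
    if not row["clicked"]:
        return False
    secs = row["seconds_to_click"]
    return secs is None or secs >= SCANNER_THRESHOLD_SECONDS


def rates_by(rows: list, key: str) -> dict:
    """Group by `key` ("campaign" or "department") and return per-group rates.

    click_rate excludes suspected scanner clicks; raw_click_rate keeps them so
    the two can be compared.
    """
    counts = defaultdict(lambda: {"recipients": 0, "clicks": 0, "raw_clicks": 0, "reports": 0})
    for r in rows:
        c = counts[r[key]]
        c["recipients"] += 1
        c["raw_clicks"] += r["clicked"]
        c["clicks"] += is_human_click(r)
        c["reports"] += r["reported"]
    return {
        name: {
            "recipients": c["recipients"],
            "click_rate": c["clicks"] / c["recipients"],
            "raw_click_rate": c["raw_clicks"] / c["recipients"],
            "report_rate": c["reports"] / c["recipients"],
        }
        for name, c in counts.items()
    }


def trend(rows: list) -> list:
    """(campaign, click_rate, report_rate) in campaign order: the line to watch."""
    by_campaign = rates_by(rows, "campaign")
    return [(name, v["click_rate"], v["report_rate"]) for name, v in sorted(by_campaign.items())]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_EXPORT)
    for name, click, report in trend(rows):
        print(f"{name}: click {click:.0%}, report {report:.0%}")
    for dept, v in sorted(rates_by(rows, "department").items()):
        print(f"{dept}: click {v['click_rate']:.0%} (raw {v['raw_click_rate']:.0%}) "
              f"over {v['recipients']} recipients")
```

On the constructed data the raw click rate for the first campaign is 50% but the human click rate is 40%, because one "click" landed two seconds after delivery; the second campaign shows the click rate falling to 10% while the report rate rises from 30% to 50%, which is the shape of a program that is working. Department breakdowns use small denominators in a nonprofit, so read them as a guide for where to offer support, not as a ranking.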

Common Mistakes Nonprofits Make — and How to Avoid Them

Running a phishing simulation poorly can do more harm than running none at all. A few patterns come up repeatedly when organizations come to us after a program that didn’t land.

Treating it as a gotcha exercise. If staff learn about the simulation program through a failed click rather than a transparent conversation with leadership, the psychological effect tends to be defensive rather than educational. Be upfront that simulations are happening and explain why. You’re not trying to catch people — you’re trying to understand organizational risk and close gaps before a real attacker finds them.

No follow-through after the report. Platforms generate detailed reports. Those reports sit in inboxes. Leadership reviews the click rate once, nods, and moves on. The simulation becomes a compliance exercise rather than a behavior-change program. Assign someone — your IT lead, your operations director, your outsourced IT firm — to own the results and drive the next phase of training.

Skipping the policy conversation. A phishing simulation reveals a training gap, but training alone doesn't fully close a security gap. Use simulation results as the catalyst for reviewing your broader email security policies: multi-factor authentication requirements (preferring phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push prompts can be relayed by a phishing site in real time), out-of-band verification of any wire transfer or bank-detail change request (a phone call to a number you already have on file, never one supplied in the email), and what staff should do when they're unsure about an email. Simulation data gives you a concrete, credible reason to have those conversations.

Getting Started Without a Large IT Budget

The cost objection comes up in nearly every conversation we have with nonprofit leaders about security. The honest answer is that phishing simulation tools are more accessible than most organizations assume. KnowBe4 offers nonprofit pricing, and several community foundations and state nonprofit associations have negotiated group rates for their members. Some cyber insurance carriers are beginning to require simulation training as a condition of coverage — which means the cost of not running a program may be rising regardless.

If budget is genuinely constrained, start with Google’s Phishing Quiz or the Anti-Phishing Working Group’s resources as a low-cost way to build baseline awareness before investing in a full platform. That’s a starting point, not a substitute — but it’s better than nothing while you make the case for a real program.

What matters most is that you treat this as a recurring operational commitment rather than a one-time project. Security awareness degrades quickly. Staff turn over. New phishing techniques emerge. A program that runs once and stops is only marginally more useful than no program at all.

If you’re ready to build a phishing simulation program that fits your organization’s size, budget, and risk profile, book a consultation with the Rosably team. We work with nonprofits at every stage of security maturity, and we can help you move from good intentions to a program that actually reduces risk.
