Facebook Exposes Nonprofits to Donors—and Hackers

Facebook is an enormous platform for charitable giving, but some nonprofit leaders say there aren’t enough resources when something goes wrong.

As the founder and director of a nonprofit animal shelter on the East Coast, Alana has spent most of the past decade caring for pets that might otherwise be euthanized. Her work also resonates with people online—the Facebook page for the shelter has more than 1.3 million followers. But in August, she noticed something strange: A series of unfamiliar posts began appearing on the page, and no one at the shelter could say where they were coming from. For several days, Alana and her staff simply deleted them. It didn’t initially occur to Alana that her account may have been breached.

Then, in the early morning hours of August 19, a link to a fraudulent GoFundMe fund-raiser appeared on the shelter’s page, claiming the nonprofit was raising money for pets displaced by wildfires thousands of miles away in California. By the time Alana spotted the fund-raiser, it had already raised around $1,500. She quickly crafted a Facebook post alerting donors that it was fake, but it was useless. “The post was immediately removed,” says Alana, who for privacy reasons requested that her last name and the name of the shelter not be used.

Another staff member soon discovered that a stranger had been added as an administrator to the shelter’s Facebook page nearly two months earlier, silently waiting for the right opportunity to act. In a Facebook Messenger chat, the stranger warned the animal shelter to stop telling people the fund-raiser was bogus. “If I see one more post we will delete the page forever,” he wrote.

Frightened and angry, Alana scrambled to ensure GoFundMe canceled the fund-raiser, which it did. “Our fraud protection measures prevented this individual from gaining access to any of the funds raised. This user has been banned and the money has been refunded to donors,” a spokesperson for GoFundMe said in a statement.

But the incident marked only the beginning of what would become a months-long struggle between Alana and a hacker determined to steal her nonprofit’s donations—by weaponizing Facebook.

Americans gave a record-breaking $410 billion to nonprofits last year, according to Giving USA, an annual report from Indiana University researchers. More people are also donating online, either directly through organizations’ websites or via social media platforms.

Facebook entered the game five years ago when it introduced a simple “Donate” button, which allowed users to send funds directly to a select group of major nonprofits. Since then, charitable giving has become a central part of the social network. The company has developed more tools for both nonprofits and regular users interested in raising money for causes; Facebook notifications encourage people to start fund-raisers for their birthdays. Last year, the company stopped charging nonprofits fees to accept donations (though Facebook still collects a small percentage of the money raised via personal fund-raisers).

As Facebook expanded these features, more nonprofits seized the opportunity to connect with a wider audience of potential donors and people who care about their causes. In the US, any registered 501(c)(3) organization with a bank account can sign up to use the social network’s tools. Today, over one million charitable organizations in 19 countries accept donations on Facebook, according to the company. More than 20 million users have either donated or started a fund-raiser themselves. That’s a fraction of Facebook’s over two billion monthly users, but still represents a significant source of funding for many organizations.

Facebook’s nonprofit efforts have also remained a public relations bright spot for the company while it's been embroiled in one scandal after another since the 2016 US presidential election. And they play right into Mark Zuckerberg’s new mission for the company, to “bring the world closer together.” Last week, for example, Facebook announced that users contributed more than $125 million to nonprofits around the world during its annual Giving Tuesday event, over $80 million more than the year before.

But some nonprofit leaders say Facebook’s decision to prioritize charitable giving hasn’t coincided with an appropriate increase in support for the organizations that use its products.

Alana says she and her staff exhausted all of Facebook’s security recommendations to try to keep their hacker at bay, but he kept reappearing as an administrator on their page, under different, seemingly fake accounts. They turned on two-factor authentication, ran antivirus programs, and switched to a more secure password. Alana says she tried changing her password 30 times in a single day. Eventually, she even bought a new laptop. “We were worried he somehow was logging in with a keystroke program,” she says. Nothing worked. “I would take him off and I would wait 30 minutes, and then here he is again.”

Desperate, Alana reached out to Facebook for help by every method she could imagine. She sent emails, tweets, and even mailed letters to Mark Zuckerberg, Sheryl Sandberg, and the company’s board of directors. She says she also tried contacting the FBI and the Better Business Bureau. Weeks went by before she reached anyone who could help. Finally, on September 29, Alana heard back from someone via Twitter: Guy Rosen, Facebook’s vice president of product management. It was the day after Facebook announced a cybersecurity breach that impacted around 30 million users.

“While this does not seem related to the attack we discovered and announced this week, it's still an awful experience for you and we'll try to sort through this soon,” Rosen wrote to Alana in a follow-up email, which was reviewed by WIRED. (When asked if it's typical for high-level executives to directly contact nonprofits experiencing security issues, Facebook declined to answer on the record.)

Several days later, the hacker evaporated from the animal shelter’s page for good. He had gained repeated access to Alana’s account using a combination of social engineering and malicious phishing links—traps that can be avoided if you’re trained in how to spot them, but not by changing passwords.

After WIRED reached out to Facebook in early October, an employee from the social network’s communications department also contacted Alana to ensure that her account was secure, according to emails. But Alana’s problems weren't over. Numerous fake Facebook accounts soon began appearing that impersonated people who worked for the shelter, or their friends and family. The harassment was exhausting, and it didn't stop until Alana transferred $1,500 to the hacker via an anonymous PayPal account—the same amount the fake GoFundMe had raised before it was shut down and the money returned to donors. Since then, Alana says, she and the shelter's Facebook page have been left alone.

But Alana is still bewildered by how difficult it was to reach a real person at the company. “Facebook needs to have some kind of customer service department,” she says. “PayPal has one, Amazon has one, eBay has one. There is zero reason for them to not have one.”

Facebook says it provides plenty of support.

“With fund-raisers big and small, nonprofits on Facebook are making a lasting difference in communities around the world. Providing these tools to nonprofits and making sure people can safely support the causes that mean a lot to them is important to all of us at Facebook,” John Cantarella, the company’s director for social good and community partnerships, said in an emailed statement. “We offer a number of easy-to-use security features to help protect people’s accounts and nonprofit Pages and make more safety resources readily available to everyone in our Help Center.”

Amanda Lollar also struggled to reach someone at Facebook who could help her after her nonprofit’s page was abruptly shut down.

On October 1, Lollar discovered that a new administrator she didn’t recognize had been added to the Facebook page for Bat World Sanctuary, the Texas-based nonprofit she founded in 1994 to help bats that are injured, mistreated, or orphaned. The next day, she received an email from Facebook saying the page had been removed for “violating our Terms of Use,” which among other things bans pages that are “hateful, threatening, or obscene.” But the email, which was reviewed by WIRED, didn’t specify what exactly landed the page in trouble—and there was no way to appeal the decision.

Lollar began to panic: Bat World Sanctuary’s page, which had more than 240,000 followers, was a major source of funding. She had also recently posted a new video with a call for donations. Facebook can take several days to process funds for nonprofits, and around $800 was still hanging in the balance. Without her page, Lollar had no way to tell supporters on Facebook what was happening—and she didn’t know whether the money would be lost. (Facebook honors a donor’s intent even when a page is taken down, and the company has a form nonprofits can fill out to receive help with donations within 48 hours.)

Lollar tried creating a new Facebook page for Bat World Sanctuary, but the social network initially barred her from using its fund-raising tools. It took a lucky coincidence and Alana’s involvement for help to arrive. After hearing about Bat World Sanctuary’s plight from a Facebook user who followed both pages, Alana connected Lollar with the same Facebook communications representative who had helped her.

It turned out Lollar also lost her page after she or someone from her staff clicked on a malicious phishing link. To get it back, the Facebook communications representative asked Lollar to submit a sworn affidavit confirming her identity and that Bat World Sanctuary’s page belonged to her, as well as a picture of her driver’s license. Only then was Lollar able to get the page restored. (Facebook didn’t specify whether it’s typical for nonprofits to work with communications staff when they experience a security issue.)

Lollar estimates she lost several thousand dollars in potential donations while her nonprofit’s page was down for over a week. For now she’s keeping the backup she created just in case. “I’m afraid something may happen,” she says. “If one page goes, at least we’ll have the other one.”

Experts say that charities are uniquely vulnerable targets online. Collectively, they process millions of dollars in donations, but individual organizations often operate on tight budgets, with limited resources if something goes wrong. Almost 60 percent of nonprofits say they don't provide cybersecurity training to staff on a regular basis, according to a recent survey of 250 nonprofits in the US and Canada by Microsoft and the Nonprofit Technology Network, an organization that helps nonprofits use emerging tech. Almost 70 percent say they don't have a plan in the case of a cybersecurity attack.

“It’s not part of the fabric yet,” says Lauri Goldkind, a professor at Fordham University’s Graduate School of Social Service. “The landscape is changing so rapidly in data security and in cybersecurity that nonprofits would have to have a dedicated person, and that’s a salary.”

Even organizations that do have room in their budget might not want to spend it on hiring another employee. Donors tend to avoid nonprofits that spend higher percentages of their budgets on administration and fund-raising costs. “Often the funding support specifically for more efficient technology isn't matched with the donations being sent specifically for the programs or services,” said a spokesperson for Charity Navigator, an organization that evaluates nonprofits in the US.

Before their Facebook pages were targeted, neither Alana’s nor Lollar’s organization was using two-factor authentication, a basic security protection recommended by most experts. Neither woman recalls being warned by Facebook about potential security risks, even though both pages had large followings and processed significant amounts of money each month. And while Facebook’s Charitable Giving Playbook for Nonprofits “covers all of Facebook’s Charitable Giving tools, and gives instructions and tips to help you use them,” it doesn’t provide any advice about cybersecurity or warn about social engineering or phishing scams that could put nonprofits at risk.

Facebook is “coming forward with a paid advertising model for nonprofits, but that’s it,” says Marcia Stepanek, a lecturer who teaches digital media strategy at Columbia University's Nonprofit Management graduate program. “There’s not a lot of guidance there.”

Despite their negative experiences, however, both Lollar and Alana stress that Facebook has been transformative for their organizations. The platform connected them with a flood of new donors, which translated to far more resources for the animals they are dedicated to helping.

“Because of the revenue, we’ve been able to hire more help here. It’s just been so much easier financially,” Lollar says. “It’s just a wonderful thing for nonprofits. It’s the best thing that ever happened to us.”

