Cyber Basics for Charity Volunteers: A One-Page Training Pack

Cyber Basics for Charity Volunteers: A One-Page Training Pack

Front-of-house volunteers are the face of your charity — welcoming donors, taking payments, and handling sensitive information. That visibility makes them a prime target for phishing and social engineering. This one-page training pack gives busy volunteers a concise, printable checklist and clear actions on phishing, password hygiene, two-factor authentication, and secure handling of donor info.

Why this matters in 2026 (in two quick points)

Late 2025 and early 2026 saw renewed waves of password and account attacks across major platforms, and attackers are increasingly using AI to craft believable phishing messages. For front-of-house teams with limited training time, simple rules and a printed checklist can stop the most common attacks and protect donor trust.

If in doubt: stop, verify, and report. A single click can cost trust and gifts.

How to use this pack

• Print the one-page checklist and place it at tills and volunteer stations.
• Run a 10-minute briefing at the start of each shift using the checklist as your script.
• Track any reported incidents on a simple log and review monthly with your manager.

One-Page Cyber Checklist (printable)

• Phishing — Think Twice Before Clicking
  • Check sender address and look for slight misspellings.
  • Never give card details, passwords, or donor records over email or DM.
  • If a message pressures you to act now, treat it as suspicious.
  • When in doubt, call your manager or the official charity phone number.
• Password Hygiene — Simple Rules
  • Use a password manager for all charity accounts.
  • Create long passphrases (12+ characters) and never reuse passwords.
  • Change passwords immediately if you suspect compromise.
• Two-Factor — Turn It On
  • Enable authenticator app 2FA on all charity accounts. Avoid SMS when possible.
  • Label backup codes and store them securely with the manager.
• Donor Info — Minimal & Secure
  • Collect only what you need: name, contact method, donation amount.
  • Lock paper records in a cabinet; log out of systems when finished.
  • Shred receipts or notes that include card or personal details.
• Devices & Wi‑Fi
  • Use the charity’s secure network, not public Wi‑Fi. For remote work, use the charity VPN.
  • Keep software updated and report strange popups or slowdowns.
• Report & Respond
  • If you click a suspicious link, disconnect the device, tell your manager, and change passwords.
  • Keep a simple incident log with date, time, what happened, and who you told.

Expanded guidance: what volunteers need to know

Recognising phishing in 2026

Phishing remains the most common threat to small charities. In 2026 attackers often use AI to write convincing emails, craft deepfake audio on phone calls, or spoof official-looking receipts. Volunteers should focus on quick checks:

• Look beyond the display name and check the full email address or the sender ID in a DM.
• Hover over links to see the destination. If it doesn’t match the charity’s domain, do not click.
• Be suspicious of urgent payment requests — scammers create fake invoices and pretend to be suppliers or HQ.
• For voice calls asking for account information, hang up and call back on the charity’s known number.

What to do when you spot phishing

• Do not reply, click links, or open attachments.
• Take a screenshot of the message and forward it to your manager or IT contact.
• Quarantine the email using your mail system’s “report phishing” feature if available.
• If you clicked something, disconnect from the network and report immediately. The faster you act, the lower the risk.

Password hygiene that fits volunteer schedules

Volunteers often share devices or use personal phones for quick tasks. Good habits make all the difference and are quick to enforce.

• Adopt a password manager and train volunteers on one shared charity vault if needed. Managers should control access levels.
• Use long passphrases instead of complex hard-to-remember passwords. Example: BlueBobbySale2026! or better, a four-word phrase.
• Never reuse passwords between personal and charity accounts.
• If a volunteer leaves, revoke access to shared accounts immediately and change shared passwords.

Two-factor authentication — the non-negotiable step

Two-factor authentication (2FA) blocks most account takeovers. In 2026, many platforms also support passwordless logins and hardware security keys. For a charity front desk:

• Enable an authenticator app as the first choice (easier and safer than SMS).
• Store backup codes securely with a designated manager in a sealed envelope or encrypted file.
• For shared accounts, use business features that allow centrally managed 2FA rather than sharing codes via chat.

Secure handling of donor information

Donor trust is your charity’s currency. Collect only what you need and treat it as confidential.

• Limit physical paperwork. If you use paper donation forms, keep them locked and shred when finished.
• When processing card donations, follow card terminal best practices: don’t leave terminals unattended and never write full card numbers on paper.
• For donation queries, confirm a donor’s identity before discussing their records. Use a short verification script: “Can I confirm the donation date and amount?”
• Communicate your privacy promise to donors: who sees their data, why it’s needed, and how long you keep it.

Devices, networks and patching

Small shops often rely on a mix of old and new devices. Basic maintenance reduces risk dramatically.

• Enable automatic updates for POS systems, tablets, and PCs where possible.
• Use a separate guest Wi‑Fi for public access and a locked network for staff devices.
• Install reputable endpoint protection on charity-owned devices and keep backups of critical data offsite or in secure cloud storage.

Incident response — a short script for volunteers

Time matters. Here’s a short, repeatable response volunteers can follow if something feels wrong.

1. Stop using the device and disconnect from the network.
2. Record what happened (time, what you clicked, message sender).
3. Tell your manager immediately and forward any suspicious messages/screenshots.
4. Change your password from a different, safe device. Enable 2FA if not already set.

Real-world example (experience)

At a small community shop in 2025 a volunteer opened a realistic-looking email asking for an urgent supplier payment to avoid late fees. The volunteer nearly followed the link, but the printed checklist at the till reminded them to check the sender. They noticed the supplier domain had one wrong character, reported it, and the finance lead prevented a fraudulent bank transfer. This quick habit saved the charity significant funds and morale.

Training formats that stick

Volunteers are busy. Use short, frequent training that fits shifts:

• 10-minute shift briefings using the printed checklist.
• Monthly 20-minute tabletop exercises to walk through a simulated phishing or data mishap.
• One-page wall posters at the front desk with the top three rules: stop, verify, report.
• Assign a volunteer cyber champion to be the first responder and liaison with your IT or HQ.

2026 trends and what front-of-house volunteers should watch for

Understanding the threats helps volunteers spot them faster. Here are the key trends shaping charity cyber risk in 2026 and how to adapt:

• AI-crafted phishing: Hyper-personalised messages make scams more believable. Rely on verification routines, not intuition.
• Deepfake calls: Scammers can mimic voices. Always use call-back policies to known numbers.
• Passwordless and hardware 2FA: As platforms move towards passwordless logins and security keys, prepare by naming an IT contact to manage rollouts.
• Privacy-first donor tools: More charities are using encrypted donation and CRM tools that limit volunteer access. Ask for role-based permissions so volunteers only see what they need.
• Regulatory focus: Data protection regulators continued enforcement in 2025–2026. Minimising collected data reduces compliance risk.

Quick scripts volunteers can use

Scripts reduce hesitation and help maintain professional responses.

• When a donor asks for a receipt with personal details: “I can email that to you. Can you confirm the best email address to send it to?”
• When asked for password or account details: “I’m not able to share or take that information. I’ll ask our admin to handle that and they’ll contact you directly.”
• When a supervisor is unavailable and a caller pressures for payment: “I need to confirm with our manager. I’ll call the number we have on file and put you through if it’s the same.”

Small charity checklist for managers

• Provide the printed one-page checklist to every volunteer and include it in induction packs.
• Use a shared password manager with role-based access and rotate passwords when volunteers change roles.
• Keep an incident log and review it monthly, then update the checklist based on real incidents.
• Invest in a modest budget for endpoint protection, a VPN for remote access, and a hardware 2FA key for high-privilege accounts.

Final checklist to pin at the till (short version)

• Stop — Don’t rush: check sender and link destinations.
• Verify — Call back or ask your manager before sharing data.
• Protect — Use password manager and enable 2FA.
• Secure — Lock paper records and shred unnecessary notes.
• Report — Log incidents and tell your manager immediately.

Closing — your next step right now

Print this page and place the checklist at your front desk. Run a 10-minute shift briefing this week and ask volunteers to practice the short scripts. If you want a ready-built PDF you can brand, visit charityshop.website/training-pack to download a one-page printable version and a short facilitator guide tailored for small shops.

Protecting donor trust is simple when everyone knows the basics. Keep the checklist visible, rehearse responses, and make reporting frictionless — that combination stops most attacks before they start.

Call to action

Download the printable one-page training pack, print it for every shift, and sign up for our monthly volunteer micro-training emails at charityshop.website/training-pack. Start your 10-minute briefing this week and reduce your charity’s risk today.

Related Reading

• How to Budget for an Internship: Phone Plan Choices That Can Save You $1,000
• How Music Creators Can Pitch to New Festival Players in Santa Monica
• Warren Buffett’s Timeless Rules Applied to Gold: Should Value Investors Buy Gold in 2026?
• Centralized Brand Safety: Building an Account-Level Exclusion Workflow for Agencies
• Community Healing After Hate: Lessons from the Guardian's Hope Appeal for Caregivers