FakeBat Scenario: Nonprofit Organization Deception

Heartland Community Foundation: Nonprofit, 50 employees, $12M annual budget, 501(c)(3)
Social Engineering • FakeBat
STAKES
Donor information + Volunteer safety + Program funding + Community trust
HOOK
Volunteer laptops are redirecting donor outreach to lookalike charity portals, pop-up security alerts are pushing fake update tools, and fundraising staff report unfamiliar browser extensions appearing after software installs. Two days before the annual gala, donor communication workflows are unstable and confidence is dropping.
PRESSURE
  • Annual fundraising gala Thursday — system compromise threatens donor confidence and 35% of annual funding
FRONT • 120 minutes • Intermediate
NPCs
  • Margaret Sullivan (Executive Director): Leading nonprofit operations while donor confidence drops ahead of the gala
  • Tom Nakamura (IT Manager): Investigating fake software installs, browser manipulation, and unauthorized persistence on volunteer laptops
  • Diana Watts (Programs Director): Managing donor outreach disruptions while programs depend on successful fundraising
SECRETS
  • Volunteers installed convincing fake security and productivity tools from lookalike nonprofit domains
  • Browser extensions are collecting form data from donor workflows and injecting malicious redirects
  • Shared volunteer endpoints created an easy path for lateral spread through reused credentials

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

FakeBat Nonprofit Organization Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

FakeBat Nonprofit Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • Volunteer computers running slower than normal since yesterday
  • Browsers redirecting to unexpected charity and donation websites
  • Persistent pop-up advertisements appearing during donor outreach tasks
  • Staff mention installing urgent security updates for data protection
  • Help desk reports repeated homepage changes on shared volunteer machines

Key Discovery Paths:

Detective Investigation Leads:

  • Software installation logs show NonprofitSecure_Suite.exe and DonorProtect_Tool.exe deployed on volunteer workstations
  • Process monitoring reveals unfamiliar executables running from temp directories
  • Browser history shows visits to nonprofit-security-tools.org and charity-data-protection.com
  • Registry analysis shows unauthorized browser extensions and homepage modifications to fake charity portals

Protector System Analysis:

  • Memory scans reveal browser hijacking processes modifying web traffic across volunteer systems
  • System performance metrics show hidden processes consuming resources on donor management computers
  • Browser security analysis reveals nonprofit-themed extensions with broad data access permissions
  • Digital signature verification shows the downloaded updates lack valid publisher signatures

Tracker Network Investigation:

  • DNS logs show queries to recently registered domains mimicking nonprofit security services
  • Network traffic analysis reveals connections to advertising and malware distribution servers
  • Browser traffic shows redirected donor searches and injected charity-related advertisements
  • Download source analysis traces fake updates to malvertising workflows targeting nonprofit staff and volunteers

Communicator Stakeholder Interviews:

  • Volunteers report receiving convincing pop-up notifications about nonprofit cybersecurity compliance
  • Leadership reports concern about donor confidence before the fundraising gala
  • Coordinators confirm volunteers have local admin rights on shared productivity endpoints
  • Staff describe fake security warnings appearing while handling sensitive donor workflows
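As an added example (not part of the scenario materials), the kind of triage script the IT Manager could run over the Detective and Tracker telemetry above: it flags unsigned installers launched from user-writable paths and correlates them with DNS queries to recently registered lookalike domains. The log line formats, hostnames and domain-registration dates are constructed assumptions; the file and domain names are the scenario's own.

```python
"""Correlate installer telemetry with DNS logs to flag software-masquerading
indicators on volunteer workstations. Log formats, hosts and dates are constructed."""
import re
from datetime import date

# Constructed install-log lines: "<host> <path> signed=<yes|no> src=<domain>"
INSTALL_LOG = """\
VOL-LAPTOP-03 C:\\Users\\vol\\AppData\\Local\\Temp\\NonprofitSecure_Suite.exe signed=no src=nonprofit-security-tools.org
VOL-LAPTOP-07 C:\\Users\\vol\\Downloads\\DonorProtect_Tool.exe signed=no src=charity-data-protection.com
VOL-LAPTOP-03 C:\\DonorCRM\\update.exe signed=yes src=updates.example-crm.com
"""
# Constructed DNS-log lines: "<host> <queried domain>"
DNS_LOG = """\
VOL-LAPTOP-03 nonprofit-security-tools.org
VOL-LAPTOP-03 updates.example-crm.com
VOL-LAPTOP-07 charity-data-protection.com
VOL-LAPTOP-09 charity-data-protection.com
"""
# Constructed WHOIS-style creation dates; the scenario only says "registered last week".
REGISTERED = {
    "nonprofit-security-tools.org": date(2024, 5, 6),
    "charity-data-protection.com": date(2024, 5, 7),
    "updates.example-crm.com": date(2015, 1, 20),
}
TODAY = date(2024, 5, 13)  # constructed "now" for the exercise
USER_WRITABLE = re.compile(r"\\(Temp|Downloads)\\", re.IGNORECASE)


def triage(install_log, dns_log, registered, today, max_age_days=30):
    """Return {host: [reasons]} for hosts showing masquerading indicators."""
    young = {d for d, reg in registered.items() if (today - reg).days <= max_age_days}
    findings = {}
    for line in install_log.splitlines():
        host, path, signed, src = line.split()
        signed, src = signed.split("=", 1)[1], src.split("=", 1)[1]
        reasons = []
        if signed != "yes":  # the lookalike "security tools" lacked publisher signatures
            reasons.append("unsigned installer " + path.rsplit("\\", 1)[-1])
        if USER_WRITABLE.search(path):  # ran from temp/download dirs, not Program Files
            reasons.append("installer executed from user-writable path")
        if src in young:
            reasons.append("downloaded from recently registered domain " + src)
        if reasons:
            findings.setdefault(host, []).extend(reasons)
    # Hosts that resolved a lookalike domain but have no install record still need a
    # look: logging on volunteer-managed endpoints is limited, so installs may be missed.
    for line in dns_log.splitlines():
        host, domain = line.split()
        if domain in young and host not in findings:
            findings[host] = ["resolved recently registered domain " + domain]
    return findings

if __name__ == "__main__":
    for host, reasons in sorted(triage(INSTALL_LOG, DNS_LOG, REGISTERED, TODAY).items()):
        print(host, "->", "; ".join(reasons))
```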

Mid-Scenario Pressure Points:

  • Hour 2: A major donor calls to confirm gala attendance and asks whether donor data is safe
  • Hour 3: Leadership demands an immediate operational plan for volunteer systems and donor communications
  • Hour 4: A prospective donor questions the organization’s cybersecurity posture after observing browser issues

Evolution Triggers:

  • If containment takes longer than 3 hours, the attacker begins targeting donor CRM authentication flows
  • If browser security is not addressed, malware creates persistent reinfection vectors across volunteer systems
  • If fake software sources are not identified, additional volunteers may install the same malicious tooling

Resolution Pathways:

Technical Success Indicators:

  • Team identifies the software masquerading chain through installer and browser telemetry analysis
  • Browser hardening and software allowlisting prevent future unauthorized installs on volunteer endpoints
  • Credential reset and session revocation block continued donor platform abuse

Business Success Indicators:

  • Fundraising gala proceeds with minimal disruption despite the incident
  • Donor confidence is maintained through clear, accurate communication
  • Volunteer operations continue while malware is removed and systems are stabilized

Learning Success Indicators:

  • Team understands how software masquerading exploits nonprofit resource constraints and trust dynamics
  • Participants recognize why software verification is critical in volunteer-managed environments
  • Group demonstrates balance between operational continuity and cybersecurity controls

Common IM Facilitation Challenges:

If Team Focuses Too Heavily on Technical Details:

“Your technical analysis is strong, but how will you explain current risk to a major donor asking whether gala communications are still safe?”

If Business Stakeholders Are Ignored:

“Leadership needs an answer now: what can be restored before the gala, and what needs a temporary manual workaround?”

If Software Masquerading Is Missed:

“The indicators are clear, but why did volunteers trust these specific security tools at this exact moment before a major fundraising event?”

Success Metrics for Session:

Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the Hook and Initial Symptoms to quickly establish the nonprofit crisis. Present guided clues at 5-minute intervals, then move to predefined responses and a short debrief on trust, phishing-resistant workflows, and software verification.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Add realistic governance pressure and donor communication complexity. Two rounds let the team experience both technical containment and regulatory or oversight decision-making.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players run open investigation and build their own response strategy balancing endpoint security, donor trust, volunteer coordination, and nonprofit governance obligations.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings from legitimate updates and shared workstation noise. Force decision-making with incomplete information and competing mission priorities.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “You discover that volunteer workstations visited nonprofit-security-tools.org and charity-data-protection.com yesterday, then downloaded NonprofitSecure_Suite.exe and DonorProtect_Tool.exe. Both domains were registered last week.”
Clue 2 (Minute 10): “File analysis shows the installers lack valid publisher signatures. Legitimate nonprofit security tools from trusted vendors should be signed and verifiable.”
Clue 3 (Minute 15): “New browser extensions named Nonprofit Data Guard and Charity Security Helper now have permissions to access donor form data and inject redirected links.”

Pre-Defined Response Options

Option A: Remove Malware and Verify Software Sources

  • Action: Uninstall unauthorized software and extensions, remove active malware components, verify approved software sources, and implement install controls for volunteer endpoints.
  • Pros: Removes the active threat and reduces repeat compromise risk.
  • Cons: Takes time and may temporarily disrupt gala preparation workflows.
  • Type Effectiveness: Super effective against Trojan and Downloader behavior.

Option B: Browser Security Hardening for Volunteers

  • Action: Reset affected browsers, remove unauthorized extensions, enforce browser security policies, and lock down extension install permissions.
  • Pros: Quickly reduces visible hijacking and protects donor communication sessions.
  • Cons: Does not fully address deeper endpoint compromise on its own.
  • Type Effectiveness: Moderately effective against Browser Hijacker behavior.

Option C: Block Malicious Infrastructure and Monitor

  • Action: Block known malicious domains and C2 destinations, add DNS and firewall detections, and monitor for new lookalike domains.
  • Pros: Limits reinfection and outbound communications.
  • Cons: Existing compromised hosts still require remediation.
  • Type Effectiveness: Partially effective against Downloader behavior.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Initial Detection and Gala Readiness Crisis (35-40 min)

Time-Stamped Investigation Clues:

  • Minute 5: Multiple volunteer workstations visited suspicious domains and downloaded unsigned installers
  • Minute 8: Memory analysis shows browser injection behavior and unauthorized persistence
  • Minute 12: DNS logs reveal recurring callbacks from volunteer endpoints to ad-tech and malware delivery infrastructure
  • Minute 16: Staff report fake compliance warnings that appeared while processing donor records
  • Minute 20: Browser extensions with donor form permissions are found on shared machines

Pressure Event (Minute 22): “A major donor asks whether the gala communications channel is trustworthy right now and expects an answer before confirming attendance.”

Response Options:

  • Option A: Full volunteer workstation remediation and software verification before gala messaging resumes
  • Option B: Immediate browser containment and staged endpoint cleanup to protect donor communications first
  • Option C: Forensic-first approach for evidence preservation and governance reporting, then remediation

Round 1 Debrief: “How did you balance leadership pressure for event continuity against the time needed for safe technical containment?”

Round 2: Donor Data Exposure and Oversight Decisions (35-45 min)

Evolution Based on Round 1 Choice: Containment progress varies, but deeper telemetry shows credential theft attempts against donor systems and increased scrutiny from governance stakeholders.

Advanced Investigation Clues:

  • Minute 44: Loader behavior indicates credential collection from volunteer endpoints used for donor operations
  • Minute 49: Session and token artifacts suggest attempted reuse against donor management systems
  • Minute 54: Attribution points to malvertising campaigns themed around nonprofit compliance and data protection tools
  • Minute 59: Donor outreach quality drops as trust concerns spread through board and supporter channels

NPC Interaction Priorities:

  • Executive leadership: Preserve donor confidence and protect mission-critical fundraising
  • IT management: Coordinate remediation, containment validation, and evidence capture
  • Programs leadership: Maintain service continuity while donor operations are constrained

Round 2 Debrief: “Which decision most improved trust outcomes: faster communication, stronger containment evidence, or clearer governance alignment?”

Key Learning Objectives (Lunch & Learn)

Technical: Software masquerading, browser injection, credential theft workflows, and practical endpoint containment in low-resource environments.
Business: Donor confidence protection, nonprofit governance pressure, and operational tradeoffs before mission-critical events.
Incident Response: Triage under uncertainty, communication timing, and defensible documentation for oversight bodies.

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game adds open investigation, creative response design, and a third round focused on strategic recovery. Rounds run 35-45 minutes to allow deeper exploration of governance, trust, and sustainable nonprofit security practice.

Round 1: Discovery and Immediate Containment (35-40 min)

Players investigate openly using role capabilities. Key discoveries include malvertising distribution paths, unsigned installers, extension abuse, credential theft indicators, and weak software governance on shared volunteer endpoints.

If the team stalls: “Programs leadership needs a decision now: do we pause donor outreach channels for containment, or continue with manual safeguards while cleanup is still in progress?”

Facilitation questions:

  • “What containment action gives the fastest risk reduction without destroying gala readiness?”
  • “How do you justify your evidence threshold before informing donors that systems are safe again?”
  • “Which role owns final approval for re-enabling volunteer endpoints tied to donor operations?”

Round 1→2 Transition

The team’s initial approach shapes investigation depth, communication credibility, and governance confidence. Regardless of path, the scenario shifts from technical cleanup to oversight-driven decision-making.

Round 2: Oversight, Reporting, and Trust Management (35-40 min)

Cross-functional pressure increases as board members demand defensible evidence of containment and a clear accountability path for donor communications.

Facilitation questions:

  • “Do you prioritize fast donor updates with partial certainty, or delay until validation is complete?”
  • “What is your minimum evidence package for leadership sign-off and external reporting?”
  • “How do you prevent scope creep while maintaining credible forensic rigor?”

Round 2→3 Transition

Immediate technical risk stabilizes, but long-term trust and operating resilience now dominate. The final round focuses on building a sustainable nonprofit security model that can survive staff turnover and budget constraints.

Round 3: Trust Recovery and Security Architecture (40-55 min)

Victory conditions for full 3-round arc:

  • Compromised tooling removed and donor-facing channels restored with verified controls
  • Donor communication handled with consistent, evidence-based messaging
  • Governance obligations documented and met without mission failure
  • Sustainable security practices established for volunteer-driven operations

Debrief Focus

  • How nonprofit mission pressure changes incident prioritization compared to commercial organizations
  • Why software verification and endpoint governance matter most when volunteer endpoints are shared
  • How to align leadership, technical teams, and donor communications under uncertainty
  • How to build resilient security operations with limited budget and rotating staff

Advanced Challenge Materials (150-170 min)

Red Herrings and Misdirection

  1. Legitimate software updates: A real CRM update occurred in the same window, creating overlapping performance symptoms.
  2. Shared endpoint noise: Multiple volunteers used the same laptops, making infection timelines unreliable.
  3. Hosting migration artifacts: Donor portal latency from a hosting change resembles malware-related disruption.
  4. Training overlap: Legitimate data-protection extensions were installed recently and look suspicious during triage.

Removed Resources and Constraints

  • No malware reference guide during gameplay
  • No immediate external incident response retainer
  • Limited logging from volunteer-managed endpoints
  • Board approval required for emergency unplanned spending

Enhanced Pressure

  • Gala logistics timeline compresses by 24 hours
  • A board member pushes enterprise controls that exceed nonprofit operating realities
  • A donor posts publicly about suspicious messages that may be linked to the incident
  • A volunteer coordinator reports unusual sign-ins across shared accounts

Ethical Dilemmas

  1. Mission services vs. security investment: “How do you justify urgent security spending when those funds could support direct community programs this quarter?”
  2. Volunteer accountability: “How do you improve controls without alienating volunteers who acted in good faith?”
  3. Disclosure timing: “What level of uncertainty is acceptable when notifying donors about potential data exposure?”
  4. Public narrative control: “Is it better to confirm the incident early with partial facts, or wait for complete validation and risk appearing opaque?”

Advanced Debrief Topics

  • Practical security governance for nonprofit operations with volunteer-heavy staffing
  • Donor trust dynamics when technical details are uncertain but reputational stakes are immediate
  • How to translate containment evidence into board-level decisions
  • Building repeatable response playbooks that remain usable under resource constraints