FakeBat - Community Outreach Foundation Crisis

Volunteer Technology Under Fundraising Pressure

Malware & Monsters

2025-12-04

Welcome to Malware & Monsters!

What You’re About to Experience

You’re part of Community Outreach Foundation’s volunteer technology team, responding to a security incident days before the organization’s critical annual fundraising gala.

Your Mission

Investigate and contain a malware outbreak affecting volunteer systems while protecting donor information, maintaining community trust, and preserving Thursday’s fundraising event.

Quick Start for Incident Managers

New to facilitating Malware & Monsters? Start here:

IM Quick Start Guide - Everything you need to run this scenario in one concise document

The Hook

Monday Morning, 10:30 AM - Gala Week Begins

Your nonprofit is in final preparation for Thursday’s annual fundraising gala—the event that funds 60% of your community assistance programs serving 500 underserved families.

Then volunteers start reporting problems:

Initial Volunteer Reports

“My computer keeps showing ads when I’m trying to email donors about the gala.”

“I installed that security update popup that said our donor data needed protection—but now everything’s running weird.”

“There’s new software on my computer I don’t remember installing. Something called ‘DataProtect Pro’?”

“The browser keeps redirecting when I try to access our fundraising database.”

Mike’s Discovery

Your IT Volunteer Coordinator investigates and finds:

  • Fake security software installed across multiple volunteer computers
  • Browser hijacking affecting donor communications
  • Persistent advertisements disrupting program coordination
  • Fundraising database access showing unusual behavior patterns

Thursday’s gala is in 72 hours. Your donors, your volunteers, and 500 families depending on your programs are all counting on you.

Organization Context

Community Outreach Foundation: Charitable Mission Under Pressure

Organization Profile

  • Type: Charitable nonprofit serving underserved populations
  • Size: 35 volunteers (15 regular, 20 occasional), 3 paid staff
  • Mission: Food assistance, housing support, job training, family services
  • Impact: Serving 500 families across three-county region
  • Technology: Volunteer-managed systems, donor database, fundraising coordination tools

Current Critical Context

Thursday Fundraising Gala:

  • Importance: Generates 60% of annual program funding ($240,000)
  • Attendees: 200 donors, community partners, local officials
  • Preparations: Final donor outreach, auction coordination, program presentations
  • Volunteer Coordination: 25 volunteers supporting event logistics
  • Community Stakes: Funding directly supports 500 families’ essential services

Nonprofit Technology Environment

  • Volunteer Technology: Non-technical users with diverse skill levels (ages 19-73)
  • IT Support: Part-time volunteer coordinator (Mike) with limited security training
  • Resources: Minimal technology budget, donated equipment, public cloud services
  • Security: Relies on volunteer education and awareness, limited technical controls

Why This Matters

You’re not just fixing computers—you’re protecting community trust that sustains charitable programs serving vulnerable populations. Donors give because they trust you to protect their information while serving the community effectively.

Initial Symptoms

What You’re Seeing - Monday Morning

Browser & System Behavior

  • Redirections: Browsers automatically redirect during donor communications
  • Advertisements: Persistent popups interfering with volunteer productivity
  • Performance Issues: Volunteer computers running slowly
  • Unexpected Software: Unfamiliar programs appearing on systems

Volunteer-Installed Fake Software

Volunteers report installing programs that appeared necessary:

  1. “DataProtect Pro” - Claimed to secure donor information
  2. “SecurityEssentials.exe” - Appeared to be antivirus software
  3. “PrivacyShield” - Promised to protect confidential data
  4. “DonorSafe” - Specifically mentioned nonprofit data protection
  5. “VolunteerProductivity Tools” - Collection of utilities for charitable work

Volunteer Concerns

  • “I thought DataProtect Pro would help us keep donor information safe—did I make a mistake?”
  • “The popup said our donor database was at risk if we didn’t install the security update immediately”
  • “I’m not very good with computers—how do I know what’s safe to install?”
  • “Are our donors’ credit card numbers okay? I’ve been working with the gala donation records”

Fundraising Impact

Rebecca (Development Manager) reports: “I need to finalize auction donor communications this week. If we can’t reliably access our donor database or send professional communications, Thursday’s event could fail. These donors fund our entire assistance program.”

NPCs: Your Key Contacts

People Who Need Your Help

Maria Santos - Executive Director

What They Care About: Community trust, program funding, mission continuity, volunteer safety

Current State: Worried about gala success and donor confidence in nonprofit data protection

Helpful For: Community context, mission priorities, donor relationships, organizational values

Potential Barrier: May prioritize gala proceeding over thorough volunteer system remediation

David Park - Volunteer Coordinator

What They Care About: Volunteer safety and confidence, diverse skill level support, community service effectiveness

Current State: Concerned that volunteers feel responsible for security problems, worried about protecting non-technical volunteers

Helpful For: Volunteer skill assessment, education approaches, coordination logistics, community sensitivities

Potential Barrier: May resist technical solutions that overwhelm volunteers with diverse technology experience

Rebecca Foster - Development Manager

What They Care About: Donor trust, fundraising success, gala preparation, financial sustainability

Current State: Managing gala final preparations, reporting donor security concerns, worried about funding impact

Helpful For: Donor communication strategies, fundraising timeline, financial implications, relationship priorities

Potential Barrier: May pressure for donor non-notification to avoid fundraising damage

Mike Johnson - IT Volunteer Coordinator

What They Care About: System functionality, volunteer technology support, learning nonprofit security

Current State: Part-time volunteer investigating compromise scope, overwhelmed by security incident scale

Helpful For: Technical investigation, system restoration options, volunteer technology architecture

Potential Barrier: Limited security training; is volunteering while between regular jobs; may need guidance on nonprofit-specific approaches

NPC Hidden Agendas

Character Secrets & Development Arcs

Maria Santos - Executive Director

Hidden Agenda: Last year’s gala underperformed—this year must succeed or programs face cuts affecting 500 families

Secret Fear: Donor notification about data security will trigger fundraising collapse, forcing program closures

Character Arc:

  • Initial: “We cannot tell donors about security issues before the gala—it would destroy fundraising”
  • Mid-Game: Realizes transparent handling can strengthen rather than damage community trust
  • Resolution: Understands that protecting donor information demonstrates organizational integrity supporting mission

Roleplay Notes: Start fixated on gala success at any cost, gradually recognize that community trust is foundation of charitable mission

David Park - Volunteer Coordinator

Hidden Agenda: Feels personally responsible for volunteer technology safety—recommended open software installation to support mission flexibility

Secret Guilt: Worried he failed to protect volunteers, especially less tech-savvy community members who trusted his guidance

Character Arc:

  • Initial: Defensive about volunteer access decisions, feels guilty about compromise
  • Mid-Game: Proposes volunteer education program, recognizes safety and flexibility can coexist
  • Resolution: Designs volunteer technology framework that supports diverse skill levels while maintaining security

Roleplay Notes: Transform from guilty and defensive to proactive educator as team demonstrates focus on solution

Rebecca Foster - Development Manager

Hidden Agenda: Major donors have already questioned nonprofit data security practices—breach disclosure could lose key supporters

Secret Knowledge: Three major donors (providing 40% of gala funding) are corporate executives concerned about data protection

Character Arc:

  • Initial: “If we disclose this to donors, we’ll lose the corporate supporters who are our foundation”
  • Mid-Game: Learns that corporate donors value transparent security more than perfection
  • Resolution: Understands demonstrating responsible data protection builds donor confidence

Roleplay Notes: Use her corporate donor knowledge to explore how transparency can strengthen rather than damage professional relationships

Mike Johnson - IT Volunteer Coordinator

Hidden Agenda: Is volunteering while between regular IT jobs and trying to build nonprofit technology experience—worried the security incident will damage his reputation

Secret Pressure: Hoping nonprofit experience leads to paid position or strong reference—fears incident response failure

Character Arc:

  • Initial: Overwhelmed and worried about being blamed for volunteer compromise
  • Mid-Game: Recognizes team support, proposes creative nonprofit security solutions
  • Resolution: Realizes nonprofit security requires different approaches than corporate IT, demonstrates adaptive thinking

Roleplay Notes: Use him to explore nonprofit-specific security challenges and how resource constraints drive creative solutions

The Complete Technical Picture

What’s Really Happening - FakeBat Nonprofit Attack

Attack Timeline

Friday-Sunday (Previous Week): Volunteers working gala preparation, targeted by nonprofit-focused phishing ads

Friday, Various Times: Initial FakeBat installations across volunteer computers via fake security software

Saturday-Sunday: FakeBat establishes browser hijacking, begins donor database reconnaissance

Monday, 8:00 AM: Volunteer reports trigger investigation

Monday, 10:30 AM (Current): Mike confirms multiple volunteer systems compromised

Technical Mechanisms

Initial Access:

  • Attack Vector: Fake security software (DataProtect Pro, SecurityEssentials.exe, PrivacyShield, DonorSafe)
  • Social Engineering: Exploited volunteer desire to protect donor information and charitable mission
  • Delivery Method: Targeted advertisements on nonprofit resource websites, fake security warnings
  • User Behavior: Non-technical volunteers trust “data protection” messaging, install software believing it protects community

Browser Hijacking:

  • Browser homepage modifications to fundraising-themed advertising networks
  • Search engine redirection harvesting nonprofit-related searches
  • Injected advertisements during donor communication work
  • New browser extensions focused on “donation tracking” and “fundraising tools”

Donor Database Reconnaissance:

  • Stage 1 (Completed): Browser monitoring capturing donor database access patterns
  • Stage 2 (In Progress): Keystroke logging targeting donor contact information
  • Stage 3 (Pending Tuesday Evening): Information stealer activation harvesting donor database credentials and saved donor payment information

Data at Risk:

  • Donor Information: Names, contact details, donation history, payment methods
  • Program Beneficiary Data: Family information for 500 served households
  • Volunteer Personal Information: Contact details, availability schedules
  • Fundraising Data: Gala auction items, donor pledges, event coordination

Current Threat Status

Immediate Danger: 12 volunteer systems (out of 35 volunteers) actively compromised with browser hijacking

Escalating Risk: Donor database credentials being harvested through keystroke logging

Critical Threat: Information stealer scheduled to activate Tuesday 8 PM—would harvest complete donor database including payment information 48 hours before gala

Attack Objective: Donor identity theft, credit card fraud, fundraising database manipulation for financial gain
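
A systematic alternative to checking each volunteer machine by hand, as an added example that is not part of the scenario materials: it matches an exported inventory against the fake program names and extension themes listed above, then orders restoration so donor-database systems come first. The inventory format, host and user names, and the approved homepage are constructed assumptions.

```python
from dataclasses import dataclass

# Fake program names reported in this scenario (".exe" is stripped before matching).
FAKE_SOFTWARE = ("dataprotect pro", "securityessentials", "privacyshield",
                 "donorsafe", "volunteerproductivity tools")
# Themes of the unwanted browser extensions described in this scenario.
EXTENSION_THEMES = ("donation tracking", "fundraising tools")
# Assumption: the organization sets one approved browser homepage (placeholder URL).
APPROVED_HOMEPAGE = "https://intranet.example.org/"


@dataclass
class Host:
    name: str
    user: str
    programs: list
    extensions: list
    homepage: str
    donor_db_access: bool = False  # user works directly with the donor database
    gala_critical: bool = False    # system is used for gala coordination


def norm(text):
    """Lowercase, collapse whitespace, and drop a trailing .exe."""
    n = " ".join(text.casefold().split())
    return n[:-4] if n.endswith(".exe") else n


def assess(host):
    """Return (software_hits, browser_hits) for one inventory record."""
    software = [p for p in host.programs
                if any(fake in norm(p) for fake in FAKE_SOFTWARE)]
    browser = [e for e in host.extensions
               if any(theme in norm(e) for theme in EXTENSION_THEMES)]
    if norm(host.homepage).rstrip("/") != norm(APPROVED_HOMEPAGE).rstrip("/"):
        browser.append("homepage: " + host.homepage)
    return software, browser


def restore_priority(host):
    """0 = donor database access, 1 = gala coordination, 2 = everything else."""
    if host.donor_db_access:
        return 0
    return 1 if host.gala_critical else 2


def triage(inventory):
    """Split hosts into compromised (fake software present) and review
    (browser indicators only), and list whose donor credentials to rotate."""
    compromised, review = [], []
    for host in inventory:
        software, browser = assess(host)
        if software:
            compromised.append(host)
        elif browser:
            review.append(host)
    compromised.sort(key=lambda h: (restore_priority(h), h.name))
    flagged = compromised + review
    return {
        "restore_order": [h.name for h in compromised],
        "review": sorted(h.name for h in review),
        # Keystroke logging is in progress, so any flagged host with donor
        # database access means that user's credentials should be rotated.
        "rotate_credentials": sorted({h.user for h in flagged if h.donor_db_access}),
    }


# Constructed sample inventory (not data from the scenario).
SAMPLE_INVENTORY = [
    Host("vol-01", "amy", ["DataProtect Pro 2.1", "LibreOffice"],
         ["Donation Tracking Helper"], "http://ads.invalid/start",
         donor_db_access=True, gala_critical=True),
    Host("vol-02", "ben", ["SecurityEssentials.exe"], [],
         APPROVED_HOMEPAGE, gala_critical=True),
    # A legitimate, similarly named product must not match.
    Host("vol-03", "cara", ["Microsoft Security Essentials", "Zoom"], [],
         APPROVED_HOMEPAGE, donor_db_access=True),
    # Installer no longer listed, but browser changes remain: needs review.
    Host("vol-04", "dev", ["Firefox"], ["Free Fundraising Tools"],
         "http://ads.invalid/start"),
    Host("vol-05", "eli", ["donorsafe"], [], APPROVED_HOMEPAGE),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Name matching only finds the variants already reported, so hosts in the review list still need a closer look before they are treated as clean.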

Investigation Progress Tracking

Session Worksheet - Mark Progress as Team Discovers

Round 1: Discovery Phase

Malmon Identification:

Initial Containment Actions:

Key Discovery: Nonprofit mission focus and volunteer trust in “donor protection” software created infection vector

Round 2: Investigation Phase

Scope Assessment:

Stakeholder Management:

Critical Decision Point: Team must decide between volunteer system restoration vs education priority, donor notification vs silent cleanup, gala proceeding vs postponement

Round 3: Response Phase

Remediation Actions Chosen:

Response Effectiveness:

Outcome Assessment:

Debrief Discussion Points

Technical Learning:

  • How does nonprofit environment differ from corporate IT security?
  • Why is volunteer education more effective than just technical cleanup?
  • What nonprofit-specific malware delivery methods did attackers exploit?

Collaboration Insights:

  • How did team balance gala pressure with donor data protection?
  • What communication strategies worked for volunteer education?
  • How did team manage community trust priorities across different stakeholders?

Reflection Questions:

  • “How do nonprofit resource constraints require different security approaches?”
  • “What would you design for volunteer technology safety with diverse skill levels?”
  • “How can security incident response strengthen rather than damage community trust?”

Type Effectiveness Matrix

FakeBat (Downloader/Social) - Response Effectiveness

Highly Effective (+3 Bonus)

Volunteer Education Program:

  • Teaches diverse skill levels to recognize fake security software
  • Provides nonprofit-specific security guidance
  • Builds ongoing volunteer awareness culture
  • Why Effective: Addresses social engineering vulnerability and volunteer behavior patterns, prevents reinfection

System Restoration:

  • Restores all volunteer computers to clean baseline
  • Implements consistent security configuration
  • Removes all malware variants
  • Why Effective: Downloader requires comprehensive removal across volunteer systems

Moderately Effective (+2 Bonus)

Donor Data Protection:

  • Enhanced monitoring of fundraising database access
  • Credential rotation for donor systems
  • Network segmentation protecting sensitive data
  • Why Effective: Protects critical assets but doesn’t remove malware from volunteer systems

Fundraising System Isolation:

  • Separates donor database from general volunteer network
  • Limits malware lateral movement
  • Protects gala coordination systems
  • Why Effective: Reduces damage scope but doesn’t address existing infection

Somewhat Effective (+1 Bonus)

Antimalware Deployment:

  • Scanning tools detect some FakeBat variants
  • Removes known malware signatures
  • Provides ongoing monitoring
  • Why Effective: Useful supplemental tool but insufficient alone for constantly evolving downloader

Volunteer System Reset:

  • Quickly restores individual volunteer computers
  • Removes immediate infection
  • Gets volunteers working again
  • Why Effective: Addresses immediate problem but without education, reinfection likely

Neutral Effectiveness (No Bonus)

Donor Communication:

  • Transparent notification about potential data exposure
  • Builds trust through honesty
  • Demonstrates organizational integrity
  • Why Neutral: Critical for trust but doesn’t remove malware or prevent reinfection—must combine with technical remediation

Ineffective (-1 or -2 Penalty)

Individual Volunteer Cleanup (-1):

  • Manually removing malware from each volunteer system
  • Inconsistent results across different volunteers
  • Time-intensive with limited IT resources
  • Why Ineffective: 12 affected systems require systematic approach, not individual fixes

Postponing Gala (-2):

  • Delaying fundraising event for extended cleanup
  • Losing donor engagement momentum
  • Damaging community confidence and sponsor commitments
  • Why Ineffective: Event postponement harms mission without significantly improving security outcome—better to restore systems within timeline

Minimizing Donor Risk (-2):

  • Assuming donor data exposure is limited
  • No notification to potentially affected donors
  • Continuing with compromised systems until after gala
  • Why Ineffective: Information stealer Tuesday activation would create confirmed data breach, ethical violation, and potential legal consequences

Facilitator Notes

If team is stuck:

  • Mike can propose volunteer education vs technical-only cleanup trade-offs
  • Maria can share community trust importance and mission impact
  • David can clarify volunteer skill diversity challenges
  • Rebecca can highlight donor relationship primacy

If team rushes to conclusions:

  • Emphasize volunteer skill diversity (“David warns one-size security doesn’t work”)
  • Introduce information stealer Tuesday activation deadline
  • Present donor questioning from Rebecca (“Major donors already asking about data security”)
  • Highlight community trust dependency (“Maria explains nonprofit operates on trust”)

Common mistakes to address:

  • Technical fixes without volunteer education (reinfection inevitable)
  • Silent remediation without donor notification (ethical and legal failure)
  • Gala postponement instead of restoration within timeline
  • Ignoring volunteer skill diversity in security approach

Round 1: Discovery Phase

Investigation & Initial Findings

Starting Information

What Team Knows:

  • Multiple volunteer reports of browser redirects and ads
  • Fake security software installed on volunteer computers
  • 35 total volunteers (15 regular, 20 occasional)
  • Thursday fundraising gala in 72 hours
  • Volunteer-managed technology with diverse skill levels

Available Actions:

  • Interview affected volunteers and staff
  • Analyze fake software behavior and installation sources
  • Check compromise scope across volunteer systems
  • Review donor database access patterns
  • Research nonprofit-targeted malware delivery

Investigation Challenges

Fake Software Analysis (DC 8):

  • Success: Identify FakeBat downloader signatures in fake nonprofit security tools
  • Critical Success: Discover donor-focused targeting, trace delivery to nonprofit resource websites, identify keystroke logging

Volunteer Scope Assessment (DC 10):

  • Success: Confirm 12 volunteer systems compromised through manual checking
  • Critical Success: Map volunteer skill levels affected, understand installation timeline during gala preparation, discover donor database access patterns

Donor Data Review (DC 12):

  • Success: Identify unusual donor database access patterns
  • Critical Success: Discover keystroke logging targeting donor credentials, recognize Tuesday information stealer activation schedule

Key Discovery Moments

The Volunteer Trust Exploitation:

When team investigates how infections spread:

“Volunteers installed ‘DataProtect Pro’ and ‘DonorSafe’ because they wanted to protect the community we serve. The software specifically mentioned nonprofit donor protection. Our volunteers—especially those less comfortable with technology—trust anything that says it will help our mission. That trust is what attackers exploited.”

The Skill Diversity Reality:

When David explains volunteer technology environment:

“Our volunteers range from 19-year-old college students to 73-year-old retirees. Some are IT professionals volunteering their skills; others have never used a computer outside our office. We need security approaches that work for everyone—not just tech-savvy volunteers.”

The Community Trust Stakes:

When Maria explains nonprofit context:

“Our donors don’t give because of sophisticated technology—they give because they trust us to serve the community responsibly while protecting their information. If we lose that trust, we lose the funding that feeds 500 families. This isn’t just about fixing computers; it’s about maintaining the community confidence that makes our mission possible.”

The Malmon Identity:

When team pieces together attack pattern:

“This is FakeBat—a Downloader/Social malmon that exploits nonprofit mission focus and volunteer trust in ‘donor protection’ software to establish browser hijacking, then stages secondary payloads targeting fundraising data.”

Round 1 Conclusion

What Team Should Discover:

  1. Attack Vector: Fake nonprofit security software exploiting donor protection concerns
  2. Malmon Identity: FakeBat (Downloader/Social)
  3. Infection Scope: 12 volunteer systems compromised
  4. Current Activity: Browser hijacking, keystroke logging, donor database reconnaissance
  5. Critical Context: Volunteer skill diversity, community trust dependency, Thursday gala timeline

Stakeholder Reactions:

  • Maria (Executive Director): Worried about gala impact—“We serve 500 families with this funding, we can’t fail”
  • David (Volunteer Coordinator): Feeling responsible for volunteer safety—“I should have taught them better”
  • Rebecca (Development Manager): Concerned about donor confidence—“Major donors are already questioning our data security”
  • Mike (IT Volunteer): Overwhelmed by scope and nonprofit security challenges

Transition to Round 2:

“You’ve identified FakeBat across 12 volunteer systems and understand the nonprofit trust exploitation. But as Mike digs deeper into the malware staging, he discovers something alarming: An information stealer is scheduled to activate Tuesday evening at 8 PM—48 hours before your gala. It’s configured to harvest your complete donor database, including saved payment information. The question now becomes: How do you protect donor data, educate diverse volunteers, and preserve Thursday’s fundraising—all simultaneously?”

Round 2: Investigation Phase

Scope Assessment & Critical Decisions

Expanded Investigation Findings

Information Stealer Discovery:

  • Activation Schedule: Tuesday 8 PM (48 hours before gala, 40 hours from now)
  • Target Data: Complete donor database (names, contact info, donation history, saved payment methods)
  • Harvest Method: Automated credential theft and database exfiltration
  • At-Risk Donors: 800 donors in database, 200 gala attendees

Volunteer System Analysis:

  • Compromised: 12 volunteer systems across diverse skill levels
  • Critical Systems: 5 volunteers work directly with donor database
  • Gala Coordination: 8 volunteers using infected systems for event planning
  • Skill Distribution: Mix of tech-savvy and non-technical volunteers affected

Community Trust Implications:

Rebecca reports: “I just spoke with one of our major corporate donors. He asked directly: ‘How does Community Outreach protect donor data?’ If we have to tell him about a breach before Thursday, he’ll pull his $40,000 sponsorship—and probably influence other corporate donors to do the same.”

Stakeholder Pressure Intensifies

Maria Santos (Executive Director):

“Last year’s gala only raised 75% of our goal. We had to reduce food assistance programming. This year must succeed—500 families depend on it. If we tell donors about security problems and lose corporate sponsors, we’ll have to cut programs when people are already struggling. Can we just fix this quickly and quietly?”

Present choice: Silent remediation protecting gala vs transparent donor notification

David Park (Volunteer Coordinator):

“Our volunteers are community members giving their time to serve others. They feel terrible about installing software that put donor data at risk. Some are ready to quit volunteering. We need to address this in a way that educates rather than blames—but also prevents it from happening again. How do we teach security to volunteers with such different skill levels?”

Present choice: Technical fix only vs comprehensive volunteer education

Rebecca Foster (Development Manager):

“I need to finalize gala communications by Wednesday. If volunteer systems aren’t reliable, I can’t send professional donor outreach. But if we notify donors about potential data exposure before Thursday, we’ll create panic that destroys fundraising. Which matters more—donor data protection or program funding?”

Present choice: Gala communication proceeding vs donor safety notification

Mike Johnson (IT Volunteer):

“I can do quick system restoration on the 12 affected volunteers—have them clean by Tuesday morning. Or I can build a comprehensive volunteer education program and implement better security controls, but that takes until after the gala. We need to decide: Fast fix for the event, or thorough fix for long-term safety?”

Present choice: Emergency restoration vs comprehensive volunteer security program

The Tuesday Deadline

Critical Timeline Update:

“It’s now Monday, 2:00 PM—30 hours until information stealer activation. Your options:

Option A: Emergency Restoration (18 hours)

  • Restore all 12 volunteer systems by Tuesday morning
  • Implement temporary donor database isolation
  • Gala proceeds normally but no volunteer education
  • High reinfection risk post-event

Option B: Comprehensive Security Program (4 days)

  • Complete volunteer system restoration + education program
  • Donor database security enhancement
  • Volunteer technology safety training for all skill levels
  • Gala postponed to following week

Option C: Hybrid Approach (2.5 days)

  • Emergency restoration for gala-critical systems (Tuesday morning)
  • Information stealer prevention across all systems
  • Donor notification with transparency about protection measures
  • Post-gala volunteer education implementation (Friday-Monday)
  • Enhanced monitoring through Thursday event

“Which approach balances donor protection, volunteer education, community trust, and mission continuity?”

Investigation Challenges

Information Stealer Analysis (DC 12):

  • Success: Identify activation timeline and target data scope
  • Critical Success: Discover prevention methods, map donor exposure risk precisely, understand attack infrastructure

Volunteer Education Design (DC 15):

  • Success: Design security training appropriate for diverse skill levels
  • Critical Success: Create ongoing volunteer technology safety program that maintains mission flexibility while improving security

Stakeholder Communication (DC 20):

  • Success: Gain agreement on balanced approach across competing priorities
  • Critical Success: Position security response as strengthening community trust and demonstrating organizational integrity

Round 2 Conclusion

What Team Must Decide:

  1. Restoration Strategy: Emergency vs comprehensive vs hybrid approach
  2. Donor Notification: Transparent vs delayed vs silent
  3. Volunteer Education: Immediate vs post-gala vs technical-only
  4. Gala Decision: Proceed vs postpone vs modify

The Central Tension:

Nonprofit mission focus created volunteer trust vulnerability—now that same mission pressure tempts team to prioritize gala over donor data protection and volunteer education.

Transition to Round 3:

“You have complete technical information about FakeBat’s timeline and impact. The question now is: What kind of nonprofit do you want to be? One that protects its community through transparent, responsible data handling? Or one that prioritizes single events over the trust relationships that sustain your mission?”

Round 3: Response Phase

Critical Response Decision

The Situation

Technical Status:

  • FakeBat downloader on 12 volunteer systems
  • Keystroke logging harvesting donor database credentials
  • Information stealer activating Tuesday 8 PM (30 hours)
  • 800 donors in database, 200 Thursday gala attendees
  • Diverse volunteer skill levels (19-73 years old, varying technical abilities)

Stakeholder Positions:

  • Maria (Executive Director): Wants gala success—500 families depend on program funding
  • David (Volunteer Coordinator): Advocates volunteer education for diverse skill levels
  • Rebecca (Development Manager): Worried donor notification will destroy corporate sponsorships
  • Mike (IT Volunteer): Proposes emergency restoration vs comprehensive program trade-offs

Timeline Pressure:

  • Information stealer activation: 30 hours
  • Wednesday donor communications deadline: 42 hours
  • Thursday gala: 72 hours
  • Current time: Monday 2:00 PM

Response Option Paths

Path A: Community Trust Priority (Comprehensive Response)

Actions:

  • Immediate donor notification about potential data exposure (Monday evening)
  • Complete volunteer system restoration (Tuesday)
  • Information stealer prevention across all systems
  • Comprehensive volunteer education program launch
  • Gala postponed one week with transparent sponsor communication
  • Enhanced donor database security implementation

Consequences:

  • Some donors appreciate transparency, corporate sponsors respect integrity
  • Gala proceeds following week with strengthened community trust foundation
  • Volunteer education prevents reinfection
  • Short-term fundraising impact offset by long-term trust building
  • Outcome: Programs temporarily reduced but sustainable community trust established, organizational integrity demonstrated

Type Effectiveness: Volunteer Education +3, System Restoration +3, Donor Data Protection +2

DC Requirements: Donor communication (DC 20), Volunteer education design (DC 15), Sponsor negotiation (DC 18)

Path B: Balanced Mission Approach (Hybrid Response)

Actions:

  • Emergency restoration of gala-critical volunteer systems (Tuesday morning)
  • Information stealer prevention deployment across all systems
  • Targeted donor notification (those whose information was actively accessed)
  • Gala proceeds Thursday with enhanced security monitoring
  • Comprehensive volunteer education implemented Friday-Monday post-gala
  • Donor database security enhancement ongoing

Consequences:

  • Gala proceeds successfully with protected systems
  • Targeted donors notified responsibly before data theft
  • Volunteer education begins immediately after event
  • Community trust maintained through balanced transparency
  • Outcome: Mission continuity with responsible data protection, volunteer safety addressed systematically

Type Effectiveness: System Restoration +3, Donor Data Protection +2, Volunteer Education +3 (post-gala), Fundraising System Isolation +2

DC Requirements: Emergency restoration (DC 12), Targeted communication (DC 15), Volunteer education (DC 15)

Path C: Event Priority (Minimal Response)

Actions:

  • Quick malware removal on affected systems
  • No donor notification to avoid fundraising panic
  • Gala proceeds normally Thursday
  • Delayed comprehensive cleanup until after event
  • Information stealer activates Tuesday 8 PM (accepted risk)

Consequences:

  • Information stealer harvests complete donor database Tuesday evening
  • 800 donor payment methods and personal data stolen
  • Data breach notification required post-gala
  • Major donors discover nondisclosure, pull future support
  • Volunteer reinfection occurs within weeks
  • Community trust destroyed when breach becomes public
  • Outcome: Gala revenue obtained but organizational integrity damaged, donor relationships collapsed, programs face closure from lost trust

Type Effectiveness: Individual Cleanup -1, Minimizing Donor Risk -2, Postponing Education -2 (ineffective approaches compound failure)

DC Requirements: All DCs increased +5 due to data breach aftermath, trust collapse, potential nonprofit closure

Response Execution Challenges

Volunteer System Restoration (DC 12 for emergency, DC 15 for comprehensive):

  • Success: All volunteer systems restored to clean baseline with appropriate security
  • Failure: Incomplete cleanup leaves information stealer active, donor data stolen

Donor Notification (DC 15 for targeted, DC 20 for complete):

  • Success: Transparent communication maintains donor trust despite security incident
  • Failure: Poor communication creates panic, or a perceived cover-up damages trust

Volunteer Education Design (DC 15):

  • Success: Education program works for diverse skill levels, builds ongoing safety culture
  • Failure: Training that is too technical alienates volunteers, or training that is too simple fails to prevent reinfection

Community Trust Management (DC 20):

  • Success: Response demonstrates organizational integrity, strengthening donor relationships
  • Failure: Response is perceived as prioritizing the event over donor safety, and trust collapses

Outcome Determination

Victory Conditions Met:

  1. FakeBat completely removed from all volunteer systems
  2. Donor information protected from information stealer
  3. Gala proceeds (possibly modified) successfully
  4. Volunteer education prevents reinfection
  5. Community trust maintained or strengthened

Partial Success:

  • Malware removed but volunteers not educated (reinfection likely)
  • Gala successful but trust damaged by delayed donor notification
  • Complete cleanup but organizational credibility harmed by event cancellation

Failure:

  • Information stealer activates, donor data stolen
  • Data breach notification reveals nondisclosure
  • Major donors withdraw support citing trust violation
  • Volunteer morale collapses from blame culture
  • Programs face closure from funding loss and damaged community relationships

Round 3 Conclusion

Success Narrative Example (Path A or B):

“By Tuesday morning, all volunteer systems are restored with enhanced security. You’ve notified affected donors about the security incident and your proactive protection measures. Most donors appreciate the transparency—several corporate sponsors specifically commend your responsible data handling.

“Thursday’s gala proceeds (or is rescheduled with sponsor support) with strengthened community trust. During donor speeches, several attendees mention appreciating an organization that prioritizes their safety. One major donor increases their contribution, citing ‘the integrity Community Outreach demonstrated by being transparent about challenges.’

“Over the following week, you implement comprehensive volunteer education designed for diverse skill levels. Volunteers feel supported rather than blamed. The nonprofit becomes known as the charitable organization that chose community trust over short-term convenience—exactly the values donors want to support.”

Failure Narrative Example (Path C):

“The gala proceeds successfully Thursday—you raise $240,000. But Tuesday evening, the information stealer harvested your complete donor database. By Friday, donors report fraudulent charges using their Community Outreach saved payment methods.

“When your required data breach notification reveals you knew about the risk but chose not to warn donors, your major corporate sponsors withdraw support publicly. Local media covers ‘Nonprofit prioritized fundraising over donor data protection.’ Within two weeks, donors file complaints, volunteers resign, and the board faces crisis management.

“The $240,000 raised becomes $240,000 owed in legal costs and notification requirements. Community Outreach—built on 15 years of trust—faces closure because one decision prioritized a single event over the community relationships sustaining your mission.”

Debrief Framework

Learning Consolidation & Reflection

Technical Debrief

What Just Happened (Technical Summary):

  1. Attack Vector: Fake nonprofit security software exploiting donor protection concerns and volunteer mission focus
  2. Malmon Behavior: FakeBat downloader established browser hijacking and keystroke logging, and staged an information stealer
  3. Volunteer Context: Diverse skill levels (ages 19-73, varying technical abilities) required tailored security approaches
  4. Detection Method: Volunteer reports led to discovery, volunteer education became primary prevention
  5. Response Challenge: Balancing emergency restoration with comprehensive volunteer education under gala timeline pressure

Type Effectiveness Review:

  • Why Volunteer Education +3? Addresses social engineering root cause and diverse skill levels, prevents reinfection
  • Why System Restoration +3? Downloader requires complete removal across volunteer systems
  • Why Individual Cleanup -1? 12 systems with diverse volunteers require a systematic approach

Technical Learning Question:

“How would you design nonprofit technology security that supports volunteer mission flexibility while protecting donor data across diverse skill levels?”

Collaboration Debrief

Stakeholder Management Review:

  • Maria (Executive Director): How did mission pressure affect security decisions? What changed her perspective on community trust priority?
  • David (Volunteer Coordinator): What volunteer education approaches addressed skill diversity? How did the team transform guilt into proactive safety?
  • Rebecca (Development Manager): How did the team balance donor relationships with data protection? What communication strategies maintained trust?
  • Mike (IT Volunteer): What nonprofit-specific security challenges emerged? How did resource constraints drive creative solutions?

Communication Strategies:

  • What worked for donor notification while maintaining fundraising relationships?
  • How did the team design volunteer education for the 19-73 age range and diverse technical abilities?
  • What approaches positioned security as strengthening rather than threatening mission?

Collaboration Learning Question:

“How does nonprofit community trust dependency require different incident response approaches than corporate reputation management? What unique challenges does volunteer technology create?”

Reflection & Real-World Connection

Scenario Themes:

  1. Community Trust Dependency: How charitable mission operates on donor confidence requiring transparent data protection
  2. Volunteer Technology Diversity: How non-technical users with varying skills need tailored security education
  3. Resource-Limited Security: How nonprofit constraints drive creative approaches prioritizing education over expensive technical controls

Personal Reflection Questions:

  • “Have you seen mission pressure override responsible data protection in organizations? How did you navigate that tension?”
  • “How would you design security education for diverse user populations in your workplace?”
  • “What surprised you about nonprofit security challenges compared to corporate IT environments?”

Real-World Context:

  • Nonprofits operate on community trust sustained through transparent, responsible practices
  • Volunteer technology environments require education-focused security, not just technical controls
  • Resource constraints drive creative approaches (education more sustainable than expensive tools)
  • Charitable mission focus can create exploitable urgency that bypasses security judgment

Facilitator Self-Reflection

Session Assessment:

  • Pacing: Did community trust themes emerge naturally?
  • NPC Development: Did characters demonstrate realistic nonprofit mission vs security tension?
  • Challenge Balance: Were DCs appropriate for volunteer diversity complexity?
  • Learning Moments: What insights about community trust and volunteer education emerged organically?

Adaptation Notes for Next Time:

  • Easier: Reduce volunteer count, extend gala timeline, simplify donor data complexity
  • Harder: Add confirmed donor fraud cases, include media investigation, expand to program beneficiary impact
  • Industry variations: Religious organization (congregation trust), advocacy group (supporter protection), educational foundation (student privacy)

Victory Celebration

If Team Succeeded:

Acknowledge specific excellent decisions:

  • “Choosing volunteer education alongside technical fixes showed excellent understanding that nonprofit security requires behavior change, not just malware removal.”
  • “Communicating transparently with donors about data protection demonstrated the community trust values that sustain charitable missions.”
  • “Designing security approaches for diverse volunteer skill levels showed mature understanding of nonprofit technology challenges.”

What This Victory Means:

“You protected 800 donors from identity theft. You demonstrated that nonprofit organizations can prioritize community data protection even under fundraising pressure. You showed volunteers that security supports mission rather than restricts it. Community Outreach Foundation will be known as the nonprofit that chose donor safety over event convenience—exactly the organizational integrity that builds sustainable community trust.”

Thank You for Playing!

Continue the Adventure

Share Your Experience

  • Feedback: How did this scenario work for your team? Share with us
  • Customization: Adapted this scenario for religious organization, advocacy group, or educational foundation? We’d love to hear about it!

Explore More Scenarios

  • FakeBat Small Business: Limited resource constraints and operational pressure
  • FakeBat Gaming Cafe: Public customer systems and mass-scale remediation
  • FakeBat Coworking: Shared workspace security across multiple organizations

Keep Learning

May your community trust remain strong and your mission continue serving those in need!