British Charity Loses Over $1m in Domain Spoofing Scam

A British community housing charity was conned out of more than $1m in a domain spoofing and contractor impersonation scam.

Red Kite Community Housing announced on Tuesday that it had fallen victim to a cyber-scam in which criminals posed as genuine service providers to steal a staggering £932,000.

In a statement issued on January 28, Red Kite described the heavy financial loss as "absolutely galling."

The charity described how criminals not only spoofed the domain of a genuine contractor but also sent emails to Red Kite that appeared to be from contacts who had already won the charity's trust. 

Detailing how the criminals got the better of the charity, Red Kite wrote: "What they managed to do was to expose a weakness using sophistication and human nature to carry out the theft of this money.

"In essence, they mimicked the domain and email details of known contacts that were providing services to Red Kite. Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation."

Unfortunately, a payment verification process put in place to prevent fraudulent transactions proved ineffective when the error it flagged was not actioned.

Red Kite wrote: "We still had an additional safety net in place; a two-stage process to verify changes to payments and accounts which ordinarily would have caught this attempt.

"This, however, proved to be our weak point, with an error being made by the clear process not been actioned, resulting in a missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved."

The con was carried out in late August 2019 and is still under investigation by the police. As a result of the incident, Red Kite's governance rating has been downgraded by the Regulator of Social Housing (RSH). 

In a regulatory judgement made public last week, the RSH wrote that Red Kite experienced "a significant financial loss as a result of a fraud due to a basic failure in its system of internal controls" and urged the charity to make improvements.

Red Kite, which is based in the southeastern county of Buckinghamshire, owns and manages around 6,500 homes across the town of High Wycombe.