A leading children’s charity was conned into sending $1m to a fraudster’s bank account this year, in another example of the dangers of Business Email Compromise (BEC).
Save the Children Federation, the US outpost of the world-famous British non-profit, revealed the incident in a recent filing with the IRS, according to the Boston Globe.
The attacker managed to access an employee’s email account and from there sent fake invoices and other documents designed to trick the organization into sending the money.
According to the report, the hacker pretended the money was needed to pay for health center solar panels in Pakistan. It was a well-researched ruse given the charity has had a base there for decades.
By the time it was realized the transfer was a scam, the money had already been deposited in a Japanese bank account, although the non-profit managed to recover all but $112,000 thanks to its insurance policy.
The charity said it has improved its security processes since. It was hit a second time by an email scam after a vendor’s email account was hacked and an impersonator requested the charity send money to a new bank account in Africa. Fortunately, the $9210 payment was reportedly recovered in time.
Javvad Malik, security advocate at AlienVault, said such attacks are increasingly commonplace.
“Because these are standard emails, there is little that [security] technologies can do to detect them. Therefore, raising user awareness is vital so they are less likely to fall victim to such attacks,” he said.
“Also, companies should have a two-person check process in place so that one person can't make a new payment without a colleague verifying the authenticity of the payment.”
According to the FBI, over $12.5bn was lost to BEC between October 2013 and May 2018.
UK government findings from earlier this year revealed that nearly three-quarters (73%) of charities with annual incomes over £5m had suffered a cyber-attack or breach over the previous 12 months.