Scammers tricked Save the Children Federation, a well-known U.S. charity, into sending them approximately one million dollars.
As reported by The Boston Globe, digital attackers compromised the email account of a Save the Children Federation employee sometime in 2017. They then abused that access to issue a series of fake invoices and documents designed to trick the charity into sending one million dollars to a fraudulent entity in Japan. The scammers explained that the money would help outfit health centers in Pakistan with solar panels.
The organization didn't spot the fraud in time to stop the transfer. But with the help of insurance, it was able to recover all but $112,000.
Save the Children Federation suffered what's known as a business email compromise (BEC) scam. In this type of ruse, a digital attacker seizes control of a business email account and then leverages that access for secondary attacks. In some cases, they issue fraudulent wire transfer requests, but in other instances, they request personally identifiable information (PII) or W-2 forms for employees.
According to the FBI's Internet Crime Complaint Center (IC3), organizations filed 78,617 reports of BEC incidents in the United States and abroad between October 2013 and May 2018. These attacks cost victims a collective total of $12.5 billion and leveraged various techniques, including gift card fraud.
After discovering the incident in 2017, Save the Children Federation strengthened its computer systems and adopted several security measures designed to prevent BEC scams. It began enforcing a policy where an employee must verify new vendors and bank account instructions via phone, for instance.
Stacy Brandom, chief financial officer of Save the Children Federation, says that these and other changes will help protect the charity going forward. As she told The Boston Globe:
We have improved our security measures to help ensure this does not happen again. Fortunately, through insurance, we were ultimately reimbursed for most of the funds.