Two recent reports have highlighted cybercriminals’ targeting of charitable institutions for cyberfraud schemes. On December 14, The Register reported that the Save the Children Federation disclosed to the U.S. Internal Revenue Service (IRS) that in 2017 it had lost nearly $1 million to a cyberfraud scheme. According to the IRS Form 990 tax return that Save the Children filed in August 2018,
IN APRIL 2017, AN UNKNOWN CRIMINAL HACKER OR HACKERS POSING AS A SAVE THE CHILDREN EMPLOYEE FRAUDULENTLY INDUCED THE ORGANIZATION TO TRANSFER $997,400 TO AN ENTITY IN JAPAN ON THE FALSE PRETEXT THAT THE FUNDS WERE NEEDED TO PURCHASE SOLAR PANELS FOR HEALTH CENTERS IN PAKISTAN. BY THE TIME THAT THE FRAUD WAS DISCOVERED, IN MAY 2017, THE TRANSFERRED FUNDS COULD NOT BE RECALLED, BUT SAVE THE CHILDREN WAS SUBSEQUENTLY ABLE TO RECOVER $885,784 FROM ITS INSURANCE CARRIERS TO MITIGATE THE FINANCIAL LOSS. IN ADDITION, SAVE THE CHILDREN COORDINATED WITH THE FBI, AND THROUGH THEM, JAPANESE LAW ENFORCEMENT TO ASSIST IN CRIMINAL INVESTIGATIONS RELATED TO THIS INCIDENT, AND WE HAVE TAKEN STEPS INTERNALLY TO STRENGTHEN CYBERSECURITY AND OTHER PROCESSES TO PREVENT CYBERFRAUD.
IN A SEPARATE INCIDENT, SAVE THE CHILDREN WAS PROVIDED WITH FALSE BANK ACCOUNT INFORMATION FOR A VENDOR, RESULTING IN A DIVERSION OF $9,210 TO AN ACCOUNT IN BENIN. FORTUNATELY, THIS DIVERSION WAS DISCOVERED IN TIME FOR SAVE THE CHILDREN’S BANK TO RECALL $9,090 OF THE FUNDS FROM BENIN, RESULTING IN A LOSS OF ONLY $120.
On December 19, The Times reported that the Wellcome Trust, a major funder of medical and other scientific research in the United Kingdom, disclosed details of two phishing attacks in its 2018 Annual Report. The technique in this case was a classic spear-phishing attack: four Trust senior executives received emails that purported to be from a colleague, but opening the emails enabled criminals to have access to their emails for a number of months. While the attacks reportedly did not result in financial losses, the Trust reported the breaches to the United Kingdom Information Commissioner’s Office and Charity Comission and stated that it was taking a number of mitigating actions
for this and other kinds of cyber threats.
Note: Information-security and compliance officers at nonprofit or charitable institutions of any kind should take note of these reports, and use them to educate senior officials and employees at their institutions about the willingness of cybercriminals – some of them the agents of North Korea and other state actors — to extort or defraud them, and in the process to risk causing them potentially costly damage.
Some people in the charitable and nonprofit sector might think that their organizations are unlikely to be targeted by cybercrime schemes, because their organizations are not profitmaking and are dedicated to helping others. In fact, various cybercriminals have shown that they are indifferent to the charitable or beneficial purposes of an organization in conducting their cyberfraud or cyberextortion schemes. If criminals are willing to inflict ransomware attacks on health-care entities, universities, and state and local governments to extort money from them, and as a consequence risk paralyzing critical operations at those institutions, foundations and charitable causes should not assume either that they are exempt from cyberattacks or that none of their counterparts are similarly being targeted. As Save the Children and the Wellcome Trust have learned, for some cybercriminals the road to wealth is paved with good intentions.