Save the Children, a U.S.-based non-profit organisation that supports children worldwide, has revealed that it fell victim to a sophisticated email scam carried out by hackers. According to the Boston Globe’s report last week, the scammers gained access to the email account of an employee in the U.S. office. Using that account, they posed as the employee and created fake invoices and documents to convince the organisation to pay USD $997,400 to a fraudulent entity in Japan. To make the scam more convincing, the invoices were said to be for the purchase of solar panels for health centres in Pakistan, a country where Save the Children has worked for decades.
The attack was a form of social engineering known as a Business Email Compromise (BEC) scam. In such scams, the attacker impersonates an employee or executive, often from a compromised or spoofed email account, and manipulates another employee or a customer into making a payment or sharing confidential information.
When the fraud was discovered in May 2017, Save the Children worked with the FBI and Japanese law enforcement to investigate the incident. By then it was too late: the funds had already been transferred. Fortunately, with the help of insurance, the organisation recovered all but USD $111,616 of the stolen money.
This sort of social engineering attack has been on the rise. According to the FBI, identified exposed losses from such scams rose by 136 percent between December 2016 and May 2018, with victims reported in 150 countries. A high-profile Nigeria-based group known as Gold Galleon attempted to steal at least USD $3.9 million over seven months by intercepting business transactions conducted over email with companies in multiple countries.
Since the attack, Save the Children’s Chief Financial Officer, Stacy Brandom, has said that the organisation has taken preventive measures to improve its cybersecurity and to assure the public that it will not happen again. It is not the first non-profit to fall victim to cybercrime: the Make-A-Wish Foundation’s website was infected with crypto-mining malware in November last year.
Organisations can advise their employees to take the following steps to avoid falling for such scams.
- Take precautions when opening email attachments, especially from unknown senders
- Be suspicious of email requests for password changes or financial information, and verify them out of band (for example by phoning a known number) before acting
- Do not follow URLs in suspicious emails
- Secure work devices with up-to-date anti-virus software, firewalls and email filters
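The "email filters" in the list above can catch many BEC attempts before a person ever reads them. The script below is an added example, not code from the article or from Save the Children, showing four common BEC indicators checked against parsed message headers: a Reply-To that differs from the visible sender, a lookalike sender domain, an employee's display name on an external address, and payment-related language. The internal domain `example.org`, the staff directory, the keyword list and the two sample messages are all constructed for the example.

```python
"""Heuristic BEC indicators on parsed email headers (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"                        # assumed internal domain
INTERNAL_STAFF = {"jane doe": "jane.doe@example.org"}  # constructed staff directory
PAYMENT_WORDS = ("invoice", "wire", "bank details", "payment", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    """Return a list of human-readable flags; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []

    # 1. Replies are silently redirected to an address the reader never sees.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    # 2. Sender domain is within two edits of our own but is not our own.
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike domain: {from_domain}")

    # 3. Display name matches a real employee but the address does not.
    known = INTERNAL_STAFF.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append(f"display-name impersonation: '{from_name}' from {from_addr}")

    # 4. Subject or body asks for money, bank details or urgency.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in PAYMENT_WORDS if w in text]
    if hits:
        flags.append("payment language: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.org>
Reply-To: jane.doe@mail-secure-invoices.com
To: finance@example.org
Subject: URGENT: updated invoice for solar panels

Please wire the attached invoice to the new bank details today.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.org>
To: finance@example.org
Subject: Lunch on Friday?

Are you free Friday?
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, bec_indicators(sample) or "no indicators")
```

Running it flags the first message four times and the second not at all. The caveat that matters for this article: in the Save the Children case the attackers used the employee's real account, so the From header was genuine and checks 1 to 3 would not have fired. Header heuristics reduce noise from spoofing and lookalike domains, but a change in a vendor's bank details still needs to be confirmed through a channel other than the email that requested it.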
Written by: Liwen