Save the Children Foundation duped by hackers into paying out $1 million

The fraudsters broke into an email account to launch an elaborate scheme designed to scam the charity.
Written by Charlie Osborne, Contributing Writer

Save the Children Foundation has revealed that the charity was targeted by fraudsters last year, leading to the loss of $1 million.

Speaking to the Boston Globe, the US arm of the non-profit, which supports children worldwide, said that con artists managed to compromise an employee's email account in order to masquerade as the staff member in question.

Once access was gained to the account, the hackers behind the scam created a number of false invoices and related documents which described a need to purchase solar panels for health centers located in Pakistan.

The Connecticut-based charity organization fell for the ruse, conducted in May 2017, and approved the transfer of close to $1 million to an entity in Japan which was used as a front to rake in the proceeds.

By the time the foundation realized the invoice was false, it was too late and the money was gone.

The publication says that Save the Children possessed insurance which covered close to all of the lost funds, and in the end, the charity only lost $112,000.

CNET: Iran-linked hackers reportedly targeted activists and US officials

"We have improved our security measures to help ensure this does not happen again," Stacy Brandom, the chief financial officer of Save the Children told the Globe. "Fortunately, through insurance, we were ultimately reimbursed for most of the funds."

TechRepublic: 15 skills you need to be a whitehat hacker and make up to $145K per year

The scammers targeting the charity appeared to follow the rules of Business Email Compromise (BEC) attacks almost to the letter. These campaigns have a number of steps -- compromise a business email account via brute-force hacking or social engineering; pretend to be a legitimate staff member, and lure another individual to approve false invoices or fraudulent payments.

The FBI has previously warned that December 2016 and May 2018, there was a 136 percent increase in BEC scams, reported across 150 countries. Ill-gotten funds are often sent to entities in Asia and billions of dollars have been lost.

See also: Former Mt. Gox CEO could face 10 years behind bars in embezzlement case

In February, IBM said a single BEC scam originating in Nigeria led to the loss of millions of dollars belonging to Fortune 500 companies.

These types of scams are incredibly common and it can be difficult to track down the fraudsters responsible, who may be located in any country in the world. However, on rare occasion, a BEC scam artist is taken to task for their actions.

In September, a man from Nigeria was ordered to pay $2.5 million and serve five years in prison for conducting a variety of BEC scams against enterprise companies. Prosecutors estimate that the con artist defrauded victims out of hundreds of millions of dollars.

Affordable: Top tech, gadgets for under $100

Previous and related coverage

Editorial standards