Save the Children charity lost £800,000 to sophisticated BEC scam
14 December 2018
Well-known U.S.-based charity Save the Children Foundation lost as much as £800,000 to a clever business email compromise scam (BEC) last year after a hacker hacked into an employee’s email account and defrauded the charity into sending the funds to a fraudulent entity in Japan.
After gaining access to the employee’s email account, the yet-to-be-identified hackers created false invoices and fake documents to convince Save the Children Foundation to release as much as £800,000 in funds for the procurement of solar panels for health centres in Pakistan where the foundation operated for many years.
The hackers defrauded the foundation by providing it with bank account details of a fraudulent entity in Japan and by the time the fraud was unearthed in May this year, the funds had already been transferred. Save the Children has since strengthened its security to prevent the occurrence of similar attacks in future.
“We have improved our security measures to help ensure this does not happen again. Fortunately, through insurance, we were ultimately reimbursed for most of the funds,” said Stacy Brandom, chief financial officer of Save the Children Federation to Boston Globe.
Such e-mail compromise scams are quite widespread and are financially quite lucrative for malicious actors as many targeted victims fail to spot fraudulent emails or documents and trust all communications received via e-mail or texts, believing that such messages have been shared by colleagues, bosses, or vendors.
In December last year, an Australian millionaire lost $1 million to an e-mail scam after hackers impersonated him and tricked one of his account managers to transfer the sum to an account held by a British man.
Christine Campbell, who managed one of John Kahlbetzer, the Australian millionaire’s accounts, received an e-mail from him asking her to transfer $1 million from his account to one David Aldridge, a British citizen. Kahlbetzer was on Forbes’ list of Australia’s 50 richest people and had a net worth of $950 million when the fraud took place.
Campbell, who regularly received such e-mails from Kahlbetzer, complied. However, it later turned out that the sender of the e-mail wasn’t Kahlbetzer himself but an impersonator who made the e-mail look like it came from him.
“Often overlooked by information security providers, impersonation attacks are an easy and effective way to gain trust through a combination of social engineering and technical means. The only way to remain safe is to be cyber resilient. Businesses must help employees with role-specific behavioural conditioning and smarter email security technologies, to ensure they are vigilant and well equipped to report unusual activity,” said Steve Malone, Cyber Resilience Expert at Mimecast.
Major rise in the frequency of BEC scams
Earlier this month, security firm Agari revealed that a Nigeria-based cyber crime group called London Blue was preparing to launch spear-phishing attacks on more than 50,000 corporate executives, including 35,000 CFOs at firms based in the U.S., the UK, Spain, the Netherlands, Finland and Mexico.
The targeted executives are working at among the largest multinational corporations, several of the world’s biggest banks, large mortgage companies, and other small and medium companies across the globe, with over half of them being based in the United States.
“London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules),” the firm noted.