Save the Children Charity Org Scammed for Almost $1 Million

If certain crooks have some sort of moral compass that keeps them away from certain victims, others ditch such boundaries for the right amount of money. A perpetrator from the latter category was able to fool the charitable organization Save the Children into misdirecting close to $1million.

The scam occurred in May 2017 but remained unknown to the larger audience until today. It was a matter of creating false payment documents and sending them to people authorized to make money transfers from an email account belonging to someone working for the organization.

Typical business email compromise fraud

Close to $1 million was sent this way to an entity in Japan, allegedly for purchasing solar panels for health centers in Pakistan, a country where Save the Children has been present for over 30 years.

Stopping the money wire was no longer possible by the time the organization learned about the fraudulent activity. However, the entity was able to get most of the money through insurance, losing $112,000.

There are no details about how the cybercriminal was able to take control of a Save the Children employee's inbox, but this type of incidents is so common that it has its own name: business email compromise (BEC) scam; the above scenario is typical of this type of fraud.

BEC fraud is a lucrative activity

An announcement from the FBI in July reported that BEC scams between June 2016 and May 2018 impacted over 19,000 victims in the US and caused them losses of more than $1.6 billion.

The fraud was uncovered by data journalist and investigative reporter Todd Wallack of the Boston Globe. He found it after going through the organization's annual filing of the 990 form (Return of Organization Exempt From Income Tax) with the IRS (Internal Revenue Service).

Since information in 990 forms is now available in electronic format, Wallack used a Python tool to download them and identify the reports with a major "diversion of assets."

So I wrote a program a while ago to download all the 990s and flag ones that reported a major "diversion of assets." https://t.co/htF7fEoTCy

— Todd Wallack (@TWallack) December 13, 2018

Save the Children is not the first charity hit by cybercriminal activity. In November, BleepingComputer reported that the Make-A-Wish website was compromised by a cryptojacking campaign.

The attack leveraged the Drupalgeddon 2 security bug the 'worldwish.org' website was vulnerable to.