The Boston Globe

Hackers fooled Save the Children into sending $1 million to a phony account

Save the Children Federation, one of the country’s best-known charities, said it was the victim of a $1 million cyberscam last year.

The Connecticut-based nonprofit said hackers broke into a worker’s e-mail, posed as an employee, and created false invoices and other documents, to fool the charity into sending nearly $1 million to a fraudulent entity in Japan. The con artists claimed the money was needed to purchase solar panels for health centers in Pakistan, where Save the Children has worked for more than 30 years.

By the time the nonprofit realized it had been defrauded, it was too late to stop the transfer. But Save the Children Federation, the US affiliate of the international relief organization, said it recouped all but $112,000 through insurance and tightened its security after discovering the theft in May 2017, according to a recent filing with the Internal Revenue Service.

“We have improved our security measures to help ensure this does not happen again,” said Stacy Brandom, chief financial officer of Save the Children Federation. “Fortunately, through insurance, we were ultimately reimbursed for most of the funds.”

In a separate incident, the charity reported that it was provided with a false bank account in Africa for a vendor whose e-mail had been hacked, causing the charity to mistakenly send $9,210 to the hacker’s account instead of the real one. In that case, the fraud was discovered in time for Save the Children to recover almost all of its money.

Experts say a growing number of organizations around the globe, including charities, businesses, and individuals, have been victimized by hackers who have cracked e-mail to fool people into making fraudulent bank transfers.

“I’ve seen this happen so many times in my career, it kills me,” said Scott Augenbaum, a former FBI agent who has written a forthcoming book titled “The Secret to Cybersecurity.” “I’ve seen millions of dollars worth of fraud.”

In 2016, the FBI issued a bulletin warning about a surge in reports of businesses that regularly make wire transfers being defrauded after someone cracked their e-mail. The FBI said there had been reports of the scam in all 50 states and 100 countries, costing billions of dollars worldwide.

Earlier this month, Cape Cod Community College told employees that hackers had stolen $800,000 after infiltrating the college’s bank accounts through a “phishing” scheme.

The Massachusetts Clean Energy Center lost nearly $94,000 last year after hackers obtained access to a worker’s e-mail through a phishing attack and then, posing as the employee, authorized a fraudulent wire transfer. The quasi-public agency said it has since recovered more than one-quarter of the funds and revamped its security.

And the American Museum of Natural History in New York City reported that it lost $2.8 million after an employee fell for an e-mail scam in 2015. Earlier this year, the Globe reported the museum was among more than 1,100 nonprofits that told the IRS they had suffered a major diversion of assets since 2011.

Augenbaum said it is increasingly common for hackers to try to get access to someone’s e-mail account and then use that information to fool people into wiring money to a phony account.

In one variation of the scam, hackers have broken into accounts for real estate brokers and then fooled homeowners into wiring their down payments to a fraudulent account.

Sandy Ross, an accountant and fraud examiner, said that most large nonprofits and businesses have procedures to prevent such scams, such as having a second person sign off on significant wire transfers and calling the recipient to verify the account numbers. In all but one instance Ross could recall, she said, the attacks have “been thwarted.”

“This happens on a regular basis,” said Ross, a partner with the accounting firm KLR in Boston.

Save the Children Federation, also known as Save the Children US, has since adopted similar measures, including making sure someone confirms all new vendors and bank account instructions via phone, as well as strengthening its technology systems. The organization handles dozens of wire transfers a year worth more than $1 million.

Another accountant, Richard Locastro, said cyberscams are an issue for all sorts of organizations.

“These schemes are getting pretty sophisticated,” said Locastro, a partner with Gelman, Rosenberg and Freedman in Bethesda, Md. “I think anybody could be vulnerable. It happens to accounting firms. It happens to law firms. It happens to charities.”


Todd Wallack can be reached at twallack@globe.com. Follow him on Twitter @twallack.