A Fright at the Museum

NYC’s Museum of Natural History loses almost $3 million in ‘phishing’ incident

An email phishing scam apparently hooked an employee of the American Museum of Natural History (AMNH) last year, resulting in an “erroneous” wire transfer of almost $3 million.

The Manhattan museum reported on its Internal Revenue Service (IRS) Form 990 that in May 2015 it became aware of a “diversion of assets” through an email phishing incident that resulted in the erroneous transfer. The 2015 information form was filed this past May.

The incident was initially reported to law enforcement and the appropriate museum trustees, and subsequently reported to the museum’s executive committee and the full audit committee, according to disclosures on the Form 990. An internal analysis conducted by the museum showed no other loss from the event.

The amount of the diversion was $2.826 million and the museum reported on its Form 990 that it continues to seek restitution. “After a thorough internal and external investigation, no malice was found on the part of the employee who effected the transfer, and it was determined that the individual believed the email instructions were authentic. The individual is no longer employed at the museum.”

There is nothing more the institution can disclose outside of what’s included in the Form 990 “as the museum continues to seek restitution,” a spokesman said.

The American Museum of Natural History is among the largest nonprofits in New York City, reporting total revenue of almost $284 million last year, including $205 million in contributions and grants.

Nonprofits have become prime targets for phishing, in part, because criminals know that they spend less money on IT security than for-profits. They’re perceived as “easier preys,” according to Jean-Louis Écochard, vice president and chief information officer for The Nature Conservancy (TNC) New Zealand.

TNC typically reports in the neighborhood of $1 billion in annual revenue, so it’s no wonder that the organization has had its own run-ins with scammers in recent years. With more than 800 offices and work in 69 countries, security is a very complex job.

Last year, a staff member at The Nature Conservancy’s Australia program clicked a link and, minutes later, the machine and all the data on the server that the program needed to work were encrypted. A ransom was demanded in cash.

“It was devastating to program staff who became instantly paralyzed from doing their work,” Écochard said via email. By the next morning, however, everyone was back to normal. They simply restored backup data and no ransom was paid.

“We learned that backups matter more than people think,” Écochard said. “Backups are like electricity. We complain about the bill and don’t realize the value until it is missing and we’re in the dark,” he said. “We also learned that backups that allow fast restore from the cloud are essential to speed up getting back to work.”

Calling a company to post backups overnight would have meant being incapacitated for a few days. Storage is cheap, Écochard said, suggesting nonprofits should use it to quickly restore data in case it’s locked by criminals.

One of the reasons why they prefer the “ignore-the-request-and-restore approach,” he said, was that once the data are decrypted, reasonable security procedures would advise not to trust the recovered information until thoroughly analyzed and scrubbed for malware. “This may mean putting the data under quarantine for a few days, further expanding the office downtime,” Écochard said.

Écochard recalled another incident that occurred a few years ago at the Arlington, Va., headquarters. An executive, following a campaign of awareness about malware, received in the mail a thumb drive from a party to a lawsuit said to contain evidence to be presented in court. “Instead of falling prey to the seduction of curiosity,” Écochard said they took the drive to security staff.

“The drive was plugged into a throwaway machine designed for this and seconds later, it was wiped out and crippled” by a virus on the flash drive.

“We learned that awareness campaigns matter because they make people behave differently — more suspicious — and have continued with them as part of on-boarding staff and interns. We only have one IT policy — security — to make all of our staff aware that protecting our digital assets is their responsibility,” Écochard said.

“We expect to be a victim (even if we don’t know it yet) and thus prepare to deal with it, looking for patterns, planning response,” Écochard said. “We know it’s not a case of if, it’s a case of when, and when is now.”

Beth Givens, executive director of the Privacy Rights Clearinghouse (PRC), agreed that training is vital to avoid falling victim to any type of computer- or email-related scam.

“The message that should be delivered to all staff is that these phishing scams are becoming much more effective and if you ever receive an email asking for access to sensitive organizational information that appears to be from your superior, be very skeptical,” she said. Don’t click on any links or open any attachments and immediately get back to the individual the message appears to be from to confirm whether it’s legitimate.

Givens was taken aback by the size of the wire transfer at AMNH. “I would think it would be a dead giveaway as a phishing scam. It says to me the phishing message must have been extremely legitimate in appearance,” she said. The San Diego, Calif.-based organization has been tracking privacy issues and data breaches of all kinds for years. “This is happening more and more. Scam artists are becoming extremely clever in impersonating higher-ups within an organization,” said Givens.

In addition to examining the email address from which the message came, Givens suggested hovering your mouse over any links in the message. That might reveal that the underlying URL leads to a website outside of your organization.

“It used to be phishing messages were full of grammatical errors and misspellings. However, the crooks have become extremely sophisticated and their abilities to send phishing messages that look legit are improving all the time,” Givens said.

Some organizations even engage in very realistic tests, in which they send internal phishing emails to staff and monitor who clicks on the links. They then use that as a training exercise, Givens said.

Melanie Lockwood Herman, executive director of the Nonprofit Risk Management Center (NRMC), said fraud risk resulting from phishing is a growing concern among NRMC’s members. “We’re also seeing greater appreciation of best practices strategies to prevent being the victim of a phishing fraudster, and to respond quickly and appropriately when a potential or actual loss occurs,” she said.

Among her suggestions for nonprofits, Herman said, is to review current wire transfer controls to ensure appropriate checks and balances are in place and followed in all cases. Wire transfers may be subject to review by someone in a role unrelated to the person requesting or approving them, she said. Those for large amounts or to first-time payees should receive extra careful, deliberate review, along with supporting documentation. Any urgent or immediate request should be treated as highly suspicious, Herman said.
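The controls Herman lists (independent review, extra scrutiny for large amounts and first-time payees, supporting documentation, suspicion of urgency) can be written down as a policy check that runs before a wire is released. The following is an added example written for this article, not NRMC’s or any organization’s own process; the “large amount” threshold, the urgency wording, the role names and the sample requests are constructed assumptions.

```python
"""Policy check for outgoing wire requests, encoding the controls described
in the article. Added example; thresholds, names and requests are constructed."""
from dataclasses import dataclass

LARGE_AMOUNT = 50_000.00  # assumed threshold for a "large" transfer
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")


@dataclass
class WireRequest:
    payee: str
    amount: float
    requested_by: str
    approved_by: str
    reviewed_by: str            # someone in a role unrelated to the request
    memo: str = ""
    supporting_docs: tuple = ()


def evaluate(req, known_payees):
    """Return (decision, findings); decision is 'release', 'hold' or 'reject'."""
    findings = []
    people = {req.requested_by, req.approved_by, req.reviewed_by}
    if len(people) < 3 or "" in people:
        findings.append("separation of duties: requester, approver and "
                        "reviewer must be three different people")
    first_time = req.payee not in known_payees
    large = req.amount >= LARGE_AMOUNT
    if first_time:
        findings.append("first-time payee: confirm bank details out of band")
    if large:
        findings.append("large amount: requires deliberate review")
    if (first_time or large) and not req.supporting_docs:
        findings.append("supporting documentation missing")
    if any(w in req.memo.lower() for w in URGENCY_WORDS):
        findings.append("urgent wording: treat as suspicious, confirm the "
                        "request with the sender by a known phone number")
    # Missing separation of duties or documentation blocks the wire outright;
    # any other finding holds it for a human reviewer.
    hard = [f for f in findings if f.startswith(("separation", "supporting"))]
    if hard:
        return "reject", findings
    if findings:
        return "hold", findings
    return "release", findings


# Constructed data for the demonstration.
KNOWN_PAYEES = {"Exhibit Supply Co", "City Power & Light"}

ROUTINE = WireRequest(payee="Exhibit Supply Co", amount=4_200.00,
                      requested_by="a.lee", approved_by="b.ortiz",
                      reviewed_by="c.nguyen", memo="Monthly invoice 1143",
                      supporting_docs=("inv-1143.pdf",))

LARGE_DOCUMENTED = WireRequest(payee="City Power & Light", amount=120_000.00,
                               requested_by="a.lee", approved_by="b.ortiz",
                               reviewed_by="c.nguyen", memo="Annual contract",
                               supporting_docs=("contract-2015.pdf",))

# Shape of the request described in the article: new payee, very large
# amount, urgent wording, no paperwork, reviewer not independent.
SUSPICIOUS = WireRequest(payee="Overseas Holdings Ltd", amount=2_826_000.00,
                         requested_by="a.lee", approved_by="b.ortiz",
                         reviewed_by="b.ortiz",
                         memo="URGENT: wire today, confidential deal")

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE), ("large", LARGE_DOCUMENTED),
                      ("suspicious", SUSPICIOUS)):
        decision, findings = evaluate(req, KNOWN_PAYEES)
        print(name, decision)
        for f in findings:
            print("  -", f)
```

The routine invoice is released, the large but documented contract payment is held for deliberate review, and the request shaped like the incident in the article is rejected on every control at once. The point of separating “hold” from “reject” is that a first-time payee or a large amount is not itself wrong, but it must never be released on the say-so of the person who asked for it.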

Herman also said organizations should report fraud losses promptly to law enforcement and insurance carriers. Typical crime policies might limit or even exclude losses from phishing and other forms of social engineering. A growing number of nonprofits are purchasing or considering the purchase of policy endorsements for social engineering losses, she said.

“The most significant potential losses might be ones involving the participation — unintentional or inadvertent — of a trusted insider,” Herman said. “In the case of wire transfers made in response to criminal phishing, the loss begins when the trusted insider is tricked into believing that the request comes from a colleague at the nonprofit. A great rule of thumb for both cyber risk and physical safety risk is: If it seems suspicious, it is suspicious.”

The IRS And What’s Significant

“Significant diversion of assets” is defined by the Internal Revenue Service (IRS) as embezzlement, theft, fraud or other improper use of funds exceeding the lesser of:

• 5 percent of the organization’s current annual gross receipts;
• 5 percent of the organization’s total assets at the end of the year;
• $250,000.

Thresholds apply to the initial amount diverted without taking into account restitution or insurance.

Nonprofits are required not only to report the diversion when it occurs but also to provide additional information, including an explanation of the nature of the diversion, the amount or property involved, and any corrective action taken to address the incident.