One of Philadelphia’s largest hunger relief organizations was scammed out of nearly $1 million in an elaborate online phishing campaign.
Lorree Jones, who took over as CEO in June, told media outlets that thieves infiltrated the charity’s computer systems “through a phishing scam and put in controls that blocked legitimate emails.” The thieves then created a spoof email that mimicked an invoice from the construction company.
Philabundance made a payment of $923,533 on July 7 and discovered the theft on July 24 after the company building the food service training center inquired about the status of its payment.
The $12-million Philabundance Community Kitchen opened in September, training people with little or no formal work experience in the food service industry.
Founded in 1984, Philabundance distributed more than 26 million pounds of food in 2019. It serves 90,000 people weekly in nine counties in Pennsylvania and southern New Jersey. The organization reported $58 million in total revenue, including $39 million in noncash contributions of food, on its Form 990 for the fiscal year ending September 2019. Total assets were almost $21 million.
“We have conducted an internal investigation and are collaborating with the FBI and the Philadelphia Police Department in an attempt to identify the perpetrator(s) of this crime,” the organization announced via a statement posted on its website today.
“This fraud was a one-time event and did not involve the day-to-day finances of our organization or any personal information of staff. Nor did it affect our online donation system,” the statement continued.
“We have enhanced our IT security systems and financial controls to protect every single dollar we raise. We are being both thoughtful and aggressive in these safeguards in place to make sure this never happens again.”
Phishing scams are becoming more sophisticated, especially with mimicking an organization’s emails. The American Museum of Natural History in New York City made an erroneous wire transfer of $2.8 million in 2015 after an email phishing scam apparently duped an employee.
“Significant diversion of assets” must be reported to the Internal Revenue Service (IRS) via a nonprofit’s annual Form 990. Diversion of assets is defined as embezzlement, theft, fraud or other improper use of funds exceeding 5 percent of current annual gross receipts, 5 percent of total assets, or $250,000.
“It is increasingly difficult for any operation — nonprofit or for-profit — to protect itself from cybercrime,” the statement continued. “And it’s unfortunate that we have been preyed upon as a social philanthropic organization and must increase our security efforts.”