Save the Children Federation was hit twice by cyber-scammers, according to the organization, with crooks getting away with more than $1 million. Much of the loss was recovered via insurance coverage.
The loss was reported on the organization’s most recent federal Form 990 filed with the Internal Revenue Service (IRS) in August but first reported yesterday by The Boston Globe.
Under the section significant diversion of assets, Save the Children reported “an unknown criminal hacker or hackers posing as a Save the Children employee fraudulently induced the organization to transfer $997,400 to an entity in Japan.”
The fraud was against the Fairfield, Conn., arm of the international charity, which is based in London. “We have improved our security measures to help ensure this does not happen again,” Chief Financial Officer Stacy Brandon said via a statement. “Fortunately, through insurance, we were ultimately reimbursed for most of the funds.” A spokesperson for the organization declined to be specific regarding the safeguards and stressed the events were in 2017 and that there have been no incidents since.
The fraudulently obtained funds were supposedly for the purchase of solar panels for health centers in Pakistan. False invoices were crafted and hackers broke into an employee’s email account to send the documents. The fraud was discovered in May 2017, too late for the transfer to be recalled, according to information on the Form 990. Insurance covered $885,784 of the loss, according to information in the tax filing.
Save the Children worked with the FBI and Japanese authorities but no arrests have been made. The organization has taken undisclosed steps to tighten its cybersecurity.
In a separate instance, the organization reported it was given false information on a bank account that resulted in $9,210 being diverted to an account in Benin in West Africa. The organization was able to recall all but $120 of the diversion.
“This is a good example of how failing at cyber security can cost cold hard cash,” said Lamar Bailey, director of security research and development at cybersecurity firm Tripwire. “Social engineering is one of the easiest and most effective ways for attackers to reach their goals. Emails that originate inside of a company are often just assumed to be legitimate and never questioned.”
Save the Children has an overall three-star rating from Charity Navigator of a possible four stars. It received four stars for accountability and transparency and three stars on financial evaluations.
Save the Children reported $759 million in overall revenue on its 2017 tax form. That ranked No. 28 in the 2018 NPT 100, a study of the largest nonprofits in the nation. It’s not the first time an organization in the NPT 100 was the victim of an email scam. The American Museum of Natural History in New York, which ranked No. 65 with $310 million last year, similarly reported a phishing scam on its 2015 tax form of $2.8 million.