Criminals Steal $650,000 from Non-profit Organization.
It was a heartbreaking discovery. A non-profit organization paid out an amount equating to 26 percent of its annual revenue over a month in what the organization thought was legitimate project payments. When the executive director later spoke to the group that was to hire architects and engineers for a low-income housing project, she expected confirmation that things were underway. But the contractor had not received any of the payments made—only an email from the non-profit the previous month stating that it had to delay payment.
The three payments had gone elsewhere. By the time the executive director reported the loss to the FBI, the U.S. Attorney’s office would not investigate. The trail was already cold, and the amount was relatively small. After all, the FBI received 19,300 such reports in 2020. The non-profit managed to recover only a pittance remaining in a shell account in a bank in another state.
How did it happen? The bookkeeper, in this case, a third-party serving the non-profit, was the initial victim of business email compromise (BEC). Once the hackers had gotten into the bookkeeper’s email system, they infiltrated existing email chains. Then they gathered the information needed to imitate the parties and redirect payments.
The criminals, posing as the executive director, had sent that “payment delay” email to the contracting company. They also had intercepted an email from the contracting company with an invoice to the executive director. They resent the legitimate invoice to the director, but altered the wire-transfer instructions for the payment. In the next few weeks, they emailed two more phony invoices modeled on the legitimate one.
Based on these three invoices from the contractor, which she expected, the executive director made three wire transfers totaling $650,000. According to the director, there was not any poor grammar, strange language or unusual expressions in any of the communications. Everything appeared normal and legitimate. It was not until her conversation directly with the contract group that she realized her organization was victim of a sophisticated BEC fraud.
What To Do
How do organizations prevent BEC fraud from happening? First, understand that email, while hugely convenient and valuable, is not secure. Train your staffs in the fundamentals:
- Create and use strong passwords – 12 or more characters, with upper and lower case, numeric and symbols. Avoid complete words (including in foreign languages—they’re not foreign to hackers’ programs). Substituting numbers for letters like zero for “o” is not a unique idea—the hackers are way ahead of you.
- Do not use the same password across systems and accounts.
- Do not share your passwords.
- Do not open any email attachments unless you are sure of their origin and legitimacy.
- Do not open any email attachments with .bat, .exe, or .vba extensions, or with unknown file extensions.
- Beware “fraud alerts” that urge clicking a link in the email.
- Make sure web connections are secure, i.e., “HTTPS,” not “HTTP” only.
- Do not collect or transmit sensitive information via email, e.g., vendor tax ID numbers or bank account numbers.
- Create control processes to verify all communications regarding payments to vendors independently.
Solicit help from IT on additional security measures you can take.
Business email compromise occurs frequently, though it does not grab headlines the way larger security breaches do. Nevertheless, BEC is costly. According to the FBI, BEC accounted for $1.87 billion in losses last year. And the trend continues steadily upward. Organizations must educate their people, create an alert environment and employ technological and process controls. Often it is not technology that fails but the people using it. In the case of email, the hazards are considerable.
A safe way to gather sensitive vendor information is via a secure vendor self-service portal. To learn how VendorInfo can help, contact us.
