Several unfortunate events were used together to defraud a 501(c)(3) of nearly all their operating funds during a transition from one managing group to another, highlighting the needs for stronger controls in a wider spectrum of organizations than usually considered.
The Scenario
The attacker gained control of a person’s email account at a large consulting firm, presumably because the company’s high-profile name and contracts made them a more important target for attackers. The employee using the compromised account was using the company account for personal purposes, one of which was as a team member working to transition an unrelated 501(c)(3) from one managing group to another.
The attacker monitored this individual’s email communication and began to piece together the intended transition plan. When the outgoing head of the 501(c)(3) communicated to the employee (and the attacker) that she was going on an extended and remote vacation, the attacker put their plan into motion.
The outgoing head was using a common public email platform and the attacker created a similarly-spelled email address that was then used to spoof the outgoing head.
The spoofed email address was used to create confusion around the timing of the funds transfer and the attacker used this supposed “change in plans” and their control of both the spoofed email address and the team member’s compromised corporate email address to misdirect the funds from the intended account to the attacker’s.
The intended recipients, unaware of the change in plans, didn’t know the funds were arriving early and so didn’t miss them when they didn’t arrive. By the time the senders started asking questions and the outgoing head returned from vacation, the funds had been transferred from the attacker’s account to other accounts and not even the FBI was able to recover the misdirected funds.
The leaders of the 501(c)(3) disclosed the fraud to their supporters and were able to raise almost twice the amount lost, ensuring the continued operation of their charity for another year.
The attackers, meanwhile, left us with several valuable lessons that we can benefit from.
Lessons Learned
Even in a small non-profit organization run by part-time people, a few extra security controls might have led to a completely different outcome.
- Require that personal email be used for personal purposes.
The large consulting firm had a high-profile name and contracts, making them a big target for the attackers. It’s doubtful that their purpose was to defraud the 501(c)(3) when they compromised the corporate email account—but the attackers took advantage of the situation when it presented itself. - Require standard email account security measures.
Use two-factor authentication and uniquepasswordspassphrases that are hard-to-guess and easy-to-remember. - Verbally confirm both payment amounts and destinations.
Implement a dual-control policy where a wire-transfer request won’t be initiated without verbal confirmation from another person, while ensuring that the parties are talking to the right persons.
Additionally, employing some best-practice security tips would have helped.
- Pay attention to email addresses—sometimes the changes can be subtle—and spoofing an address or even a domain is quite easy.
- Be aware of changes in grammar, spelling, word usage and even formatting from frequent correspondents. When looking back, the spoofed emails had tell-tale signs that they weren’t from the outgoing head.
Conclusion
The funds your organization deals with may not have many digits, but even if you’re not a large target, you can still become collateral damage in someone else’s attack. Without building a full security department or adopting onerous and complicated security policies, your organization’s security posture can benefit from periodic risk analysis and the implementation of the right controls to address the concerns.
