Skip to Content
Security & privacy

How low can they go? Global charity institution scammed by hackers for $1 million

Cybercriminals have been coming up with different ways of stealing our personal information and money for years. Data breaches, ransomware and phishing scams are constantly in the news. 

Scammers are not only targeting individuals, they also go after businesses and institutions. In fact, cybercrimes against businesses have been increasing at a steady pace. According to a recent FBI report, exposed losses due to business scams can reach $12.5 billion in 2018! It’s a lucrative scheme for fraudsters, for sure.

But how low can a cybercriminal go? Judging by the latest institution that was scammed by these thieves, they can go as low as their swindled profits take them. Read on see how this charity was victimized and learn how you can protect your company from similar schemes.

Save the Children scammed

The charity institution Save the Children has recently revealed that it was hit by cyber fraudsters earlier this year to the tune of $1 million.

The scam was carried out in May 2017 by hackers who managed to take over an employee’s email account so they can send out fake false invoices and payment requests to Save the Children executives who are authorized to make money transfers.

In this case, the payments were supposed to be for solar panels for health centers in Pakistan. Unfortunately, the organization took the bait and around $1 million was wired to an entity in Japan.

By the time the organization realized that it was a scam, alas, it was too late and the money was already siphoned out of the dummy account, leaving Save the Children with a million-dollar hole in its pocket.

All’s not lost, though. Save the Children got most of the money back via insurance. At the end of the day, they only lost $112,000 – still a sizable chunk, but it’s better than being out a million bucks.

Fun fact: Save the Children is a non-profit organization that aims to improve the living conditions of children worldwide. It was founded in 1919 in the U.K.

Although Save the Children has not revealed how the crooks compromised the employee’s email account, based on the characteristics of the attack, the organization was definitely hit by a technique that’s commonly known as the Business Email Compromise (BEC) scam.

What exactly is BEC?

Here’s how it works. Basically, a BEC scammer attempts to trick employees into sending money transfers by impersonating executive email accounts.

These attacks are initiated either by social engineering tricks, email spoofing or malware, targeting upper management executives, accounting and HR departments. The emails appear so legitimate it’s easy for people to get taken.

BEC scams range from simple fake invoice schemes to elaborate impersonations aimed to siphon money out to the cybercriminal’s bank accounts.

Methods vary, but it only takes one compromised email in a chain to deploy an attack. Common methods are phishing scams, where an attachment or a link gets sent via email and if opened, keylogging malware is deployed discreetly to the victim’s computer.

The cybercriminal, having access to email credentials, then cases the victim’s business patterns, studying financial contacts and correspondence, gathering vital information to finally launch the scheme.

Attacks even have evolved to a point where the criminals monitor a target’s social media account to case behavioral patterns. If you know anyone with a business or works in IT, it’s important they are aware this is happening.

How to protect your organization from BEC attacks

So how do we protect ourselves from this costly cyber menace? Here are a few tips:

  1. Be vigilant with email communication -Check email addresses carefully, especially those coming from executives demanding financial transactions. A missing character on the address could spell the difference between safety and compromise.
  2. Use 2FA – Think of using two-factor authentication for fund transfers and corporate email accounts. Use known phone numbers for verification and avoid displaying these phone numbers on email correspondence.
  3. Watch out for social engineering scams – Curate your social media feeds and avoid posting vital corporate workflow details.
  4. Be careful with links – Be wary of email links and attachments. Scrutinize the link address before clicking and do not open attachments from untrusted email accounts.
  5. Keep your computers up to data – Regularly scan and protect your computer from malware, keyloggers and rootkits with trusted virus protection. Install the latest security patches for your systems as soon as you can,

If you are a BEC victim, the FBI recommends that you contact your financial institution immediately so they could track and coordinate where the transfer was sent. Next, contact the FBI to report the crime and file a complaint with the Internet Crime Complaint Center (

cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out