Cyber Security Is a Growing Issue for Nonprofit Organizations 

Save the Children, an international nonprofit children’s relief and development organization, revealed that a cyber attacker or attackers tricked the organization into paying out almost $1 million.

The cyber incident on Save the Children shows that cyber security isn’t only the concern of profit organizations, but also by not-for-profit organizations.

While the Save the Children’s cyber incident disclosure was done via the organization’s 2017 tax report, this cyber incident only came to light with the recent report of the Boston Globe.

In its tax report, Save the Children said that in April 2017, an unknown cyber attacker or attackers posing as an employee of Save the Children tricked the organization to transfer $997,400 to a fraudulent entity in Japan on the belief that the money was needed to purchase solar panels for health centers in Pakistan.

By the time the fraud was discovered in May 2017, Save the Children said, the transferred funds couldn’t be recalled. The organization said its financial loss was mitigated down to only $111,616 as it was able to recover $885,784 from its insurance carriers.

Save the Children told the Boston Globe that attackers broke into the email account of an employee of the charity and created false invoices and other documents, deceiving the charity into transferring almost $1 million to a fraudulent entity in Japan.

Save the Children said it coordinated with the Federal Bureau of Investigation (FBI) and the Japanese law enforcement, and it has since taken steps to strengthen its cyber security to prevent another cyber fraud.

Cyber Threats 

Business Email Compromise (BEC) scam

The fraud committed on Save the Children is typical of the cyber threat called “business email compromise” (BEC) scam. In BEC scam, an attacker impersonates a high-ranking official like a chief executive officer or a representative of the organization’s supplier to trick lower-ranking personnel, typically an employee with access to company finances, into sending money or sensitive information.

BEC fraudsters make use of money mules, individuals who witting or unwitting, receive the stolen money and then transfer the funds as directed by the fraudsters. A fraction of the money is kept by the mules for their trouble. According to the FBI, between October 2013 and May 2018, BEC scammers defrauded different organizations worldwide of nearly $12.5 million.

It’s worthy to note that cyber insurance isn’t the cure-all solution for cyber threats. In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Alberta Court of Queen’s Bench was made to decide on whether the business email compromise attack exposure of Brick Warehouse falls within the terms of the insurance policy issued by Chubb Insurance Company of Canada.

In the said case, a fraudster or fraudsters tricked a Brick employee to transfer over $338,000 to a fraudulent account believing that said account was owned by one of Brick supplier. The fraudster or fraudsters, posing as a representative of Brick supplier, successfully convinced the Brick employee that payment to the Brick supplier should be made to a new bank account number (which turned out to be fraudulent).

The Alberta Court of Queen’s Bench ruled that a supplier impersonation didn’t fall within the terms of the insurance company’s crime policy coverage.

“Even if the Brick did not consent to the funds transfer, there is still the issue of whether the transfer was done by a third party,” the Alberta Court of Queen’s Bench said. “Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.”


Last month, another nonprofit organization, the Make-A-Wish Foundation fell victim to another cyber threat, this time via cryptojacking. In cryptojacking, the computing power of another, for instance, a website visitor, is used to mine cryptocurrency.

Simon Kenin, researcher at Trustwave’s SpiderLabs, reported that attackers compromised the official website of Make-A-Wish by embedding a cryptojacking script into the website, which allows the use of the computing power of the visitors to the site to mine cryptocurrency, with the proceeds of the cryptocurrency mining going straight into the pockets of the attackers.

After Trustwave reached out to Make-A-Wish Foundation, the embedded cryptojacking script was removed from the website.

According to Kenin of Trustwave’s SpiderLabs, attackers compromised the Make-A-Wish website to mine cryptocurrency by exploiting the security vulnerability dubbed as “Drupalgeddon 2” – a security vulnerability that allows attackers to perform remote code execution on default or common Drupal installations.

In remote code execution, an attacker makes changes, in this case to a website, irrespective of the location the attacker. Drupal, meanwhile, refers to an open source content management system (CMS) that’s used by more than 1 million sites worldwide. In March 2018, Drupal security teamcalled on Drupal users to upgrade to Drupal 7.58 or Drupal 8.5.1.

It’s important, therefore, to keep all your organization’s software up-to-date. Patches, also known as security updates or upgrades, contain security fixes of known security vulnerabilities. By failing to install these patches in a timely manner, your organization’s IT system is vulnerable to cyber-attacks specifically from attackers exploiting known security vulnerabilities.

Cyber Security Best Practices

The cyber incidents on Save the Children and Make-A-Wish Foundation show that nonprofit organizations aren’t immune to cyber-attacks. Cyber attackers employ no moral compass in their attacks. 

Contact ustoday if you need assistance in protecting your organization from cyber threats.

Leave a Reply

Your email address will not be published. Required fields are marked *