Cyber Incident Victim: Save the Children International
Date:
May 2017
Location:
United States of America
Summary
A nonprofit organization lost approximately $1 million in a business email compromise attack after cybercriminals accessed an employee's email account and impersonated staff to generate fraudulent invoices. The attackers directed funds to a fictitious Japanese charity under the guise of purchasing solar panels for health facilities in Pakistan. The scheme went undetected until after the transfer was completed, though insurance recovered nearly 90% of the stolen money. Following the incident, the organization implemented enhanced security protocols to prevent future occurrences.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2017, Save the Children International fell victim to a business email compromise (BEC) scam that resulted in a $1 million loss. Attackers first gained unauthorized access to an employee’s email account, then impersonated the employee to create fraudulent invoices and supporting documentation. The fabricated materials falsely claimed the funds were intended for a charity in Japan to purchase solar panels for health centers in Pakistan. The organization processed the payment based on these deceptive communications. The transaction proceeded without immediate detection, and the funds were transferred to the attacker-controlled account. The incident remained undiscovered until after the transfer was completed, leaving no opportunity to halt the transaction.
The fraudulent transfer was identified post-completion, but recovery efforts through direct intervention were unsuccessful. Approximately 90% of the lost funds—around $900,000—were later recovered through the organization’s insurance policy. Save the Children’s Chief Financial Officer, Stacy Brandom, publicly confirmed the incident and stated the charity had enhanced its security measures to prevent recurrence. No additional operational disruptions or secondary financial impacts were disclosed in available reports. The organization emphasized that insurance mitigated the majority of the financial loss but did not specify the exact nature of the implemented security improvements.