Scammers who hacked into an email account used it to steal $25,000 from a Virginia charity, a sum that would have been enough to feed 100 children for a year.
The charity, Crossroads Connection, is providing weekend meals to 90 students in Prince William County this year.
“There are kids that come to school on Monday who haven't had any food,” David Gifford of Crossroads Connection said. “I can't imagine that.”
Gifford was emailing with two churches, one that currently handles the charity's finances and another set to take over at the end of the year. Scammers hacked into one of their email accounts, learned about the transition and sent an email from that account asking for $25,000 to be wired to a bank in California.
The hackers made it appear Gifford was copied on an email by slightly changing his email address.
“Somebody had inserted an ‘I’ between the ‘D’ and the ‘R,’” Gifford said. “I didn't get the email as a result.”
“It's becoming all too common,” said Adam Levin, founder of Cyberscout. “It's called business email compromise, or BEC.”
Over the summer, the Department of Justice and the FBI arrested 74 people in a worldwide BEC scheme.
Cybersecurity experts say the hackers depend on the oldest trick in the book — deception — and they're using current information from your email account to trick you.
“And they're doing something that seems completely logical, ‘cause in this case, it was logical,” Levin said. “They were in a transition, and the hacker took advantage of the transition.”
Gifford said the community rallied since the theft, and while not all of the money has been replaced, Crossroads Connection is committed to providing bags of food to the 90 students who need the meals.
“This is a bold act of faith, and somehow we'll manage,” he said.
Crossroads Connection reported the scam to the FBI and local law enforcement. No arrests have been made.
Here are four ways to protect yourself from this type of scam:
- If someone emails you asking for money, double check the sender's email address.
- Call the person to verify, especially if wiring money.
- Be suspicious if they want to change the usual payment type or location.
- Set up multifactor authentication on your email account to help keep the hackers out.