Philadelphia hunger-relief group Philabundance discloses that was the victim of a July 2020 cyber-attack when the nonprofit wired nearly $1 million to pay a fraudulent construction bill relating to the completion of its new Philabundance Community Kitchen. Excerpt of the Philabundance statement:
“This fraud was a one-time event and did not involve the day-to-day finances of our organization or any personal information of staff. Nor did it affect our online donation system. Our donors can trust that their donations through that online platform have reached us and will continue to reach us, and will be used to feed the hundreds of thousands of people in our area who do not get enough to eat on a daily basis. We have enhanced our IT security systems and financial controls to protect every single dollar we raise. We are being both thoughtful and aggressive in putting these safeguards in place to make sure this never happens again.“
In the last week alone, some 5.6 million households in the US struggled for food. Local food banks are struggling to get food and find the resources to feed those in need in this surreal year, and are also working hard to find volunteers in a time where the need for them has skyrocketed and human contact equates with potential safety risks.
Some statistics are saying that the 54 million families now facing food insecurity may well include 1 out of every 4 children in the US. Of the people receiving help from this organization, it’s estimated that 30% are children, and 16% are seniors. Those numbers may include veterans, single parents, disabled and working-class families who are experiencing unprecedented stress.
This attack is inexcusable and might serve as a call to action for those of us in the cybersecurity community. It\’s time for cybersecurity professionals to step up and volunteer their expertise as advisors and helpers for our local food banks. It’s up to us at the grassroots level, because right now, there’s no one else who is doing it. From system analysis to BEC and anti-phishing advice, we can contribute to society in an incredibly meaningful way. If experts can donate their time pro bono, it will help us all. For those cybersecurity professionals who may not feel highly skilled enough to help in that way, they can share thoughts online (provided of course that they NOT reference the name of any food bank whose defenses they suspect may not be up to par – there’s no need to put other food banks at risk).
The cyber theft from Philabundance follows the classic Business Email Compromise model. It\’s unfortunate that criminals would target a food bank during this time of need, but that is a reflection of their nature. Hopefully, Philabundance has improved their process and updated their user education to reduce the risk of a similar attack happening in the future. Adding appropriate tools to their security stack could also help, such as behavior analytics, that could have identified the initial intrusion and recognized the spoofed emails.