“We’ve been cyber-conned” - British Charity Loses $1.8 Million

For your free ISO 27001 Information Security Management System Gap Analysis Checklist, Click here



“Learn from our experience- believe us, it is a lesson painfully learned”


Reports have emerged that a British charity has been scammed out of more than AUD $1.8 million in donations after cybercriminals successfully ‘spoofed’ a contractor’s domain, pulling off what’s known as a ‘contractor impersonation’ scam.


The Red Kite Community Housing charity announced in a statement last week that they were “cyber conned” after criminals were able to impersonate the website of one of its contractors and fell victim to emails appearing to be from one of its contractors that were actually scammers.


The charity confirmed in its statement that scammers were able to siphon £932,000 that would have otherwise gone toward subsidizing the cost of housing for those in desperate need of a roof over their heads.


In their statement, Red Kite said that the scammers were able to “expose a weakness using sophistication and human nature to carry out the theft of this money.” While the charity was proud to say that over the past eight years of operation they had implemented a range of processes and systems for its network security, all of this was undone with some social engineering when criminals pretended to be a contractor familiar to the charity.


“In essence, they mimicked the domain and email details of known contracts that were providing services to Red Kite. Through this, they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation.”


“We still have an additional safety net in place; a two-stage process to verify changes to payments and accounts which ordinarily would have caught this attempt,” the statement continued to explain. “This, however, proved to be our weak point, with an error being made by the clear process not be[ing] actioned, resulting in a missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved,” the charity wrote.


“What happened to us this time was different and it has brought home to us that you can never drop your guard for a moment, no matter how safe you think your systems are,” they wrote.


“Our sector is targeted by cyber-criminals on an almost daily basis, and we are no different. Our IT systems and teams detect and stop attempts to access information and steal data or money every day.”


According to reports, the manipulation took place in August of 2019, and the case remains under investigation from the relevant authorities. Sadly, Red Kite’s governance rating has been downgraded by the Regulator of Social Housing (RSH) in the wake of the con.


RSH wrote in a statement that Red Kite had been hit by a “significant financial loss as a result of a fraud due to a basic failure in its system of internal controls,” urging the charity to implement new and more secure processes internally to ensure there’s no repeating of the past.

© 2019 by Best Practice

  • White YouTube Icon
  • White LinkedIn Icon
  • White Instagram Icon
  • White Facebook Icon
  • White Twitter Icon