The Philadelphia region’s largest hunger-relief group was nearing completion of its $12 million Philabundance Community Kitchen in July when the nonprofit’s finance office wired $923,533 to pay a construction bill.
At least employees thought they did.
“Weeks later we realized it was sent to a fraudulent account,” Loree Jones, who took over in June as Philabundance’s chief executive, said Monday.
Philabundance, which during the pandemic is seeing greater need for its services than ever before, was the victim of an elaborate and large cybertheft.
Sometime in the spring, the thieves infiltrated the group’s computer systems through a “phishing” scam and then put in controls that blocked legitimate emails from getting through, Jones said. The final step was a “spoofing” email that mimicked an invoice from the construction company.
Philabundance made the payment on July 6, and discovered the theft on July 24, after the company building the food-service training center in North Philadelphia asked where its money was.
“While I am aware of cybercrime and crime in general, I was disturbed to know that a beloved, respected organization literally feeding people in the midst of a pandemic was preyed on in this way,” Jones said.
The organization has since been able to make the construction payment using reserves, Jones said. She also said she is confident that thanks to “the generosity that we’ve seen in the community” Philabundance will meet its goal of distributing 50 million pounds of food in the fiscal year that started Oct. 1 — nearly twice as much as ever before.
Philabundance Community Kitchen, where low- or no-income individuals with little or no formal work experience receive food-service training, opened in September.
Philabundance employs 110 and had $58 million in revenue in the year ended Sept. 30, 2019, with more than $38 million coming from food donations. The attackers did not access employee or donor data, Jones said.
The nonprofit has distribution centers in North and South Philadelphia that supply food to partner agencies. From March through October, Philabundance provided aid to an estimated 134,807 people weekly, up from 54,739 in the 12 months ended Sept. 30, 2019.
Fraudulent transfers of the sort that struck Philabundance are the second most common type of cyberattack, according to the Insurance Information Institute, a New York nonprofit that aims to educate the public about insurance. Losses to insurers in these incidents have ranged from the low thousands to over $1 million per incident, with nonprofits accounting for 9% of financial cybertheft incidents, a spokesperson for the insurance institute said.
Overall financial losses from cybercrime complaints made to the FBI’s Internet Crime Complaint Center soared to $3.5 billion in 2019, up from $1 billion in 2015, according to the institute.
The most common type of cyberattack is ransomware, which the institute defined as a type of malware that denies access to an organization’s system. Typically, the perpetrators demand payment for the release of the data. This year, hospital systems, including Crozer-Keystone Health System in Delaware County and Universal Health Services Inc., a national hospital firm based in King of Prussia, have been targets for ransomware.
The FBI declined to provide any information on the status of an investigation into the theft from Philabundance, which recently completed its insurance claim. The nonprofit could recoup some of its losses.
Rob D’Ovidio, an expert in cybercrime at Drexel University, said the amount of the theft would likely attract the attention of law enforcement, which sometimes succeeds in identifying the thieves because they can often follow a money trail through the financial system.
Jones said that after the theft Philabundance hired a cybersecurity expert to help it increase controls. In addition to training employees and asking them to be more vigilant, the organization now requires additional executive approvals for large payments and has added protections to bank accounts.
The cybersecurity training Philabundance adopted entails more frequent, shorter sessions followed by testing with a fake phishing email to see if employees resist it. That’s the right approach, said D’Ovidio, an associate professor in Drexel’s Department of Criminology & Justice Studies.
“You hate to hear that an organization like Philabundance has to divert resources to dealing with these types of shenanigans and nonsense,” D’Ovidio said, “because that money is being taken away from the people who need it, especially now and at this time of the year.”