Hackers scammed the Save the Children Federation out of almost $1 million in a business email compromise (BEC) scam.

Save the Children is a well-known U.S.-based non-profit group that offers charity services like fundraising and sponsorships. According to the company’s 2017 income tax returns, obtained by the Boston Globe and reported this week, in April 2017 an unknown hacker posing as a Save the Children employee tricked the firm into transferring $997,400 to a fraudulent entity in Japan.

“This crime was committed and investigated in 2017, and reported in our 2017 990,” a spokesperson told Threatpost on Friday. “We have improved our security measures to help ensure this does not happen again. Fortunately, through insurance, we were ultimately reimbursed for most of the funds that were stolen.”

The scam began when hackers compromised the email account of a charity employee in 2017. They then used that access to send several documents and fake invoices within the organization.

These fake documents, which relied on social engineering tactics, asked for a sum of money to help install solar panels on several health facilities in Pakistan. The charity was tricked into sending one million dollars to scammers in Japan.

The fraud was discovered in May 2017, after which the organization coordinated with the FBI and Japanese law enforcement to investigate the incident. While the transferred funds could not be recalled at that time, the charity was able to recover all except for $111,616.

Holiday Scams

Save the Children is not the first charity organization to become the target of cybercriminals. In November, the Make-A-Wish Foundation website fell victim to a cryptojacking attack. It’s a good reminder that scams and hacks in general are on the rise this holiday season, as more shoppers flock to the web hunting for gifts.

BEC-style email attacks that deliver malware targeting point-of-sale systems are booming this holiday season, as are phishing scams perpetrated via social media.

For instance, researchers reported a spate of Black Friday-themed email spam, often taking advantage of recipients’ desire to cash in on increasingly attractive deals. These emails created tempting clickbait for users or contained enticing messages with attachments that delivered malware, not holiday cheer.

BEC emails have proved dangerous enough to catch the eye of the FBI. In June of this year, the agency said that over $3.7 billion in losses has been reported since the Internet Crime Complaint Center began formally keeping track of BEC.

The FBI suggested that to defend against BEC scams, companies should identify potential targets within their organization, increase education around the nature of BEC emails, and verify any payments or transfers.