New Brunswick charity hit by online banking fraud
Woodstock's Harvest House says it lost about $3,500 when a hacker redirected its e-transfers
A Woodstock charity that provides meals, transitional housing and a drop-in centre has been hit by online fraud.
Harvest House was bilked of about $3,500 in e-transfer donations, said Joel Demerchant, the organization's director.
"It hurts," said Demerchant, adding that the community is shocked and concerned.
The lost funds represent a sizeable chunk of regular monthly bills, he said. Harvest House's most recent power bill alone was about $1,000.
The theft went on for about a month this fall before the charity realized it wasn't just a typical slow period, said Demerchant.
Around Remembrance Day, an observant tenant, who was making a rental payment online, noticed the name of the recipient had changed, he said.
Harvest House contacted its financial institution, Brunswick Credit Union, which confirmed somebody had rerouted auto-deposits to a different account as of Oct. 3, said Demerchant.
They still don't know how it happened, but police are investigating, he said.
As of publication time, the Woodstock police had not responded to a request from CBC for an interview.
Police don't have enough resources to deal with the amount of fraud going on in Canada, said cybersecurity expert David Shipley of Fredericton-based Beauceron Security.
Canadians reported $570 million in losses last year and the RCMP estimate that's only 5 to 10 per cent of the actual amount, he said.
A case involving the theft of $9.5 million from a national non-profit called Factor, which supports musicians, has yet to even have an investigator assigned to it, he said.
If auto-deposits are attached to an email account that's been bombarded by scammers or has a weak or reused password, they're especially vulnerable, Shipley said.
Once a hacker gets into the email account, it's easy for them to divert auto-deposits by changing the destination bank account, he said.
"As long as I control the email, I can rerun the approval process with a new bank account and you're none the wiser," he said. "You won't even see it because I'm controlling the email account."
It's a design flaw that banks are aware of, said Shipley.
They could prevent more of this from happening but don't want to inconvenience customers by making them log in, he said.
Ottawa should force banks to lock an email address to a bank account for auto-deposit or similar features, he said.
Auto-deposit is still generally safer than the alternative of exchanging a security question and answer with the recipient of an e-transfer, said Kelly Burchill, senior vice-president of operations for Brunswick Credit Union.
"This is when most fraudsters are successfully intercepting and able to gain unauthorized access to the funds," Burchill said.
She wouldn't comment on the specific incident involving Harvest House but said people have to be very vigilant because fraudsters are often one step ahead of technology.
In many cases, people are lax about protecting their personal information, Burchill added.
Regarding the idea of locking an e-mail address to a bank account, she noted that not all auto-deposits even use e-mail, but Brunswick does offer the option of signing up for notifications and strongly suggests these are turned on.
"That way, if anything is changed or added to your account you are notified either by email or text to say, 'Hey, this has been changed on your account. If you did not authorize this, please contact your financial institution as soon as possible.'"
Charities and small businesses can help themselves by requiring multi-factor authentication to get into their email and other accounts, said Shipley.
This can reduce digital lock picking by about 99 per cent, he said.
However, not just any kind of authentication will do, said Shipley.
For example, anyone processing thousands of dollars in payments should avoid relying on text messages to receive security codes, he suggested.
That's because phone numbers can be hijacked to intercept the codes, he said.
Shipley recommended using an app such as Google or Microsoft Authenticator.
These require the entry of a series of digits when trying to log in.
When dealing with even larger sums, Shipley suggests having a YubiKey plugged into your device.
Even that won't necessarily keep out a dedicated attacker, he said.
"It's still not foolproof. … You have to keep a close eye on any online transaction system."
IT experts looked at Harvest House's computers and didn't find any problems, said Demerchant.
All the devices used to access the account had protective software, he said, adding that double-layer verification was being used to sign in and he was the only one with the email password.
Demerchant later learned that other individuals and charities were hit by a similar scam, including the Carleton County animal shelter.
Taylor Williams, shelter manager, said their email was targeted by fraudsters in November.
Luckily, their email provider noticed some weird login attempts and sent a security alert, she said.
They changed their address and no funds were lost, said Williams.
Meanwhile, Harvest House recently got the go-ahead to resume online banking through a new email address, said Demerchant.
But no one has received refunds for the misdirected donations and the charity is unable to issue tax receipts because it didn't get the money, he said.
With files from Information Morning Fredericton