
Tuesday, February 23, 2010

He said….she said: A debate on Charitable Giving Scams

Commentary by:

Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services, PCI QSA, CISSP, CISA, CISM, BS 7799 Lead Auditor

The Haitian earthquake sent a tremor far beyond the country's borders. Around the world, hearts went out to the people of Haiti, and organizations and governments came together to support relief efforts. At the same time, scammers were at work trying to profit from the disaster.

Whenever there is a natural disaster, there is a wave of generosity from the people and a wave of scammers who are trying to take advantage of the situation. 

We posed this question to two of our experts at BT – Jim Tiller and Sushila Nair – to get their thoughts on the biggest security threats associated with donating to relief efforts. What was new this time? What should people and businesses be aware of? Here is what they had to say:

Jim: What’s new is that today’s technology makes it easier to give.  For example, you can donate $10 with a simple text message from your phone.  Ease promotes philanthropy and helps charity organizations capture a larger community.  Moreover, there is a sense of trust, which in turn is enhanced in the mind of the donor, given the positive nature of the act.  Ultimately, this lowers people’s natural defenses, making them prime targets for scammers. 

Sushila: I think there are issues with the model.  Diffused giving results in a greater number of risks, vulnerabilities, etc.  If 60 million people have to get a dollar to Haiti, then it is more complex if this is 60 million transactions versus one transaction.  You have 60 million possible scams you can pull versus just a single scam.  The fact that those 60 million transactions are subject to different risk analysis (some have none) and vulnerabilities means that we have an issue.  We like choices. We want to choose where our dollar goes, but we are notoriously bad at doing risk analysis, investigating the charity and so on.

Jim: Today we have phishing attacks, such as the one this month allowing hackers to acquire 250,000 carbon credits and resell them to unsuspecting buyers for more than $4 million. It represented traditional low-tech attacks, but with 21st Century logic. It’s truly a renaissance period for threats, and where there is money, you will find even more.

For people, the devil is truly in the details.  For example, a message to donate via an SMS to 454545 to feed hungry children may simply be a scammer, when the real charity’s number is 45454.  People need to make the extra effort to ensure they are donating through verified channels.  Businesses will find many layers of abstraction and interaction that will complicate verification, processing and open companies to fraudulent activities. 

Sushila: There is a fundamental difference between the approach to charity in the United States and that in other developed countries in the world. Where the U.S. ranks last in the list of 22 developed nations on charitable giving at the state level, as individuals, Americans give more to charity, per capita and as a percentage of GDP, than any other country. The complexity of individual-level giving versus a unified country-based approach is that charities need to compete to encourage individual donations. The large amount of money that is given to charities by individuals also makes it a focus for scams and fraud.

Jim: Businesses implementing solutions with others to promote donations must take a close look at the technical integration and processes to ensure the business and the public are not being exposed to attack.  There are many examples of affiliate models where scammers manipulate gaps in complex technology to exploit valid processes, which allows them to skim millions without detection.  Businesses need to interrogate the model technically and procedurally from donation to collection; otherwise, even the smallest gap will be exploited.  And, frankly, the only ones who truly lose are the ones who need it the most.

Sushila: But there are some easy ways to mitigate your exposure to risk — sites such as CharityNavigator.org, an independent, nonprofit organization that evaluates and rates thousands of charity groups based on effectiveness and financial stability, help people evaluate the effectiveness of charities. I will not parrot the many suggestions on how to differentiate between fraudulent and real charities, but rather suggest that when we have this approach to providing money to charities — the charity that advertises the most, the charity that uses the saddest pictures, the charity that is simply most effective at collecting money versus spending it, is always the winner of a diffused approach to giving.

I am not convinced the innocent and the naïve will not constantly be a focus of mercenary scam artists for as long as we want the luxury of individual choice when it comes to giving.  The alternative is that government makes the choice of how to best help other countries.  However, this leaves us to the machinations of bureaucracy and political maneuvering, rather than charity being at the center point of helping those in need.

Interested in joining this debate?  Post your comments and thoughts on charitable giving scams below. 

One Response to “He said….she said: A debate on Charitable Giving Scams”

  1. [...] For the more internet savvy, a more technical treatment of the issues on our Secure Thinking blog [...]
