Hackers Stole $650,000 From Nonprofit and Got Away, Showing Limits to Law Enforcement’s Reach

Sherry Williams, One Treasure Island’s executive director, discovered something was wrong on Jan. 27, when she spoke by Zoom with the intended loan recipient, who hadn’t received the first installment as planned.

“It was absolutely devastating,” said Ms. Williams, who said she filed reports with the Federal Bureau of Investigation and other organizations immediately after learning about the theft.

Ransomware and nation-state hacks dominate public discussions of cybersecurity. The world watched when fuel pipelines shut down after an attack at Colonial Pipeline Co. and when corrupted software spread to companies and government agencies through incidents at

SolarWinds Corp.

and

Microsoft Corp.

One Treasure Island was hit by a relatively low-tech hacking technique: an email-compromise attack. Hackers broke into the email system of the nonprofit’s third-party bookkeeper, then inserted themselves into existing email chains by using similar email addresses to pretend to be people associated with the nonprofit.

Email-compromise attacks don’t grab the spotlight, though they cause substantial economic damage. The FBI estimated these attacks accounted for about $1.87 billion in losses in 2020, up from about $1.78 billion in 2019—the costliest category of crime reported to its Internet Crime Complaint Center, or IC3.

These are just the email compromises companies disclosed, meaning the true figures are likely larger, said Kelvin Coleman, executive director of the National Cyber Security Alliance, a nonprofit that promotes cyber partnerships between the public and private sectors.

Formed in 1994, One Treasure Island is part of an effort to build about 8,000 new homes on its namesake island, including about 2,000 affordable-housing units. About 2,000 people already live on the island.

The nonprofit works to create jobs for formerly homeless people, ex-prisoners and others who struggle to find work in the Bay Area.

The stolen money was intended to kick-start new building projects, providing a loan to a member organization of One Treasure Island for hiring architects and engineers. The nonprofit had around $2.4 million in revenue and $4 million cash in savings at the end of its 2019 fiscal year, according to its most recent tax filing.

After the hackers infiltrated the bookkeeper’s email system, they posed as Ms. Williams in an email to an employee of the member organization that was expecting the loan. In the email, the hackers said that an agreed-on December payment would be delayed.

Then the hackers took a legitimate invoice that the member organization had emailed to Ms. Williams and sent it to her again, changing the accompanying wire-transfer instructions to a bank in Odessa, Texas, from a California bank.

After that, the hackers sent two fake invoices to Ms. Williams, who transferred the $650,000 to the Odessa bank in three increments, for the legitimate invoice and the two made-up ones.

Nothing seemed amiss to Ms. Williams. “It wasn’t like they were using weird language or using terminology that you wouldn’t use in these circumstances,” she said.

One Treasure Island didn’t have cyber insurance, she said.

Immediately after discovering the fraud in late January, Ms. Williams filed reports with the FBI’s IC3 and the nonprofit’s bank in San Francisco, as well as a branch of

Cullen/Frost Bankers Inc.

in Odessa where the money was sent.

On Feb. 25, nearly a month later, the FBI assigned a special agent to the case. On March 3, the agent emailed Ms. Williams to say the U.S. attorney’s office in San Francisco had declined to open an investigation. He didn’t explain and the FBI hasn’t been in contact since, she said.

Doree Friedman, president of One Treasure Island’s board, was hoping the nonprofit would get help. “We’ve been disappointed in the lack of response by law enforcement and we are pessimistic about recovering these funds,” she said.

A spokeswoman for the FBI in San Francisco said its handling of complaints is confidential. She referred questions about the decision not to prosecute to the U.S. attorney’s office, which declined to comment.

Many factors play into a decision to take a case, said John Bennett, a managing director in consulting firm Kroll Inc.’s cyber risk unit. Authorities are unlikely to pursue a case unless the loss is at least half a million dollars and leads haven’t dried up, said Mr. Bennett, who was the special agent in charge of the FBI’s San Francisco field office until August 2020.

“That’s because tomorrow we’re going to get a $15 million one and that one’s going to take a lot of time and effort,” he said.

Such triage helps the FBI deal with thousands of complaints. Last year, more than 19,300 reports of email-compromise crimes came in nationwide, IC3 data shows.

Reports made within 72 hours of a money transfer improve the odds of recovery, said Sounil Yu, chief information security officer at cybersecurity firm JupiterOne Inc. Longer than that and prospects fade, said Mr. Yu, a former chief security scientist at Bank of America Corp., where he dealt extensively with such cases. Once criminals move money abroad, it’s harder to trace. “Timing is of utmost importance,” he said.

Reporting the theft as soon as she found out about it didn’t get results for Ms. Williams. Frustrated by the FBI’s response, she launched her own investigation. Using her personal air miles, she booked flights to Texas for herself and One Treasure Island’s administrative director, Vinicio Castro.

The pair arrived in Odessa, near the border with New Mexico, on April 15, to cold, drizzly weather. In a meeting the next day, they learned from a detective at the Odessa Police Department that she could investigate only what had happened in her jurisdiction. The detective told them she would focus on the person who opened the Frost Bank account. It was up to the FBI to find the stolen funds, she said.

Ms. Williams and Mr. Castro then drove to the Frost branch, which had frozen the swindlers’ account when Ms. Williams made the initial report. The branch manager put Ms. Williams in touch with a fraud investigator at Frost Bank, she said.

Of the $650,000 missing, One Treasure Island has recovered around $37,000 from the frozen account. That sum was likely the cut for the money mule who moved the rest of the cash out of the country, Ms. Williams said the Odessa detective told her.

The pair flew home the next day.

“Ultimately, I was discouraged by our trip because I didn’t feel like we accomplished very much,” Ms. Williams said.

The Odessa Police Department and Frost Bank declined to comment.

A maze of rules affecting local, state and federal agencies can hinder investigations, said Joseph Neumann, a cyber executive adviser at cybersecurity firm Coalfire Systems Inc. who works with victims of business email compromise.

“The legal system in the U.S. is not known to be fast or agile, and is currently trying to chase technology in the 21st century with 19th-century process and tactics,” he said.

Ms. Williams worries that the cybertheft might hurt One Treasure Island’s fundraising. The loss puts new housing construction behind, she said. But she and Ms. Friedman, the board president, hope discussing the episode will prompt change.

“There is this whole element of people just not willing to come forward and necessarily be the face of fraud and I’ll tell you that I’m not really relishing that myself,” Ms. Williams said. “I’d rather be the one telling all the great stories of people getting out of prison and getting construction jobs and building a new life.”

Write to James Rundle at [email protected]