Small charities and large risk – how scammers can hijack your identity to steal money all over the world

24 Nov 2017 Ryan Miller    Last updated: 24 Nov 2017

HAPANI's website
HAPANI's website

HAPANI is a small organisation based in Belfast that recent found itself an unwilling and unwitting vehicle in an international fraud. They speak to Scope about the need for better protections and how any organisation could fall foul.

Every organisation has a website.

An online presence is one of the main vehicles of both accessibility and publicity for all groups in the third sector.

When it comes to web security, charities are not as strong as they could be. But what about a different kind of hijacking? One for which there is currently not a proper course of remedy.

Very few small organisations worry about someone hijacking their identity wholesale and using it to trick people from all over the world out of cash.

Yet that is precisely what has happened over the past few months with HAPANI (Horn of Africa People's Aid NI), a small organisation that supports individuals living here who are originally from Somalia, Etiopia, Eritrea, Djibouti, and Sudan.

Completely unknown to them, the charity and its trustees were one of the public faces of an international fraud targeting wholesale businesses. This scam has left them concerned about the core functions of the charity, and also what the reputational impacts could be.

What is most worrying for them – and every other small charity in Northern Ireland, and beyond – is that they did nothing out of the ordinary and yet have not found an effective legal pathway to sort out the problem.

Through their own initiative they were able to push back against the fraud, only for it to spring back up again.

Online scam

HAPANI had no idea it was – or even could be – involved in a phishing scam until August, when it received a message from a business that was an intended victim.

This was a fruit-and-veg wholesaler based in Thailand, a husband-and-wife owned business that was delighted when it found out it had been offered a contract worth over €1,000,000. Delighted and, luckily for them, wary.

They had received an email purporting to be from Liz Griffith, who is the real secretary of HAPANI, which claimed they wanted to buy this enormous amount of fruit and veg to provide aid to people in war-torn countries.

The fake charity had copied HAPANI’s website – word for word, photo for photo and name for name – but with a different web address, set up on the domain

However, as the head of HAPANI Suleiman Abdulahi told Scope: “The couple running the company were very clever and they looked for us online and sent a message to me on Facebook, and asked if this email from us.

“This was really shocking for me - that someone can create a company using our details, get in touch with people saying that they have won a large tender, then ask for bank details and other information so a contract can be signed.”

That was the way of the scam; the people behind it added several layers on top of what is a basic phishing exercise to steal money from businesses, in order to build trust. They disguised themselves as a charity – in this case HAPANI – then got in touch with companies not, initially, to ask for money, but instead to say that they want to award that firm a contract.

It was the same story when, a few weeks later, Mr Abdulahi was contacted by a water wholesaler based in Spain, who had been contacted by the same fraudsters who again said they wanted to spend more than €1,000,000 on their goods to supply as aid to refugees.

Like he had done with the Thai firm, Mr Abdulahi warned them that this was nothing to do with HAPANI and that they must be a target for phishing. As that Thai firm had done, the water company backed off without losing any money. Not everyone was so fortunate.

No effective remedy

Mr Abdulahi and Ms Griffith went to see the PSNI in early September.

They were surprised that officers saw fit to reassure them they “had not committed an offence”, before warning that they should take more precautions with their website and ultimately telling them that, because the fake webpage had an IP address in the Netherlands, this was a matter for the Dutch police.

Mr Abdulahi visited the Dutch embassy and got in contact with the police in the Netherlands – who told him that he liked in the UK and, therefore, this was a matter for detectives over here.

Concerned about reputational damage to HAPANI, and being understandably galled by its use in criminal activity, he decided to carry out his own investigation. He already had an audit trail of the front face of the scam, because he had copies of the emails that had been sent to the Thai and Spanish wholesalers, so he looked into the registration of the fake website.

After finding out its domain hosting company, he contacted them and provided them with details of the attempted fraud and they closed the webpage down – but the matter didn’t end there.

When Scope went to speak with Mr Abdulahi in HAPANI’s offices on Botanic Avenue last week, he had recently discovered that the fraudsters had revived their scam on a new domain –, just one letter different than the previous page, and again a complete facsimile of HAPANI’s own website – this time using a different domain hosting company.

He got in touch with this new hosting company to voice the same concerns – but was told that they couldn’t just shut down a page on the basis of allegations, and he would have to obtain a court order.

That situation remained unchanged until the past few days. After Scope’s first interview with Mr Abdulahi he was contacted by a third business, this time based in Hong Kong, who had again been contacted by the fraudsters and who then tracked down the real HAPANI online.

Unfortunately, this third business had been scammed out of several thousand pounds. Mr Abdulahi sent this information on to the web hosting company and, although at the time of writing he had not heard back from them, the second fake website is no longer available online.

The fact that at least one business has been successfully fleeced only increases the likelihood that there will be a third fake HAPANI site sometime soon. Maybe it is online already.

Charity worries

Mr Abdulahi and Ms Griffith share myriad concerns about what has happened to them – and about how vulnerable all small charities are to this kind of fraudulent use.

Although the PSNI told them they had to take more precautions with their website, they do not know exactly what this means, because all the scammers did was copy it – and, if you can visit a website, you can copy it.

He said: “Are we supposed to go back to the stoneage and close down our website, because the risk is so high and we don’t have the resources to stop this? We cannot do that. We can’t stop crimes which are operating in Australia, Europe and the USA.”

Mr Abdulahi was able to discover information about the registration of the fake websites and they were linked to names, addresses and telephone numbers in Australia and the United States – which is probably just another layer of misdirection in the fraud, and definitely another layer of complication when you are trying to stop your good name from being used in financial crimes.

HAPANI relies on people volunteering their time – Mr Abdulahi himself is not paid for his work, and gave up his own time to carry out his own personal investigation, which led to a folder full of documents with email trails, correspondence with law enforcement in several countries, and registration details which outlines IP addresses and related addresses and phone numbers all over the world.

He said: “If you consider the long-term impact for the charity, there is real concern. Our trustees and the people who help us do this because of their own good will.

“They don’t get any return other than supporting people, but spent their time, skills and expertise helping vulnerable people in our community. But, at the same time, if data is being abused in this way, people will be hesitant to support us.”

The work of HAPANI itself could also be directly under threat. Ms Griffith told Scope: “One of the aims of HAPANI when it was set up was to raise money to transfer to the Horn of Africa to sponsor schools and get children into those schools. It occurred to me that if HAPANI was linked in any way to some fraud it might prevent us from doing that.

“There are already lots of restriction that prevent anyone transferring money to Somalia. There is a real risk that being linked to a scam like this might prevent us from fulfilling one of our charitable aims.”

A fix is needed

Mr Abdulahi told Scope: “I learned a lot when researching this and found out that they scammers can hijack an individual’s IP address and can register whatever they want using that. There is also no guarantee that the address and phone number that is linked to the IP will be correct.”

These fraudsters could be a very small number of people – even one person – sat in a room somewhere (Mr Abdulahi thinks they are based in the Netherlands because the only common link between the sites were IP addresses in The Hague) but the digital nature of the crime means it crosses all sorts of borders – victims in different countries, registered addresses in different countries, and HAPANI itself in the UK, a different country again.

“Small charities are very vulnerable to phishing. If they don’t have the expertise or if they don’t have the resources it is difficult to begin to look into these things – and even if they do have the resources there’s no finality. You can get all the information and the IP addresses and keep records of what happened but there is no-one specific there to shut it down.”

Mr Abdulahi would like to see an effective solution put in place to allow anyone to deal with misuse of information, misrepresentation or similar frauds.

The difficulty is that it is absolutely essential that this works over borders, which means different jurisdictions have to agree terms – but, if they don’t, it allows scammers to continue to easily evade proper investigation, let alone prosecution.

“If the NHS or big companies are targeted by scammers it gets into the headlines and there could be legislation passed, but that’s not the case for a small charity. Everyone puts up a website but they don’t necessary ask about the long-term impacts and it could be disastrous if this sort of thing is linked to your organisation.

“There has to be some sort of cross-border enforcement people can pursue, no matter where these websites are created.”

Both Mr Abdulahi and Ms Griffith wondered if the Charity Commission could provide an advocacy hub for organisations who find they are being abused in this way.

Ms Griffith said: “All the small charities have to register with the Charity Commission, perhaps in exchange for everyone doing all that paperwork they could take on incidents like this, but it’s totally beyond the scope of smaller organisations. For transparency charities should all be open - but they need to be protected.”

This should give pause for thought for any small third-sector organisation. HAPANI didn’t do anything wrong – they didn’t do anything at all, other than having a website as part of their normal organisational practice – and they were not even the ultimate intended victims of the fraud at hand.

Had some of the financial targets of the scam not happened to get in touch with them they would never even have know this was happening, and yet it has left their organisation with real risks for both their reputation and their core functions.

Who knows how many other victims are out there, having had money stolen from them under HAPANI’s branding? Who knows how many other organisations are being used in this same way? It is implausible that they are the only one being abused by this group of scammers, phishing being an exercise in spam, let alone the innumerable other digital fraudsters around the world.

Better protection is required.

Join the Conversation...

We'd love to know your thoughts on this article.
Join us on Twitter and join the conversation today.

Join Our Newsletter

Get the latest edition of ScopeNI delivered to your inbox.