A housing charity has said it is “frustrated and angry” after being targeted by cybercriminals and losing nearly £1m.
Red Kite Housing, a charitable community benefit society, posted a statement on its website revealing that it has been conned out of £932,000.
It said details have been passed to ActionFraud and police are investigating. No customer data was put at risk. The charity has also strengthened its processes and worked to minimise the impact of the loss.
At the end of January it posted a detailed statement, which said it was trying to “maintain our transparency and be open about our recent experience”.
“To be blunt, we were conned. A sophisticated cybercrime which had a devastatingly simple result: we have lost money. More importantly, it is the money that our tenants work hard to entrust us with, and that is what makes it hurt even more,” the charity said.
Red Kite’s turnover for the financial year ending 31 March 2019 was £34.9m and it employed 127 full time equivalent staff.
It has encouraged others not to make the same mistakes it made, and said: “So learn from our experience – believe us, it is a lesson painfully learned!”
‘Missed opportunity to prevent the fraud’
Red Kite Housing said that criminals “mimicked the domain and email details of known contacts that were providing services to Red Kite.
“Through this they managed to recreate an email thread that misled those who were copied into the email that it was a genuine follow up to an existing conversation.”
Staff then failed to follow a two-stage process to verify changes to payments, meaning there was a “missed opportunity to shut the door before the money was taken. This is the part that upsets everyone involved.”
In a follow-up statement, the charity said that it could not disclose whether any action had been taken against individuals.
But it said it has strengthened systems and processes in the wake of the incident.
“We have continued to build additional security measures into our IT and to review completely all our processes in relation to payments in order to minimise the chance of a single point of weakness occurring in the future,” it said.
“Most importantly, we have strengthened further our staff training in the risks.”
Red Kite brought in technology experts to help gather evidence to pass on to the police.
“ActionFraud, the dedicated police unit that responds to cyber-crime, has passed this on to the police, who are still actively investigating what happened,” it said.
“They have reported that they are on the trail of the criminals and we are therefore going to respect the integrity of their investigation and the lines of enquiry on which they are currently working. We are, however, intent on making sure that we support and take all necessary action to recover the money that was taken.”
Downgraded by regulator
Red Kite Housing is regulated by the Regulator of Social Housing, which has downgraded its governance score following the incident.
The charity is now rated as “G2”, meaning it complies with the rules but needs to improve some aspects. It was previously rated “G1”, which is the highest of four scores.
The charity said it was unable to publish details of the incident, which occured in the summer, until the regulator’s embargo had lifted.
In a statement, the regulator said: “Red Kite has experienced a significant financial loss as a result of a fraud due to a basic failure in its system of internal controls.
“Improvements are required to Red Kite’s control framework to ensure that key financial controls are robust, operating in line with established policies and procedures and with appropriate leadership oversight.
“The provider has met its co-regulatory obligations in self-referring the matter to the regulator. The regulator is working with Red Kite to address the weaknesses identified.”