Scammer targets local trust: E-mail scheme seeks data from Pulliam grant recipients

An Internet scammer borrowed the identity of a high-profile local foundation this month, blasting out an error-riddled e-mail message that solicited personal information from former grant recipients.

Leaders of the Nina Mason Pulliam Charitable Trust responded by sending its own e-mail to all 2,400 individuals on its electronic contact list, instructing them to disregard the fake missive that promised a $2.5 million grant.

Fallout from the so-called phishing attack appears to be minimal so far, trust CEO Harriet M. Ivey said, but repercussions are still possible if the original e-mail was widely circulated.

“My concern is if it gets into the hands of somebody who doesn’t understand philanthropy and grant-making,” she said. “There are people out there who sell lists of foundations that sup- posedly are giving away money. If it reaches that kind of audience, people could get very excited.”

Officials discovered the scam July 5 after hearing from former grant recipients in Indianapolis and Muncie who received a message from someone using a London address and identifying himself as Olubode Frank, president and executor of the “Nina Mason Pulliam Foundation.”

The e-mail, which includes boilerplate material obviously lifted from the real trust’s Web site, also refers to the organization as the “Nina Mason Grants Foundations.”

Recipients were told they were set to receive a $2.5 million grant from Pulliam, provided they respond with a variety of personal information, including telephone and fax numbers, address, age and occupation.

Although seemingly innocuous, such information is “gold” to skilled phishers, said Markus Jakobsson, associate director of Indiana University’s Center for Applied Cybersecurity Research. Scammers compile data and could use it for many purposes, including laundering funds through an individual’s bank account.

“They could do a lot without you ever realizing anything happened,” he said.

The real trust, which has offices in Indianapolis and Phoenix, was established in 1997 following the death of its namesake-a philanthropist, business leader and journalist who ran Central Newspapers Inc. in the late 1970s after the death of her husband, Eugene C. Pulliam. CNI published The Indianapolis Star before the company’s sale to Gannett Co. in 2000.

Trust leaders tap into an asset pool now worth $350 million to make three rounds of grants each year to support causes Pulliam loved in her home states of Arizona and Indiana.

The scammer took liberties with that, too, expanding the trust’s focus areas to include “the whole world and all humanitarian race.”

It’s not clear how many people received the fake e-mail, but the trust notified everyone on its mailing list, just in case. All its contacts know better than to buy into the obvious deception, Ivey said.

“People are fairly well-informed about our giving guidelines,” she said, and the scammer’s own missteps largely discredited the message. “[He] really took it to the nth degree, which should make people even more skeptical.”

Also, the original e-mail had a Yahoobased return address, raising further questions about its origins. Communications from the trust come from its nmpct.org domain.

The trust’s computer systems have sophisticated firewalls, Chief Financial Officer Bob Lowry said, and a review after the incident did not detect any signs the safeguards had been breached.

He nevertheless reported the incident to the Secret Service office in Indianapolis, since that agency investigates such scams. Assistant Special Agent in Charge Walter Burns said if no financial loss is involved, an investigation is unlikely.

“We get dozens of complaints a week,” he said, mostly from individuals who have received fraudulent e-mails.

Burns does not believe any other businesses have reported having their identities used for such schemes. But some experts don’t believe this incident will be the last.

“Attackers are becoming more and more dedicated to doing better research,” said Jakobsson, the IU cybersecurity expert. “They’re getting smarter.”

If individuals get e-mails from an institution-be it a bank or a charity-they already do business with, they may be more likely to make the desired response. For that reason, scammers will be trying harder to identify and exploit those relationships.

CACR researchers studied that theory recently, using a public database to identify people who knew one another, then sending an e-mail from a “friend” asking them to click on a link. A full 75 percent of recipients did-quite impressive considering the single-digit response to most phishing schemes.

“It was totally astonishing,” Jakobsson said. “If you get an e-mail from a bank you’ve never heard of, you know it’s fake. If you get it from your bank, that’s another question.”

Same goes for other organizations, he said, including the ever-expanding world of not-for-profits. And that could harm the charities themselves.

“Something like this could negatively impact their credibility if someone actually falls for it,” said Joe Baker, executive director of the San Francisco-based Nonprofit Technology Enterprise Network. “Just having to tell people it happened could raise questions in people’s minds.”

Response to the trust’s message about the scam has been supportive, Ivey said.

“People are very sympathetic, wondering, how could someone do something like this?” she said. “It does feel strange, seeing information about [Mrs. Pulliam] being manipulated this way.”

Still, the trust is luckier than other not-forprofit “victims” might be, since it doesn’t solicit funds from the public. If an operating charity went through the same experience, it could suffer a major setback.

“Our strength is our reputation, and anything that changes that could be quite damaging,” Baker said. “Nonprofits are raising more and more money online. Things like this could make that more difficult.”