Even if they had never heard of Christopher Oechsli, a lot of people who read what landed in their inboxes on October 29 had every reason to believe he was a pretty generous guy.
In the message, Mr. Oechsli, president of Atlantic Philanthropies, said the New York foundation was planning to give away $1-million randomly.
"On receipt of this email, you should count yourself as the lucky individual," the email read.
So had the foundation, which has announced plans to cease operations by 2020, resorted to giving away its assets blindly to help it spend down?
Quite the contrary. The foundation was the victim of a phishing attack, a criminal attempt to use an established brand name to lure Internet users into providing personal information like Social Security or bank-account numbers. In the past 18 months, the foundation has dealt with seven such attacks.
When it happened late last month, the foundation was tipped off by emails from people asking, "Is this for real?" says Elizabeth Cahill, the foundation’s director of digital communications, and immediately posted a warning on its website.
In addition to listing seven emails that had been fraudulently sent out under the name of Mr. Oechsli or Charles Feeney, the philanthropy’s founder, the warning asked recipients of the scam to report the abuse to email@example.com.
During the first half of 2014, 6,271 phishing attacks targeted the "dot-org" Internet domain name often used by nonprofits, according to a study by the Anti-Phishing Working Group, a consortium of industry groups and international organizations. In total, there are more than 10 million dot-org domain names.
Other organizations have been frequent targets.
For instance, a message similar to the one that used Atlantic’s name was sent out this week using the Walton Family Foundation’s name.
In the email, an imposter posing as Buddy Philpot, who manages the philanthropic legacy of the Wal-Mart founder Sam Walton and his wife, Helen, asks readers to "get back to me at your earliest convenience" to claim $5-million.
The foundation has not identified where the emails originated, says Kevin Thornton, a spokesman for the Bentonville, Ark. philanthropy. Recipients of the email, he says, should not forward it, click on any links in it, or reply to it.
"If you receive that email, immediately delete it," he says.
The Nelson Mandela Foundation’s website lists dozens of scams over the past four years that used the South African civil-rights leader’s name, including attempts using text messages, Twitter, and a hoax using the William Jefferson Clinton Foundation’s name to get people to give up their personal information.
World Vision has also been phished on a regular basis, according to Stu Cozart, an information security analyst at the international humanitarian aid charity. The scams, he says, occur at least monthly and spike during high-profile disasters like the 2010 Haiti earthquake.
Sometimes the frauds involve emails claiming to be from a senior leader of the nonprofit, offering to hire the recipient to cash a cashier’s check and then send the money overseas using a wire service. Other times they offer employment or they directly solicit donations.
To assure their gifts are going to the right place, potential donors to the charity should type World Vision’s URL directly into their web browser to get accurate information instead of clicking on a link on an email, Mr. Cozart says.
Like Mr. Cozart, Ms. Cahill of the Atlantic Philanthropies reports phishing attempts to law-enforcement authorities.
So far, she says, reports to the U.S. Computer Emergency Readiness Team and the Internet Crime Complaint Center, an effort headed by the Federal Bureau of Investigation and the National White Collar Crime Center have gone without a response. In May, the Internet Crime Complaint Center reported that it had received 3-million complaints since it was created in 2000.
Although she trusts that the center will take action if and when it is appropriate, Ms. Cahill said the complaints sometimes seem like they’re "going into a black hole."
"We do our best to prevent these things," she says. "but we can’t control everything."