A devilish business email compromise (BEC) scam has created an unholy mess for one American Catholic diocese after scammers got away with $1.75m.
Cyber scams put the fear of God into many businesses, but now it seems not even the Lord himself is safe from the wave of cybercrime engulfing the globe. Hackers managed to steal more than a million pounds from an Ohio church diocese by posing as the contractors hired for church renovations.
The diocese is a big one, encompassing 5,000 families and 16,000 members in its congregation. In a letter to parishioners, Father Bob Stec explained the church had become aware of the scam after the actual contractors enquired about missing payments totalling approximately $1,750,000.
“This was shocking news to us,” Stec wrote, “as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to [contractors] Marous were executed/confirmed.”
An investigation by the FBI uncovered that the church’s email system had been hacked. The criminals, posing as the contractors, changed the bank account and wiring instructions for payment on the renovations.
“The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened,” confirmed Stec.
It’s a sad story for the diocese and its parishioners, especially only a few weeks on from the holy Easter period. But the case illustrates the simple yet brutal effectiveness of BEC scams.
The entry route, in this case, was most likely phishing: an email designed to trick an unsuspecting recipient into opening a malicious attachment or handing over credentials. Often the sender poses as a trusted party, such as a bank or a supplier. In a BEC scam the prize is usually the mailbox itself: once inside, the attacker can read the genuine payment correspondence and reply from it, or from a look-alike address, with altered bank details, which is why the messages look legitimate to the finance staff who act on them. The diocese was a prime target because of its large renovation project, which entailed regular large payments to a construction firm.
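The tell-tale signs of a vendor-impersonation email, a display name that matches a known supplier while the sending domain does not, a look-alike domain one or two characters off the real one, a Reply-To that points somewhere else, and wording about changed bank details, can be checked mechanically before a payment instruction is acted on. The following is an added example written for this article, not code from the diocese, the FBI or any product mentioned here; the vendor name, domains and the two sample messages are constructed for illustration.

```python
"""Flag the headers and wording that typically mark a vendor-impersonation (BEC) email."""
import email
from email import policy
from email.utils import parseaddr

# Constructed list of suppliers the finance team pays, mapped to the domain
# their genuine invoices come from (hypothetical names and domains).
TRUSTED_VENDORS = {
    "Marous Brothers Construction": "marousbrothers.example",
}

# Phrases that accompany most "please pay us somewhere new" fraud attempts.
PAYMENT_CHANGE_PHRASES = (
    "new bank account", "updated wiring instructions", "updated bank details",
    "change our account", "remit to the following account",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw: str, vendors: dict = TRUSTED_VENDORS) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr) if reply_addr else ""

    # 1. Replies are silently redirected to a different domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    for vendor, real_dom in vendors.items():
        # 2. Display name claims to be a known supplier but the domain is not theirs.
        if vendor.lower() in from_name.lower() and from_dom != real_dom:
            findings.append(f"display name claims {vendor!r} but sender domain is {from_dom}")
        # 3. Sending or reply domain is a near-miss of the supplier's real domain.
        for dom in {from_dom, reply_dom} - {""}:
            if 0 < edit_distance(dom, real_dom) <= 2:
                findings.append(f"domain {dom} is a look-alike of {real_dom}")

    # 4. The body asks for payment details to be changed.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    for phrase in PAYMENT_CHANGE_PHRASES:
        if phrase in text:
            findings.append(f"payment-change language: {phrase!r}")
            break
    return findings


# Constructed sample: a fraudulent message using a hyphenated look-alike domain.
FRAUD_MESSAGE = """\
From: "Marous Brothers Construction" <accounts@marous-brothers.example>
Reply-To: accounts@marous-brothers.example
To: finance@diocese.example
Subject: Updated wiring instructions for April draw
Content-Type: text/plain; charset="utf-8"

Please note we have updated bank details for all future payments.
"""

# Constructed sample: a genuine invoice from the real domain.
LEGIT_MESSAGE = """\
From: "Marous Brothers Construction" <ar@marousbrothers.example>
To: finance@diocese.example
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Invoice for the April draw is attached. Bank details are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, bec_indicators(raw) or "no indicators")
```

None of these checks proves fraud on its own, and a compromised real mailbox will pass the first three, which is why the last line of defence is procedural: any change to a supplier's bank details is confirmed by telephone on a number already on file before the next payment goes out.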
To the church’s credit, it is far from the first entity to fall for a phishing scam. The infamous hacks of Hillary Clinton’s presidential campaign in 2016, for example, weren’t the result of elaborate hacking; instead, they were phishing attacks facilitated by poorly trained campaign workers.
After combing social media for names of Clinton employees, the hackers sent a link to an Excel document named ‘hillary-clinton-favorable-rating.xlsx’ from an email account meant to look like a member of the Clinton campaign team. Clinton staffers who opened the Excel document were directed to a dummy website that stole their personal data.
Two-factor authentication (2FA) is a tried and tested way to fight back against these attacks. This is an added layer of security beyond a password and username, usually involving a code sent to your mobile phone which you then enter before gaining access to a site. Codes delivered by SMS are the weakest form, since they can be intercepted or simply phished along with the password; an authenticator app or a hardware security key is stronger. Note, too, that 2FA protects the mailbox, not the payment: a request to change a supplier's bank details should always be confirmed by phone on a number already on file, never on one given in the email making the request.
“Use two-factor authentication for all services where possible,” Stewart Twynham, an information security expert, told AccountingWEB. “This should be mandatory for all administration controls, financial and other critical systems.”