
Email scam creates unholy mess for Catholic diocese

9th May 2019

A devilish business email compromise (BEC) scam has created an unholy mess for one American Catholic diocese after scammers got away with $1.75m.

Cyber scams put the fear of God into many businesses, but now it seems not even the Lord himself is safe from the wave of cybercrime engulfing the globe. Hackers managed to steal more than a million pounds from an Ohio church diocese by posing as the contractors hired for church renovations.

The diocese is a big one, encompassing 5,000 families and 16,000 members in its congregation. In a letter to parishioners, Father Bob Stec explained the church had become aware of the scam after the actual contractors enquired about missing payments totalling approximately $1,750,000.

“This was shocking news to us,” Stec wrote, “as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to [contractors] Marous were executed/confirmed.”

An investigation by the FBI uncovered that the church’s email system had been hacked. The criminals, posing as the contractors, changed the bank account and wiring instructions for payment on the renovations.

“The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened,” confirmed Stec.

It’s a sad story for the diocese and its parishioners, especially only a few weeks on from the holy Easter period. But the case illustrates the simple yet brutal effectiveness of BEC scams.

The entry route, in this case, was likely phishing: scammers send an email designed to trick an unsuspecting victim into accidentally downloading malware or divulging sensitive information. Often, the sender presents themselves as a trusted source: a bank or a supplier, perhaps. The diocese was a prime target because of the large renovations, a process entailing large payments to a construction firm. 

To the church’s credit, it is far from the first entity to fall for a phishing scam. The infamous hacks of Hillary Clinton’s presidential campaign in 2016, for example, weren’t the result of elaborate hacking; instead, they were phishing attacks facilitated by poorly trained campaign workers.

After combing social media for names of Clinton employees, the hackers sent a link to an Excel document named ‘hillary-clinton-favorable-rating.xlsx’ from an email account meant to look like a member of the Clinton campaign team. Clinton staffers who opened the Excel document were directed to a dummy website that stole their personal data.

Two-factor authentication (2FA) is a tried and tested way to fight back against these attacks. This is an added layer of security beyond a password and username, usually involving a code sent to your mobile phone which you then enter before gaining access to a site.

“Use two-factor authentication for all services where possible,” Stewart Twynham, an information security expert, told AccountingWEB. “This should be mandatory for all administration controls, financial and other critical systems.”
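To show concretely why a second factor blunts a phished password, here is an added example (not code from the article, AccountingWEB or any bank) of the mechanism described above: a time-based one-time code (TOTP, RFC 6238) checked alongside the password. The account, the username "finance", the password and the salt are constructed for the example; the TOTP secret is the RFC 4226/6238 test key. The verifier also refuses to accept a code whose time step has already been used, so a code captured on a phishing page cannot be replayed a moment later.

```python
import hashlib
import hmac
import struct

# RFC 4226/6238 shared test secret, used here as a constructed example key.
# A real deployment generates a random per-user secret and enrols it on the user's phone.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


def derive_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the first factor; the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One user: password hash plus TOTP secret, with replay protection on the code."""

    def __init__(self, password: str, totp_secret: bytes, salt: bytes):
        self.salt = salt
        self.password_hash = derive_password(password, salt)
        self.totp_secret = totp_secret
        self.last_counter = -1   # highest time-step counter already accepted


def verify_code(account: Account, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    but never a counter at or below one already used, so a captured code cannot be replayed."""
    for drift in range(-window, window + 1):
        counter = unix_time // step + drift
        if counter <= account.last_counter:
            continue
        if hmac.compare_digest(hotp(account.totp_secret, counter), code):
            account.last_counter = counter
            return True
    return False


def login(accounts: dict, username: str, password: str, code: str, unix_time: int) -> bool:
    """Both factors must pass; a stolen password alone is not enough."""
    account = accounts.get(username)
    if account is None:
        return False
    if not hmac.compare_digest(derive_password(password, account.salt), account.password_hash):
        return False
    return verify_code(account, code, unix_time)


def demo() -> dict:
    """Constructed walkthrough; returns the outcome of each login attempt."""
    accounts = {"finance": Account("correct horse", DEMO_SECRET, salt=b"constructed-salt")}
    now = 1111111109                                 # one of the RFC 6238 test times
    good_code = totp(DEMO_SECRET, now)               # what the user's authenticator shows
    return {
        "password_only": login(accounts, "finance", "correct horse", "000000", now),
        "password_and_code": login(accounts, "finance", "correct horse", good_code, now),
        "replayed_code": login(accounts, "finance", "correct horse", good_code, now + 5),
        "wrong_password": login(accounts, "finance", "guess", good_code, now),
    }


if __name__ == "__main__":
    for attempt, ok in demo().items():
        print(f"{attempt}: {'accepted' if ok else 'rejected'}")
```

The phished password on its own fails, the password plus the current code succeeds once, and the same code presented again five seconds later is rejected because its time step has already been consumed. Codes sent by SMS, as the article describes, are checked the same way on the server side; the difference is only in how the code reaches the user.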

Replies (4)


By supremetwo
09th May 2019 13:01

Far too easy for the scammers to open and use bank accounts for the fraudulent transfers.

How about making any bank that allowed an unidentifiable fraudster to open a receiving account being made to repay the fraud?

Thanks (3)
By Lone_Wolf
09th May 2019 16:41

It astounds me that God lets his followers suffer in such a way. Surely as He is all knowing and all powerful, He could put some of that power towards stopping these scam emails targeting his faithful followers. Almost defies belief.

Thanks (0)
Replying to Lone_Wolf:
By pauljohnston
16th May 2019 10:39

Perhaps God decided that if he changed it all the Church would not bother to beef up security.

Taking a hit this size will mean that all religious organisations are on notice that their bank accounts can be affected by poor credit control.

Thanks (0)
Replying to Lone_Wolf:
By Dandan
17th May 2019 16:39

Perhaps the Catholic church needs to get its bite back. Maybe rekindle its link with Cosa Nostra and go hunt for the culprits and get medieval on them.

Thanks (0)