A US church has been hit by a major Business Email Compromise (BEC) attack, losing almost $1.8m after fraudsters tricked staff into changing a contractor’s payment details.
Saint Ambrose Catholic Parish — based in Brunswick, Ohio — is currently renovating its church in a Vision 2020 project. However, BEC scammers recently targeted the large monthly payments it makes to a local construction firm.
“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totalling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed,” explained father Bob Stec.
“Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened. Needless to say, this was very distressing information.”
Hackers are said to have compromised two email accounts to “deceive the parish and perpetrate the fraud.” It’s unclear how, although phishing is the most likely tactic.
“After reviewing our systems, to the best of our knowledge, only the email system was breached/compromised,” said Stec. “Our parish database is stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information.”
The church has submitted an urgent insurance claim in order to recoup the funds and pay its construction company, although there’s no guarantee that the policy will pay out.
The news comes a few days after an annual FBI report revealed that BEC attacks caused more losses than any other cyber-threat reported to its Internet Crime Complaint Center in 2018: a total of nearly $1.3bn.
Corin Imai, senior security advisor at DomainTools, argued the Saint Ambrose case highlights that no organization is safe from such scams.
“In addition to email filtering systems, those responsible for organizational finances should take the time to cross reference any emails they receive with those from addresses known to be genuine,” she added. “It’s better to make a legitimate transfer late than a fraudulent one promptly.”