A church in Brunswick, Ohio was scammed out of a whopping $1.75 million as a result of a business email compromise (BEC) attack.
St. Ambrose Catholic Parish, which has around 16,000 members, has been working on a massive $4 million church renovation, dubbed “Vision 20/20” – but attackers figured out a way to hack into the church’s email system, take control of two church employee accounts, and eventually divert payments related to the project to a fraudulent account owned by them.
According to local reports, the church said in a letter to parishioners over the weekend that it was notified of the issue on April 17, after the construction company behind the renovations contacted the church saying it had missed payments on the project.
“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months, totaling approximately $1,750,000,” according to an email sent by the church to parishioners. “This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”
After involving the Brunswick police and the FBI, the church discovered that their email system was hacked and that bad actors had taken control of two employee email accounts.
Using these two hacked accounts, the attackers were able to pretend they were the email accounts’ real owners, and deceived other employees into believing Marous Brothers had changed their bank and wiring instructions. The $1.75 million in church payments for two months were then sent to a fraudulent bank account owned by the cybercriminals.
“The money was then swept out by the perpetrators before anyone knew what had happened,” according to the church. “Needless to say, this was very distressing information.”
The church said it is currently working with the FBI and its insurance company to try to recover the stolen funds. Meanwhile, it said, no other data – such as databases with parishioner information or church financial information – has been compromised.
According to the FBI’s annual Internet Crime Report (IC3) for 2018, BEC scams ultimately drained victims of over $1.2 billion last year. For contrast, in 2017, BEC attacks resulted in adjusted losses of $675 million.
St. Ambrose Catholic Parish isn’t the first high-profile community case, either. The FBI in its report said it received a complaint from a town in New Jersey that fell victim of a BEC scam — and transferred over $1 million to a fraudulent account (the FBI was able to freeze the funds and return the money to the town). Individuals suffer too: In another case, a BEC victim received a email purporting to be from their closing agent during a real-estate transaction — resulting in the person initiating a wire transfer of $50,000 to a fraudster’s bank account located in New York.
Ronnie Tokazowski, senior threat researcher at Agari, told Threatpost there are several steps that firms – and individuals – can take to protect against BEC scams.
“For BEC protections, there are several things that organizations and individuals can do to not fall victim,” he said. “Firstly, implementing a DMARC [which stands for Domain-based Message Authentication, Reporting and Conformance and is an email authentication protocol] solution can help organizations look at the reputation of senders who may be spoofing their CEO’s, asking for wire transfers or gift card. For individuals, being informed about the different types of scams that actors are using can be helpful as well.”