BEC Hack Cons Catholic Church out of $1.75 Million

An Ohio parish lost a whopping $1.75 million after attackers breached two employees’ email accounts – and then tricked other employees into sending wire transfers to a fraudulent bank account.

A church in Brunswick, Ohio was scammed out of $1.75 million as a result of a business email compromise (BEC) attack.

St. Ambrose Catholic Parish, which has around 16,000 members, has been working on a massive $4 million church renovation, dubbed “Vision 20/20” – but attackers figured out a way to hack into the church’s email system, take control of two church employee accounts, and eventually divert payments related to the project to a fraudulent account owned by them.

According to local reports, the church said in a letter to parishioners over the weekend that it was notified of the issue on April 17, after the construction company behind the renovations contacted the church saying it had missed payments on the project.

“On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months, totaling approximately $1,750,000,” according to an email sent by the church to parishioners. “This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”

After involving the Brunswick police and the FBI, the church discovered that its email system had been hacked and that bad actors had taken control of two employee email accounts.

Using these two hacked accounts, the attackers were able to pose as the accounts’ real owners and deceived other employees into believing Marous Brothers had changed its bank and wiring instructions. Two months of church payments, totaling $1.75 million, were then sent to a fraudulent bank account owned by the cybercriminals.

“The money was then swept out by the perpetrators before anyone knew what had happened,” according to the church. “Needless to say, this was very distressing information.”

The church said it is currently working with the FBI and its insurance company to try to recover the stolen funds. Meanwhile, it said, no other data – such as databases with parishioner information or church financial information – has been compromised.

BEC scams continue to plague companies as attackers become more advanced – particularly as infamous BEC groups like London Blue, Scarlet Widow and others continue honing their techniques.

This article was written by Lindsey O’Donnell and originally appeared in ThreatPost.

Human error is the main cause of most successful corporate cyber attacks. Training your employees to be more aware is the best defense an IT department can implement. Contact an MDS cyber security expert today for more information!
