The St. Ambrose Cathedral in Des Moines, Iowa, became the victim of an apparent cyber crime last month when unidentified hackers stole $680,000 by using a phishing lure to capture critical electronic information.
CBS News, reporting on the incident, quotes law enforcement and cyber security experts about how the hackers did it:
The heist begins with a technique known as spear phishing. In it, hackers lure an organization's financial officer with an email, a note that appears to be from a friend or the IRS, enticing them to click on a link.
That click opens the door to a malicious software infection that allows vital information, like bank passwords, to be captured.
Criminal groups can then wipe out the account, ultimately transferring the cash to their own accounts, in places like Russia or the Ukraine, leaving victims high and dry.
CBS News also highlights other recent victims from around the country, including one public library in Florida, and two local governments in New York and New Jersey.
That makes these types of crimes all the more troublesome, said Verne Hargrave, who presented "Fraud in the Church: High-Tech Style" last week at the National Association of Church Business Administration's annual conference in Washington, D.C.
It means hackers are aware of financial sources big and small all over the country, including churches, he said.
"These guys in Eastern Europe know about you guys," said Hargrave, a certified public accountant and author of Weeds in the Garden. "They know about what's going on, and know it may be an easy target."
Hargrave offered these six tips for avoiding an attack like the one in Iowa:
- Dual controls. Have at least two people involved in every account, every cash collection, and every cash payment system. With electronic funds transfers, separate the three processes (bill approval, bill preparation, and bill transfer).
- Dedicate a stand-alone computer. Use it only for electronic funds activity. It shouldn't be tied to an individual and it shouldn't have access to other financial databases. Limit its online activity. Keep its antivirus and firewall protection updated.
- Limit administrative rights. Only those with specific needs for accessing electronic financial activity should have access to the computer used to do it.
- Reconcile daily. Reconcile your church's bank accounts daily.
- Change passwords. Passwords need to be changed regularly, and preferably should combine upper- and lower-case letters with at least one numeral and one symbol.
- Don't e-mail files. Use secure connections for any electronic file transfers.
For more help on good electronic practices in church offices, check out Protecting Electronic Data.