Fraudulent Email Scheme Costs One Parish $1.75 Million

Two lessons for church leaders to draw from this unfortunate story.

A Catholic parish in Ohio was a recent victim of a major fraud perpetrated through the use of fake emails. According to news reports, the church was in the midst of a large construction project. Fraudsters used emails that appeared to originate from church workers’ email accounts to convince other church workers to change the bank account routing information for the church’s construction company.

As a result of changing the bank account information, the parish said wire transfers worth $1.75 million were never received by the construction company. Rather, the funds were misdirected to a separate bank account, out of which the fraudsters swept the funds. The church discovered the theft when the construction company contacted the church and inquired about overdue payments. The church said it immediately contacted local police, the construction company, and the bank. The Federal Bureau of Investigation (FBI) was later brought in.

Because news accounts and information issued by the church refer to both “hacking” and “spoofing,” it is not clear whether the perpetrators actually “hacked” the email accounts of church workers or “spoofed” them. As of the time this article was published, church officials had not returned communications from BMWL, which sought to learn whether the email accounts were actually hacked. If the fraudsters actually hacked the church workers’ email accounts, then the emails instructing other church workers to change the bank account information were indeed from within the church’s internal email system (although not actually sent by the workers from whom they appeared to come). If the email accounts were spoofed, then the emails may have appeared to come from within the church’s system, but a closer look at the sender information should have revealed that they did not.
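The "closer look at the sender information" described above, as an added example that is not part of the original article: it compares the visible From domain with Reply-To, Return-Path, and the receiving server's Authentication-Results verdicts. The domains and both messages are constructed, and the example goes one step beyond the text by showing that a message sent from a genuinely hacked mailbox passes every header check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "parish.example"  # assumed organization domain (constructed)

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_findings(raw, org_domain=ORG_DOMAIN):
    """List reasons the visible sender of a message should not be trusted."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    if from_dom != org_domain:
        findings.append(f"From domain {from_dom!r} is not {org_domain!r}")
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom!r} differs from From domain")
    # Verdicts stamped by the receiving mail server (Authentication-Results).
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{method.lower()}={result.lower()}")
    return findings

# Constructed sample: spoofed From line, replies diverted to a lookalike domain.
SPOOFED = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.parish.example; spf=pass smtp.mailfrom=mailer.example; dkim=none; dmarc=fail header.from=parish.example
From: "Business Manager" <manager@parish.example>
Reply-To: manager@parish-office.example
Subject: Updated bank details

"""

# Constructed sample: sent from the real mailbox after an account takeover.
HACKED = """\
Return-Path: <manager@parish.example>
Authentication-Results: mx.parish.example; spf=pass smtp.mailfrom=parish.example; dkim=pass header.d=parish.example; dmarc=pass header.from=parish.example
From: "Business Manager" <manager@parish.example>
Subject: Updated bank details

"""

if __name__ == "__main__":
    print(sender_findings(SPOOFED))  # four findings
    print(sender_findings(HACKED))   # [] : headers alone cannot catch this
```

The empty result for the second message is the point: when the mailbox itself is compromised, header inspection finds nothing, so the request still has to be confirmed by means other than email.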

Either way, there are important lessons in this scenario.

One, any email communications that request or affect significant financial transactions or transfers for a church should be independently verified using means other than email (personal conversations, phone calls to known phone numbers of the persons thought to be sending the messages, and so on).

And two, with any electronic disbursements made by a church, it is also important to independently verify the accuracy of the recipient’s bank account information prior to sending funds—especially when the transfers are large in amount.

Adapted from a post originally published by Batts Morrison Wales & Lee (BMWL). Used with permission. Michael Batts, Jr. is the Director of Systems Innovation and Security for BMWL. Mike Lee is a partner and the National Director of Audit & Assurance services for BMWL. Mike Batts is the Managing Partner of BMWL and an editorial advisor for Church Law & Tax.
