A Catholic parish in Ohio was a recent victim of a major fraud perpetrated through the use of fake emails. According to news reports, the church was in the midst of a large construction project. Fraudsters used emails that appeared to originate from church workers’ email accounts to convince other church workers to change the bank account routing information for the church’s construction company.
As a result of changing the bank account information, the parish said wire transfers worth $1.75 million were never received by the construction company. Rather, the funds were misdirected to a separate bank account, out of which the fraudsters swept the funds. The church discovered the theft when the construction company contacted the church and inquired about overdue payments. The church said it immediately contacted local police, the construction company, and the bank. The Federal Bureau of Investigation (FBI) was later brought in.
Because news accounts and information issued by the church refer to both “hacking” and “spoofing,” it is not clear whether the perpetrators actually “hacked” the email accounts of church workers or “spoofed” them. As of the time this article was published, church officials had not returned communications from BMWL, which sought to learn whether the email accounts were actually hacked. If the fraudsters actually hacked the church workers’ email accounts, then the emails instructing other church workers to change the bank account information were indeed sent from within the church’s internal email system (although not by the workers from whom they appeared to come). If the email accounts were spoofed, then the emails may have appeared to come from within the church’s system, but a closer look at the sender information should have revealed that they did not.
Either way, there are important lessons in this scenario.
One, any email communications that request or affect significant financial transactions or transfers for a church should be independently verified using means other than email (personal conversations, phone calls to known phone numbers of the persons thought to be sending the messages, and so on).
And two, with any electronic disbursements made by a church, it is also important to independently verify the accuracy of the recipient’s bank account information prior to sending funds—especially when the transfers are large in amount.
Here is a link to a news account covering this incident.
Adapted from a post originally published by Batts Morrison Wales & Lee (BMWL). Used with permission. Michael Batts, Jr. is the Director of Systems Innovation and Security for BMWL. Mike Lee is a partner and the National Director of Audit & Assurance services for BMWL. Mike Batts is the Managing Partner of BMWL and an editorial advisor for Church Law & Tax.