There was big business security news out of Brunswick, Ohio (a part of the Cleveland metro area) last month, this time involving a church. According to local reporting, the St. Ambrose Catholic Parish recently announced to parishioners that they had been swindled out of a whopping $1.75 million. The attackers’ methods have real implications for churches and businesses alike. We’ll look into their methods, but first a little more detail on this fascinating story.
St. Ambrose is in the middle of a fundraising and building campaign. As with many older church buildings, repair and restoration are needed. The parish’s Vision 20/20 campaign was supposed to be the answer. This campaign called for raising $4 million needed for repair and restoration, and the fundraising efforts were well underway.
The church only discovered there was a problem when the construction firm they’d hired, Marous Brothers Construction, started inquiring about unpaid bills totaling $1.75 million. The church leadership had been prompt in paying its bills, so they thought, and even had receipts and confirmations for funds transfers. They didn’t understand how the accusation of nonpayment could be true. The funds had left the account, after all.
After involving the Brunswick police and eventually the FBI, an explanation surfaced. The church had indeed been hacked in a business email compromise attack, or BEC. An unknown attacker gained control over two church staff member email accounts. From there it was mostly social engineering.
The bad actors in control of these email accounts managed to convince (via email, of course) the rest of the relevant staff members that the construction company had changed its account information. The “new” account was, of course, controlled by the criminals. The most likely explanation from this point is that an actual, on-site staff member changed over the payment information, having been duped by very real emails that appeared to come from trusted colleagues.
The criminals kept the ruse going very effectively, apparently sending (bogus) confirmation emails so that the church staff thought they were paying the right people. Only when the construction company came calling was the breach finally discovered.
The church reported to local media that no other components of their IT infrastructure were compromised, including parishioner databases or stored financial information used for the church’s electronic giving service. The hack was isolated. All the hackers got was access to two email accounts. Yet they leveraged this small hack into a $1.75 million payday.
Stories like these underscore the importance of strong IT security, even in houses of worship. They also underscore the importance of training staff on recognizing the signs of phishing, social engineering, and other bad behavior.
Most BEC attacks don’t start as brute-force attacks. Rather, they start as phishing expeditions. Hackers lure credentialed people to give up their login information by presenting a sometimes extremely realistic fraudulent login page. The first step to preventing such attacks, then, is to educate your staff about how to spot phishing and other similar tactics. Teach staff not to assume that email is from who it appears to be from, especially emails that seem out of context or that ask for unexpected actions. At the enterprise level, implementing a better email authentication protocol like DMARC is an effective way to combat this kind of fraud.
Does your business need help preparing for BEC, phishing, or social engineering hacks? Contact us today for more information.