Hackers stole $1.75 million from Saint Ambrose Catholic Parish through a business email compromise (BEC) attack, in which attackers trick email users into sending money to the wrong bank accounts. The attack was discovered on April 17, after the contractor for the Vision 2020 project asked the church why it had not received its monthly installment.
BEC, also known as email account compromise (EAC), is very common among hackers because it requires little technical skill: it relies on tricking people into wiring money to a seemingly trusted bank account that is usually controlled by the hackers.
The parish’s website states, “With 16,000 members made up of 5,00 families, Saint Ambrose is the second largest church in the Diocese of Cleveland and the largest church in Brunswick, Ohio.”
Pastor Father Bob Stec sent a letter to the parish saying, “On Wednesday, Marous Brothers called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed.”
An FBI investigation of the incident found that the hackers compromised the parish's email system through a phishing attack and convinced the staff that the contractor had changed its bank account, leading them to transfer the money to the fraudulent bank account.
According to the investigation, only the parish's email system was hacked, while the database is "stored in a secure cloud-based system. This allows for many layers of security/protection of our parish database information."
According to cleveland.com, Father Stec's letter also states, “We are now working closely with the Diocese, legal counsel, the insurance program, and the FBI to investigate the situation further and file the appropriate insurance claims. At the same time, we brought in information technology consultants to review the security and stability of our system, change all passwords, and verify the integrity of our databases and other pertinent information. They have determined the breach was limited to only two email accounts.”
The parish has submitted an insurance claim so that it can pay the contractor for the Vision 2020 project in a timely manner.