A Catholic Diocese in Ohio was a recent victim of a major fraud perpetrated through the use of fake emails. According to news reports, fraudsters used emails that appeared to originate from church workers’ email accounts to convince other church workers to change the bank account routing information for the church’s construction company. The church was in the midst of a large construction project. As a result of changing the bank account information, wire transfers in the reported amount of $1.75 million intended for the construction company were never received by the construction company. Rather, the funds were misdirected to a separate bank account out of which the fraudsters swept the funds. The church discovered the theft when the construction company contacted the church and inquired about overdue payments.
Because news accounts and information issued by the church refer to both “hacking” and “spoofing,” it is not clear whether the perpetrators actually “hacked” the email accounts of church workers or “spoofed” them. Church officials did not return communications from BMWL (as we sought to learn whether the email accounts were actually hacked) as of the time this article was published. If the fraudsters actually hacked the church workers’ email accounts, then the emails instructing other church workers to change the bank account information were indeed from within the church’s internal email system (although not actually sent by the workers from whom they appeared to come). If the email accounts were spoofed, then the emails may have appeared to come from within the church’s system, but a closer look at the sender information should have revealed that they did not.
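As an added illustration that is not part of the original article (and not BMWL's own material), the Python below performs the "closer look at the sender information" described above: it compares the visible From address against the Reply-To, the envelope Return-Path, the receiving server's SPF/DKIM/DMARC verdicts, and the organisation's own domain. The domain names, the sample message and the organisation domain `example-diocese.org` are all constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

def _domain(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def spoofing_indicators(raw_message: str, org_domain: str) -> list:
    """Reasons the visible sender of raw_message should not be taken at face value."""
    msg = message_from_string(raw_message, policy=policy.default)
    org_domain = org_domain.lower()
    from_domain = _domain(msg["From"])
    found = []
    # Lookalike sender domain: almost, but not exactly, the organisation's own.
    if from_domain != org_domain and \
            SequenceMatcher(None, from_domain, org_domain).ratio() > 0.8:
        found.append(f"lookalike From domain {from_domain} (expected {org_domain})")
    # Replies are routed somewhere other than the apparent sender.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Envelope (bounce) sender that does not match the visible From domain.
    return_domain = _domain(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        found.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    # The receiving mail server's own SPF/DKIM/DMARC verdicts, where it recorded them.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            found.append(f"{mech}={m.group(1)}")
    return found

# Constructed sample: the From line looks internal, but every other trace points elsewhere.
SPOOFED = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example-diocese.org; spf=fail smtp.mailfrom=mailer-example.net; dkim=none
From: "Fr. Smith" <fr.smith@example-diocese.org>
Reply-To: <fr.smith@example-diocese-finance.com>
To: bookkeeper@example-diocese.org
Subject: Updated wiring instructions for the contractor

Please update the contractor's bank routing information before the next draw.
"""

if __name__ == "__main__":
    for reason in spoofing_indicators(SPOOFED, "example-diocese.org"):
        print("-", reason)
```

A genuinely hacked internal account produces none of these indicators, which is why the out-of-band verification the article recommends is still needed even when the headers look clean.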
Either way, this scenario offers important lessons. Any email communication that requests or affects a significant financial transaction or transfer should be independently verified through a channel other than email (a conversation in person, a phone call to a known phone number of the person thought to be sending the message, etc.). With electronic disbursements, it is also important to independently verify the accuracy of the recipient’s bank account information before sending funds – especially for large transfers.
Here is a link to a news account of this incident.