St. Ambrose Catholic Parish lost nearly $2 million to a combined email scam and social engineering phone call, and it may not get the money back. The attack used a basic wire fraud technique that’s becoming all too common. The attacker contacted the church and claimed to be from the construction company that had been working on a renovation project. They convinced the church that the construction company had changed banks and instructed it to wire the company’s payments to the “new” one.
According to the FBI, the criminals also breached the church’s email account, then began a waiting game during which they sat back and read all of the conversations in the inbox. Eventually, they gleaned enough information to convince the church to wire them money. Before the church realized what had happened, it was out $1.75 million in the middle of a major renovation. All it took to derail the good intentions of the parish was a few emails, some Photoshop skills, and a phone call.
This type of attack underscores the importance of security awareness and the integrity of communications. In any matter that involves changing where money is sent (whether it’s a wire transfer, payroll direct deposit, online purchase, or anything else), it’s imperative to contact the requesting party in person to confirm the request. Don’t blindly trust an email message or phone call; those have been, and will continue to be, spoofed.