By Bruce Sussman
Thu | May 2, 2019 | 6:17 AM PDT

No one is immune from this type of cybercrime. If you have money in an account, you are a target.

Google has been fooled. Facebook has been fooled.

And now it has happened to Saint Ambrose Catholic Parish in Ohio.

Hackers used a Business Email Compromise (BEC) scam to get the parish to send them $1.7 million without the parish even knowing it.

Saint Ambrose is in the middle of a major construction and renovation project. Father Bob Stec typically writes about how well the project is going. It has been on time and on budget.

But this time he wrote an agonizing letter to the Saint Ambrose Parish, and announced in services, that nearly two million dollars was simply gone.

"On Wednesday, Marous Brothers [construction] called inquiring as to why we had not paid our monthly payment on the project for the past two months totaling approximately $1,750,000. This was shocking news to us, as we have been very prompt on our payments every month and have received all the appropriate confirmations from the bank that the wire transfers of money to Marous were executed/confirmed."

But in reality, those two payments went to hackers:

"Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions. The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened."

The deception involved a common theme in BEC cases.

Hackers get into someone's email account and start watching conversations for things like due dates, amounts due, and even the tone of emails.

They are then able to pose as a legitimate person, making a legitimate request.

"... in short, the perpetrator (unbeknownst to us) gained access to two employee email accounts which were used to deceive the parish and perpetrate the fraud."

The parish has filed a claim with its insurer. However, we've seen many cases where insurers deny the claim since an unwitting employee authorizes transactions like these. So there is more to come on this story.

Our SecureWorld conference team has heard a lot about BEC, our digital resources team has developed webinars on the topic, and our media team has written repeatedly about some interesting (and heartbreaking) cases of Business Email Compromise.

Here are some of the stories that shed light on this type of cybercrime and the fallout from it.

$18.6 Million in a Week: Employees Fired After BEC Scam

Google and Amazon Lose More than $100 Million to BEC Scams

Security Un-Awareness: Company Suing Employee After She Falls Victim to BEC Scam

Anything we can learn from these examples could help keep your organization from becoming a victim.

The stakes are high.

Because when hackers succeed in making millions, the motivation is there for them to keep finding new victims with this method of cyberattack.

On-Demand Resource: Email Fraud Case Studies: Real-World Attacks and Defense Strategies
