St. Ambrose Catholic Parish in Brunswick, Ohio, was hit with a business email compromise scam that conned the church out of $1.75 million, the church said in a letter to parishioners.
The threat actors tricked church officials into believing the construction firm contracted to repair and restore the church had not been paid in two months and convinced the church to wire money to a fraudulent account.
“Upon a deeper investigation by the FBI, we found that our email system was hacked and the perpetrators were able to deceive us into believing Marous Brothers had changed their bank and wiring instructions,” Father Bob Stec said in a letter to his congregation. “The result is that our payments were sent to a fraudulent bank account and the money was then swept out by the perpetrators before anyone knew what had happened.”
The scam occurred on April 15 after the threat actor gained access to two employees' accounts, which were then used to commit the fraud. The parish said it is reviewing its systems and strategies to ensure that such attacks don't take place in the future, and it will return to sending manual checks instead of wire transfers to meet future financial obligations.
In addition, an outside IT security firm will be hired to assess the parish's systems and policies.
The FBI said the incident is still under investigation and that additional details can’t be provided by law enforcement at this time.