NewsLocal NewsCuyahoga County


Saint Ambrose Catholic Parish victim of sophisticated business email scheme, FBI says

Posted: 12:12 PM, Apr 30, 2019
Updated: 2019-04-30 18:43:29-04
Saint Ambrose Catholic Church in Brunswick.

CLEVELAND — Following a hack that left Saint Ambrose Catholic Parish in Brunswick out of nearly $2 million, the Cleveland Division of the FBI has weighed in on the hack Tuesday, revealing the parish was a victim of a business email compromise (BEC) scheme.

Federal investigators became involved in the investigation after Saint Ambrose notified them of a scam. The FBI said a BEC scam is a sophisticated scam targeting both businesses and individuals performing wire transfer payments, which is how the parish paid the construction company for its renovation work.

"There have been hundreds of instances where business email compromise complaints have been called in,” said Cleveland FBI Assistant Special Agent in Charge Bryan Smith.

In a letter to the parish on April 27, Father Bob Steck said while his Vision 2020 Team was working with Marous Brothers Construction during church renovations, he received news that email hackers had stolen $1.75 million from the parish.

The parish noticed the hack when Marous Brothers questioned them as to why they had not paid the monthly payment for the past two months, totaling $1.75 million. The payments were sent to a fraudulent bank account and the money was then depleted from those accounts before anyone knew what happened.

The scam is carried out when someone compromises a legitimate business email account through social engineering or computer intrusion techniques that allow the unauthorized transfer of funds.

Scammers use several methods, including a spoofing email account and website that have a slight variation on legitimate addresses and spear phishing, bogus emails believed to be sent from a trusted sender that prompts victims to reveal confidential information.

The FBI said there are several ways to avoid becoming a victim. A person should verbally verify requests to send money by talking to a financial manager of a CFO's office. A company or business can create intrusion detection system rules that flag emails with extensions that are similar to company names you associate with, the FBI said.

Users are recommended to keep a firewall turned on, install updates regularly to your antivirus software and be careful, in general, what you download.

RELATED: Email hackers steal nearly $2 million from Saint Ambrose Catholic Parish in Brunswick