Faith-Based Daily Awareness Post 15 September 2023

These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against, and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.

Diocese of Virginia among victims in $400,000 cyberattack on church investment funds

The Episcopal News Service has reported that more than $400,000 was stolen in a cyberattack on the trust funds managed on behalf of the Diocese of Virginia and its churches, prompting the diocese’s fund manager to implement new security measures.

The fraud occurred in November and December 2022. After it was discovered, the diocese first released details in January, though the full scope of the attack wasn’t known until more recently, according to statements released on Sept. 8.

The cyberattack involved three transactions, two intended for parishes and one for the diocese. Cyber criminals were able to divert $412,868 in payments to unauthorized accounts. The fraud was discovered when the two parishes notified the diocese’s investments manager, known as Trustees of the Funds, that they had not received the $327,541 requested in withdrawals from their two accounts. Another payment of $85,327 intended for the diocese also was diverted, but that fraud was not detected until recently because it was part of a routine distribution.

Analyst Comments:

This is not the first of this type of cyber attack against faith-based organizations. FB-ISAO has written many reports to its members advising and warning of these types of incidents. The attack relies on social engineering to impersonate a trusted entity. This attack is a phishing-based tactic known as a Business Email Compromise (BEC) and is one of the most prolific types of cyber attacks today.

The success of this attack is in its ability to bypass technical email controls and engender the recipient that the stated request is legitimate by posing as someone they currently transact business with. The scam typically targets people who deal with finances and ultimately instructs them to change the account number where requested funds are to be sent – it is typically part of an expected payment, such as an invoice, or in this case the request of a distribution from an investment account.

Because this attack is purposefully designed to trick users, one of the best defense methods is cybersecurity awareness training and recurring refreshers to remind staff and volunteers of these types of scams. It is also important that strict security protocols be put in place to verify and validate such requests and that staff and volunteers closely follow established procedures.

To assist with greater cybersecurity awareness to protect your faith-based organization, visit Faith-Based ISAO’s Cybersecurity Resources page. Additionally, members are encouraged to check out this post (from Huntress) if your FBO deals with any sort of payments. The post discusses a BEC incident – it doesn’t use any fancy/techy language and is appropriate for all staff. As Huntress states and is typical for BEC attacks, this incident wasn’t flagged by a flashy security tool or even its own solution. This is a story of good ol’ fashioned security awareness training and security-focused business procedures.