This DAP highlights – Congratulations to 2023 SC Media Women in IT Security honorees, including Gate 15’s Jennifer Lyn Walker. Every DAP also has More Faith-Based Stories and Select All-Hazard Stories. These updates are shared to help raise the situational awareness of Faith-Based organizations to best defend against and mitigate the impacts from all-hazards threats including physical security, cybersecurity, and natural disasters.
Faith-Based Security Headlines
The Episcopal News Service has reported that more than $400,000 was stolen in a cyberattack on the trust funds managed on behalf of the Diocese of Virginia and its churches, prompting the diocese’s fund manager to implement new security measures.
The fraud occurred in November and December 2022. After it was discovered, the diocese first released details in January, though the full scope of the attack wasn’t known until more recently, according to statements released on Sept. 8.
The cyberattack involved three transactions, two intended for parishes and one for the diocese. Cyber criminals were able to divert $412,868 in payments to unauthorized accounts. The fraud was discovered when the two parishes notified the diocese’s investments manager, known as Trustees of the Funds, that they had not received the $327,541 requested in withdrawals from their two accounts. Another payment of $85,327 intended for the diocese also was diverted, but that fraud was not detected until recently because it was part of a routine distribution.
This is not the first cyber attack of this type against faith-based organizations. FB-ISAO has written many reports to its members advising and warning of these types of incidents. The attack relies on social engineering to impersonate a trusted entity. It is a phishing-based tactic known as Business Email Compromise (BEC), one of the most prolific types of cyber attacks today.
The attack succeeds because it can bypass technical email controls and convince the recipient that the request is legitimate by posing as someone they already transact business with. The scam typically targets people who deal with finances and ultimately instructs them to change the account number where requested funds are to be sent. The request is typically part of an expected payment, such as an invoice or, in this case, a distribution from an investment account.
Because this attack is purposefully designed to trick users, one of the best defense methods is cybersecurity awareness training and recurring refreshers to remind staff and volunteers of these types of scams. It is also important that strict security protocols be put in place to verify and validate such requests and that staff and volunteers closely follow established procedures.
To assist with greater cybersecurity awareness to protect your faith-based organization, visit Faith-Based ISAO’s Cybersecurity Resources page. Additionally, members are encouraged to check out this post (from Huntress) if your FBO deals with any sort of payments. The post discusses a BEC incident – it doesn’t use any fancy/techy language and is appropriate for all staff. As Huntress states and is typical for BEC attacks, this incident wasn’t flagged by a flashy security tool or even its own solution. This is a story of good ol’ fashioned security awareness training and security-focused business procedures.
More Faith-Based Stories
“Deepfakes” Are AI-Produced Digitally Manipulated Media (Churchleaders.com)
Select All-Hazards Stories
Hurricane Watches and Tropical Storm Warnings as Hurricane Lee continues moving north towards New England and Atlantic Canada (National Weather Service)
The Cybersecurity 202 – DHS warns about 2024’s cyberthreats
CISA Adds One Known Vulnerability to Catalog (for Adobe Acrobat and Reader)
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023)
More Security-focused Content
The FB-ISAO’s sponsor Gate 15 publishes a free daily newsletter called the SUN. Curated from their open source intelligence collection process, the SUN informs leaders and analysts with the critical news of the day and provides a holistic look at the current global, all-hazards threat environment. Ahead of the daily news cycle, the SUN allows current situational awareness into the topics that will impact your organization.