New details have been released in the ongoing investigation of a sophisticated cyber theft that defrauded the Seventh-day Adventist Church of approximately US$500,000 during the span of a four-week period late last year.
Church leaders say a compromised password appears to have allowed online scammers to hack into the Gmail account of a church employee authorized to initiate instructions for money transfers. Impersonating the employee—and unbeknownst to him—the scammers sent emails to financial personnel at Adventist world church headquarters, approving the transfer of funds on behalf of a denominational entity. An elaborate filtration system set up by the scammers marked all responses from headquarters as “read” and “deleted,” thus bypassing the employee’s inbox.
Meanwhile, the scammers laundered funds from 16 fraudulent transactions through the personal bank accounts of five apparently unwitting victims, church financial officers said.
“We have modified procedures to do our best to prevent anything like this from happening again,” said Robert E. Lemon, treasurer of the Adventist world church.
Lemon said incidences of fraud in which scammers troll the Internet for emails giving instructions to “pay, transfer or send” funds are growing in occurrence. In such cases, scammers carefully study the account holder’s emails so they can send transaction requests that closely mirror the tone and content of legitimate emails. Some hackers may even include personal comments—often work or family details gleaned from actual emails—to make the transaction requests appear more genuine.
“We urge church employees and members to exercise extreme caution when acting on instructions for handling funds that come through an email without a second independent verification through another means, such as phone call, text message or fax,” Lemon said.
At headquarters, internal controls were in place that church leaders said should have alerted financial personnel of a problem with the first transaction, but several key employees who would have questioned the transactions were traveling or were otherwise out of the office at the time, Lemon said. Additionally, the transfer amounts and explanations were “within the normal scope” for the denominational entity in question, he said.
Church financial personnel discovered the fraud after growing suspicious of the high rate of transaction requests and an alert from one of the banks involved. The scammers quickly discontinued fraudulent activity associated with both the email account and the linked bank accounts.
While the church was able to recover some of the funds that were still in the bank accounts before they were frozen, Adventist financial officers said they’re unsure whether the remaining losses are recoverable. Cooperation with U.S. Federal authorities in the ongoing investigation is expected to continue, they said.
“There is no indication that any employees were involved in unethical behavior, and no church email servers or bank accounts were accessed or compromised in the scheme,” Lemon said.
“Having something like this happen on our watch is very difficult for those of us in treasury,” Lemon added. “We would like to thank each church member for their faithfulness and solicit their prayers that God will help us guard His funds in an ever-changing landscape of online fraud.”