“I was quite shocked given that we’ve had financial issues here before in the last few years,” Fr. Bogacki said of his reaction to the Aug. 19 phone call he received from the parish’s business manager, alerting him of the theft. “…I thought that, perhaps, it was a joke at first, but my first reaction after that was let’s figure out exactly what happened, let’s protect our funds and let’s respond to this very seriously.”
When Tri City National Bank, St. John Vianney’s commercial bank in Brookfield, contacted the parish’s accountant Aug. 19 of at least one unusual and unauthorized Automated Clearing House (ACH) withdrawal, or electronic transfer, from one of the parish accounts, she and the business manager checked the online accounts and found several unauthorized withdrawals that amounted to $121,000.
“The bank immediately froze the account and started an investigation which revealed that the withdrawals were fraudulent and that we had been the victim of a sophisticated crime that involved the ACH network,” Fr. Bogacki’s statement said. “All our bank accounts were immediately closed, as standard operating procedure whenever there is a potential security violation to accounts, and all our accounts were opened with new account numbers.” Because the bank and parish were alert to what was happening in the account, they recovered as much money as they did, according to Fr. Bogacki, noting they were able to “catch some of the money in transit.”
Fr. Bogacki, who informed the two parish trustees and the parish council chair about the investigation into the missing funds, said Secret Service agents spent a few hours at the parish later that day interviewing people including him, a few parish staff members, trustees and council chair.
“It was difficult as we didn’t want to alert the parish or even the larger staff to the fact that something had happened until we had gathered all the facts and realized exactly what had happened and that we were protected, so we were as quiet as possible with the interviews with the Secret Service agents,” said Fr. Bogacki, who was ordained in 2008 and has been temporary administrator at the parish since its pastor, Fr. Kenneth Knippel, went on sick leave a few weeks ago for reasons unrelated to the cybercrime.
The bank assured Fr. Bogacki and the church staff involved “that the electronic banking information of individual parishioners, specifically stewardship contributions and tuition payments through EFT (Electronic Funds Transfer), were in no way compromised during this theft,” he said in the bulletin.
|If you think your parish is a victim of cybercrime, Jay Frymark, parish and school financial services director for the archdiocese, suggests contacting your bank – not the local police department – and alerting them of suspected fraud.
“The bank will most likely then contact the treasury department and the FBI if they think that something’s going on,” he said, noting that while police can write a report, “that’s not going to stop your money from disappearing quickly. … Once the bank knows, their fraud department can start investigating and making the appropriate calls.”
Fr. Bogacki said that advice bankers and police have been giving the parish the last several years still applies, “which is to use common sense; to watch, carefully, your bank accounts; to monitor, carefully, what’s going on with your finances; and to be aware of anything suspicious.”
Fr. Bogacki said the archdiocese supported him and the parish from the beginning with help from Jay Frymark, parish and school financial services director, who spoke with Fr. Bogacki several times to assure him that the central offices would provide whatever assistance the parish needed, made sure that the parish was in contact with Catholic Mutual Group, and discussed the timing of communication, including the need to communicate with parish leadership about the events – especially the trustees (corporate officers) – before making general announcements. The priest was also in contact with Julie Wolf, communications director for the archdiocese, with whom he discussed how to best and most honestly disclose the information to the parish.
“That’s one of the reasons we’re here,” Wolf said in an interview with your Catholic Herald, “to support the parishes. … we take very seriously the stewardship of donations that are given to our parishes and to the archdiocese.”
Fr. Bogacki said they’ve since adjusted the parish’s ACH agreement with the bank by placing a permanent debit block on the account prohibiting electronic withdrawals. It’s a feature that John Marek, treasurer/chief financial officer for the archdiocese, said the archdiocese has on its accounts, and something he would recommend other parishes to discuss with their banks. “There may be a fee attached, but it then does not allow funds to be transferred out without approval from an authorized person at the parish,” Marek said in an interview with your Catholic Herald, explaining that there’s a possibility that a debit block could have helped in preventing the cybercrime at St. John Vianney.
“I don’t know if you can ever be totally confident, but you can utilize what the banks do make available to try to make it much harder for criminals to target you,” Marek said. He also said that parishes should take caution when they access online banking, never accessing it from a public computer, “because you don’t know how secure that is.”
Frymark, upon Marek’s request, will be sending an e-mail about St. John Vianney’s situation and what parishes can do, to send to parish finance staff, council chairs, trustees, directors of administrative services and others. “I think our take is going to be they need to speak with their individual bankers about their banking relationships, and find out what additional securities and controls they can put on that, because if someone really wants to break into someone’s account, these people (criminals) have the organization and the sophistication to do that kind of thing,” Frymark said, explaining that parishes need to be prepared as best they can, especially parishes like St. John Vianney. “I just think it’s because of the size of the parish and the fact that that’s the one they (criminals) were picking on,” Frymark said of why he thought the parish with 8,307 members and an annual budget of $4 million was a target of cybercrime. “…organized crime goes after the bigger dollars. They don’t pick on our $2,000 parishes.”
Fr. Bogacki told parishioners in his bulletin statement that police in Orange County, Calif., arrested at least one person involved in the theft. It is unknown whether this cybercrime case is related to the Diocese of Des Moines, Iowa, which was notified Aug. 17 that $600,000 of diocesan funds was transferred to numerous recipients across the United States on Aug. 13 and 16. An Aug. 26 statement released by the diocese stated that $180,000 had been recovered at that time, and that the Federal Bureau of Investigation took possession of several diocesan computers. “The diocese remains in communication and full cooperation with the FBI,” it said, explaining that the insurance carrier and legal representative have been notified and consulted; law enforcement had been advised; no diocesan or bank staff is suspected; and that they, too, anticipate full restoration of the funds.
Anne Cox, director of communications for the diocese and editor of the diocesan newspaper, The Catholic Mirror, said that the diocese has also placed stricter controls to try to prevent this kind of theft in the future.
John Hirt, Secret Service Resident Agent in Charge, could not comment on the ongoing investigation with St. John Vianney, but offered advice on how parishes can help to prevent similar situations. “If you get some sort of an e-mail and you don’t know who it’s from, don’t respond to it,” Hirt said in an interview with your Catholic Herald. “Don’t open up an e-mail that you weren’t expecting from someone.”
Hirt also suggests that people stay away from unfamiliar Web sites. “If there’s something that seems a little suspicious claiming to be your bank, confirm that it is coming from the source it should be and that it isn’t somebody that’s trying to hack into your computer.”
As they wait for results of the investigation, Fr. Bogacki said they expedited the hiring of an outside auditor to conduct the financial review that the archdiocese is asking all parishes to do, so that the auditor can then additionally look at the parish’s electronic controls so they can “close up any gaps if any are discovered.” “But the most immediate step is to continue to pray, and it’s to continue to move forward with our mission,” Fr. Bogacki said. “We have a mission to proclaim the Gospel and to teach and to preach and to celebrate the Eucharist, and while we do have setbacks and while, unfortunately, we rely on financial resources to do this, we continue to go on with our mission, and we don’t become distracted by this, and we continue to do what it is that we do best, which is to be a good, Catholic parish.”
In light of everything, Fr. Bogacki said he’s thankful to the parishioners for their resilience and faithfulness. “They have responded so well to this news and they’ve been through so much, but are so faithful and so good, and I know that they will understand no matter what happens in the future – I know they’ll understand,” Fr. Bogacki said. “Even if we were to sustain this loss or some other tragedy in the future, our parish will come together. We’re a faith-filled community, and I’m so thankful to them for exhibiting that again in this situation and keeping this whole thing in the proper context.”