Secret Service investigating cyber-theft of $120,000 from Brookfield parish

United States Secret Service agents are investigating how criminals stole $121,000 electronically last month from a Brookfield parish in the Archdiocese of Milwaukee.

St. John Vianney Parish was the victim of cybercrime or Internet crime, where individuals – no parish or bank employees are suspected of wrongdoing or involvement – made several unauthorized withdrawals from the parish’s general checking accounts, stealing money used for general parish operations. Several banks throughout the country have recovered and returned $84,000 of the funds that had been distributed into valid bank accounts of individuals under various names that appeared to be heading overseas, Fr. Phillip Bogacki stated in the Sept. 19 bulletin. The parish’s theft policy with Catholic Mutual Group, the administrator of the Archdiocese of Milwaukee participants insurance program, should cover the remaining $37,000 that wasn’t recoverable, minus its $1,000 deductible.

“I was quite shocked given that we’ve had financial issues here before in the last few years,” Fr. Bogacki said of his reaction to the Aug. 19 phone call he received from the parish’s business manager, alerting him of the theft. “…I thought that, perhaps, it was a joke at first, but my first reaction after that was let’s figure out exactly what happened, let’s protect our funds and let’s respond to this very seriously.”

When Tri City National Bank, St. John Vianney’s commercial bank in Brookfield, notified the parish’s accountant Aug. 19 of at least one unusual and unauthorized Automated Clearing House (ACH) withdrawal, or electronic transfer, from one of the parish accounts, she and the business manager checked the online accounts and found several unauthorized withdrawals that amounted to $121,000.

“The bank immediately froze the account and started an investigation which revealed that the withdrawals were fraudulent and that we had been the victim of a sophisticated crime that involved the ACH network,” Fr. Bogacki’s statement said. “All our bank accounts were immediately closed, as standard operating procedure whenever there is a potential security violation to accounts, and all our accounts were opened with new account numbers.” Because the bank and parish were alert to what was happening in the account, they recovered as much money as they did, according to Fr. Bogacki, noting they were able to “catch some of the money in transit.”

Fr. Bogacki, who informed the two parish trustees and the parish council chair about the investigation into the missing funds, said Secret Service agents spent a few hours at the parish later that day interviewing people including him, a few parish staff members, trustees and council chair.

“It was difficult as we didn’t want to alert the parish or even the larger staff to the fact that something had happened until we had gathered all the facts and realized exactly what had happened and that we were protected, so we were as quiet as possible with the interviews with the Secret Service agents,” said Fr. Bogacki, who was ordained in 2008 and has been temporary administrator at the parish since its pastor, Fr. Kenneth Knippel, went on sick leave a few weeks ago for reasons unrelated to the cybercrime.

The bank assured Fr. Bogacki and the church staff involved “that the electronic banking information of individual parishioners, specifically stewardship contributions and tuition payments through EFT (Electronic Funds Transfer), were in no way compromised during this theft,” he said in the bulletin.

Fr. Bogacki said the archdiocese supported him and the parish from the beginning with help from Jay Frymark, parish and school financial services director, who spoke with Fr. Bogacki several times to assure him that the central offices would provide whatever assistance the parish needed, made sure that the parish was in contact with Catholic Mutual Group, and discussed the timing of communication, including the need to communicate with parish leadership about the events – especially the trustees (corporate officers) – before making general announcements. The priest was also in contact with Julie Wolf, communications director for the archdiocese, with whom he discussed how to best and most honestly disclose the information to the parish.

“That’s one of the reasons we’re here,” Wolf said in an interview with your Catholic Herald, “to support the parishes. … we take very seriously the stewardship of donations that are given to our parishes and to the archdiocese.”

Fr. Bogacki said they’ve since adjusted the parish’s ACH agreement with the bank by placing a permanent debit block on the account prohibiting electronic withdrawals. It’s a feature that John Marek, treasurer/chief financial officer for the archdiocese, said the archdiocese has on its accounts, and something he would recommend other parishes discuss with their banks. “There may be a fee attached, but it then does not allow funds to be transferred out without approval from an authorized person at the parish,” Marek said in an interview with your Catholic Herald, explaining that there’s a possibility that a debit block could have helped in preventing the cybercrime at St. John Vianney.

“I don’t know if you can ever be totally confident, but you can utilize what the banks do make available to try to make it much harder for criminals to target you,” Marek said. He also said that parishes should take caution when they access online banking, never accessing it from a public computer, “because you don’t know how secure that is.”

Frymark, at Marek’s request, will send parish finance staff, council chairs, trustees, directors of administrative services and others an e-mail about St. John Vianney’s situation and what parishes can do. “I think our take is going to be they need to speak with their individual bankers about their banking relationships, and find out what additional securities and controls they can put on that, because if someone really wants to break into someone’s account, these people (criminals) have the organization and the sophistication to do that kind of thing,” Frymark said, explaining that parishes need to be prepared as best they can, especially parishes like St. John Vianney. “I just think it’s because of the size of the parish and the fact that that’s the one they (criminals) were picking on,” Frymark said of why he thought the parish with 8,307 members and an annual budget of $4 million was a target of cybercrime. “…organized crime goes after the bigger dollars. They don’t pick on our $2,000 parishes.”

Fr. Bogacki told parishioners in his bulletin statement that police in Orange County, Calif., arrested at least one person involved in the theft. It is unknown whether this cybercrime case is related to the Diocese of Des Moines, Iowa, which was notified Aug. 17 that $600,000 of diocesan funds was transferred to numerous recipients across the United States on Aug. 13 and 16. An Aug. 26 statement released by the diocese stated that $180,000 had been recovered at that time, and that the Federal Bureau of Investigation took possession of several diocesan computers. “The diocese remains in communication and full cooperation with the FBI,” it said, explaining that the insurance carrier and legal representative have been notified and consulted; law enforcement had been advised; no diocesan or bank staff is suspected; and that they, too, anticipate full restoration of the funds.

Anne Cox, director of communications for the diocese and editor of the diocesan newspaper, The Catholic Mirror, said that the diocese has also placed stricter controls to try to prevent this kind of theft in the future.

John Hirt, Secret Service Resident Agent in Charge, could not comment on the ongoing investigation with St. John Vianney, but offered advice on how parishes can help to prevent similar situations. “If you get some sort of an e-mail and you don’t know who it’s from, don’t respond to it,” Hirt said in an interview with your Catholic Herald. “Don’t open up an e-mail that you weren’t expecting from someone.”

Hirt also suggests that people stay away from unfamiliar Web sites. “If there’s something that seems a little suspicious claiming to be your bank, confirm that it is coming from the source it should be and that it isn’t somebody that’s trying to hack into your computer.”

As they wait for results of the investigation, Fr. Bogacki said they expedited the hiring of an outside auditor to conduct the financial review that the archdiocese is asking all parishes to do, so that the auditor can then additionally look at the parish’s electronic controls so they can “close up any gaps if any are discovered.” “But the most immediate step is to continue to pray, and it’s to continue to move forward with our mission,” Fr. Bogacki said. “We have a mission to proclaim the Gospel and to teach and to preach and to celebrate the Eucharist, and while we do have setbacks and while, unfortunately, we rely on financial resources to do this, we continue to go on with our mission, and we don’t become distracted by this, and we continue to do what it is that we do best, which is to be a good, Catholic parish.”

In light of everything, Fr. Bogacki said he’s thankful to the parishioners for their resilience and faithfulness. “They have responded so well to this news and they’ve been through so much, but are so faithful and so good, and I know that they will understand no matter what happens in the future – I know they’ll understand,” Fr. Bogacki said. “Even if we were to sustain this loss or some other tragedy in the future, our parish will come together. We’re a faith-filled community, and I’m so thankful to them for exhibiting that again in this situation and keeping this whole thing in the proper context.”
Milwaukee Herald



Dad29 said...

The Secret Service recovered ~$84K from various places around the country and the parish's insurer will cover all the rest of the loss except (IIRC) $1,000.00.

Another way to prevent ACH problems, of course, is to use CHECKS and make PERSONAL visits to the bank to transfer funds.

But that's so..........1980's.

Anonymous said...


But....simply using checks would not prevent ACH problems, as only the bank routing number and account numbers are needed for ACH transfers, and they are, indeed, SHOWN on the face of the check.

So it's even possible that the thief or thieves obtained those numbers from an actual *check*!