Diocese of Virginia among victims in $400,000 cyberattack on church investment funds

By David Paulsen
Posted Sep 14, 2023

[Episcopal News Service] More than $400,000 was stolen in a cyberattack on the trust funds managed on behalf of the Diocese of Virginia and its churches, prompting the diocese’s fund manager to implement new security measures.

The fraud occurred in November and December 2022. After it was discovered, the diocese first released details in January, though the full scope of the attack wasn’t known until more recently, according to statements released on Sept. 8.

The cyberattack involved three transactions, two intended for parishes and one for the diocese. Cyber criminals were able to divert $412,868 in payments to unauthorized accounts. The fraud was discovered when the two parishes notified the diocese’s investments manager, known as Trustees of the Funds, that they had not received the $327,541 requested in withdrawals from their two accounts. Another payment of $85,327 intended for the diocese also was diverted, but that fraud was not detected until recently because it was part of a routine distribution.

St. George’s Episcopal Church in Fredericksburg, Virginia, is one of about 120 churches with money invested through Trustees of the Funds. Photo: St. George’s, via Facebook

The Trustees of the Funds manages investments for about 120 churches in Virginia and more than 80 affiliated institutions. Its core fund was valued at more than $122 million as of June 30, according to information on its website. Participating parishes can make withdrawals to cover a range of expenses, such as charitable giving, building maintenance, construction and operations.

“We know that this is a disturbing matter, and we want to assure everyone that the staff and board are taking this very seriously,” the Trustees of the Funds said in its Sept. 8 message. While the diocese was fully reimbursed for its missed payment, the Trustees of the Funds sustained a total uninsured loss of $388,000 from the cyberattack and was forced to make a one-time reduction in its investment performance of 0.06%.

The Trustees of the Funds’ message also said the fraud has been reported to the FBI and local police. Security upgrades have included new software, computer monitoring, scam testing, new withdrawal processes and increased security for internal emails. Officials suspect the breach happened because the perpetrators were able to access internal emails and used that access to divert payments.

“We take the safe stewardship of diocesan and congregational investments seriously and we are grieved by this criminal breach,” the diocese said in a statement released Sept. 8 by the office of Bishop E. Mark Stevenson. “We are thankful that this breach did not occur after the increased security measures were put in place. It is encouraging that these increased measures are working to prevent future attempts by cyber criminals. As always, the Diocese of Virginia is committed to full transparency with all members of the diocese regarding data security issues.”

– David Paulsen is a senior reporter and editor for Episcopal News Service. He can be reached at dpaulsen@episcopalchurch.org.