One of the facts of life in our modern digital world is that there will be people trying to get money or goods fraudulently through phishing scams. This happens when an individual receives an email supposedly sent by someone they know and trust (their priest, or even the bishop). The email is sent to a number of people asking for assistance or a favor. This is now all too common and seems to occur on a weekly basis at any one of the congregations in our diocese.
Spear phishing is especially difficult because the perpetrator has the name of the sender or the recipient of the email and uses this to gain trust.
There is no way to stop these scams from occurring. But by being vigilant, the risks can be minimized or averted. Here are some steps to take.
- Check the return email address. If the address doesn’t match the name of the sender, be wary.
- Never open attachments from unknown sources, especially those with .exe extensions.
- Be wary of generically addressed emails like Dear Friend or Dear Customer.
- If there are links in the email, hover over them without clicking on them. This will show where the link will actually take you.
- Look for grammatical or spelling errors in the text of the email.
- Check the address at the bottom of the email. If it says “Pastor Jim” and Jim never goes by “Pastor”, it’s fake.
Finally, if after all these steps it looks safe and the sender is asking for money or access to secure data, call the person directly to get verification.
If you are so inclined, you are welcome to alert the international Anti-Phishing Working Group by forwarding the message to reportphishing@apwg.org. However, your best defense is simply to delete the email; do not click on any links or reply to the sender.
A member of St. Antony in Silverdale just got a text message from someone posing as our priest. Has this ever happened before?
Thanks for letting us know. We’ve just received word from other dioceses that this has begun to happen. The best safeguard is to encourage parishioners to check any text messages they receive with the church office through the official church phone number.
As ++Melissa said, this has become more and more common. It happens all the time.
And I would not recommend hovering over a link. Some malicious apps use hovering as good enough for a click, so don’t tempt fate!
I have never been able to figure out the “hover over the link” procedure when viewing emails in an app. Nor am I able to verify the actual email address without opening up the email and clicking on it.
For these reasons, I only access church emails from the desktop computer in the church office. In addition, I use the email apps on my personal cell phone sparingly.
Thank you for these tips that I can pass along to others!
FYI – I’m a parish admin and have recently started getting more of these where they have been able to disguise the “from” address so that it shows the priest’s actual address, so seeing that address is not a guarantee that the email is legit. If you click “reply,” it will show the phisher’s address.
It has also become very common for people to contact us saying that they came to church on Sunday morning and someone told them to contact me for access to our online directory. The church I attend fell victim to this one and it resulted in texts to many parishioners asking for money.