A recent threat to churches is impersonation scams targeting key personnel. In this scheme, cybercriminals mimic clergy, staff, or colleagues. Criminals typically pose as someone in a position of authority and ask victims to transfer money, pay invoices, or send the attacker sensitive data.

Phishing messages can come from a growing number of sources, including:

  • Email
  • Phone calls
  • Fraudulent software (e.g., anti-virus)
  • Social Media messages (e.g., Facebook, Twitter)
  • Advertisements
  • Text messages

What is spear phishing?

More sophisticated attacks, known as spear phishing, are personalized messages from scammers posing as people or institutions that you trust. They often collect identifiable information about you from social media or the compromised account of someone you know to make their messages more convincing. Never transmit sensitive information over email or social media, even if the message requesting information appears to be legitimate.

Examples

  • Ultimatum: An urgent warning attempts to intimidate you into responding without thinking. ‘Warning! You will lose your email permanently unless you respond within 7 days’.
  • Incorrect URLs: Scammers may obscure URLs by using hyperlinks that appear to go to a reputable site. Hover your mouse over any suspicious links to view the address of the link. Illegitimate links often contain a series of numbers or unfamiliar web addresses.
  • Incorrect Email Addresses: For example, you might receive an email from revkymlucas@gmail.com or BishopKym@yahoo.com. These are not emails from the Bishop and are fraudulent. Emails from Office of the Bishop staff will always come from an @episcopalcolorado.org email address.
  • No signature or contact information: Additional contact information is not provided.
  • Too good to be true offer: Messages about contests you did not enter or offers for goods or services at an unbelievable price are likely fraudulent.
  • Style inconsistencies: Pop-up windows that claim to be from your operating system or other software may have a different style or colors than authentic notifications. Messages that claim to be from a reputable organization may be missing branding aspects such as a logo.
  • Spelling, punctuation, or grammar errors: Some messages will include mistakes. ‘Email owner that refuses to update his or her Email, within Seven days’
  • Attention-grabbing titles: “Clickbait” titles (e.g., “You won’t believe this video!”) on social media, advertisements or articles are sensationalist or attention-grabbing and sometimes lead to scams.

Churches and dioceses across The Episcopal Church and other denominations have been targets of these impersonation attacks. Scammers register a free email account (such as Gmail) under an impersonated name, or set up a phishing phone number and text people from compromised contact lists. They then send a message to an unsuspecting recipient asking for immediate help with a task (such as purchasing a gift card or wiring money). Attention to detail goes a long way in combating impersonation. Check sender details carefully, investigate any suspicious email before replying, and scrutinize the message content, including attachments and URLs.
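As an added example, not part of the original notice: a small Python check of the kind a mail administrator might add to a filter, applying the rule above that Office of the Bishop mail always comes from @episcopalcolorado.org. It flags messages whose sender name (in the display name or before the @) matches a staff member but whose address is not at that domain. The staff alias list, free-mail list, and sample headers are constructed for the example.

```python
import re
from email.utils import parseaddr

# The organisation's real sending domain comes from the page; the staff
# aliases and free-mail list are constructed for this example.
ORG_DOMAIN = "episcopalcolorado.org"
STAFF_ALIASES = ["Kym Lucas", "Bishop Kym"]
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def _compact(text: str) -> str:
    """Lower-case, letters only, so 'Rev. Kym Lucas', 'revkymlucas' and
    'BishopKym' become comparable plain strings."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_sender(from_header: str) -> dict:
    """Parse a From: header and return the pieces plus a list of reasons
    the message deserves a second look (an empty list means no finding)."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    is_org = domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)
    reasons = []

    # The claimed identity may sit in the display name or in the part before
    # the '@' (revkymlucas@..., BishopKym@...), so look in both.
    claimed = _compact(display) + " " + _compact(local)
    impersonated = [a for a in STAFF_ALIASES if _compact(a) in claimed]

    if impersonated and not is_org:
        reasons.append(f"uses the name {impersonated[0]!r} but not @{ORG_DOMAIN}")
    if impersonated and domain in FREEMAIL_DOMAINS:
        reasons.append(f"free mail provider {domain} with a staff name")
    # Lookalike: contains the organisation's name but is not its domain.
    if not is_org and ORG_DOMAIN.split(".")[0] in domain:
        reasons.append(f"lookalike domain {domain}")

    # An exact @ORG_DOMAIN match only means the header says so; whether the
    # message really came from there is for SPF/DKIM/DMARC at the gateway.
    return {"display": display, "address": addr, "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample headers modelled on the addresses quoted on the page.
    for hdr in ["Bishop Kym Lucas <revkymlucas@gmail.com>",
                '"The Rt. Rev. Kym Lucas" <BishopKym@yahoo.com>',
                "Office of the Bishop <office@episcopalcolorado.org>"]:
        result = check_sender(hdr)
        print("SUSPECT" if result["reasons"] else "ok     ", hdr, result["reasons"])
```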

To combat these scams, let your staff and congregation know that you will never request funds by email, text, social media, or any other form of communication, or that any such request must be verified by phone with the person involved. Email spam filters will intercept some fraudulent emails, but they are not foolproof. It is critical that you learn to identify phishing scams and take the appropriate steps to protect your computer and your information.

If your church receives any suspicious emails like this, please notify the United States Computer Emergency Readiness Team (US-CERT). For fraudulent text messages, you can report incidents to the Federal Trade Commission at ftc.gov/complaint.