Warning: Email, text message, and phone call scams targeting church members by impersonating clergy
If you receive a communication that appears to be from the Bishop, or your clergy person, asking you to take some kind of unusual action – click a link or download an attachment you didn’t request, wire money to a specified account, purchase gift cards and reply with the serial numbers, or simply to reply quickly, watch out – it could be a form of email “phishing” known as “whaling.”
Whereas “phishing” involves sending a fraudulent email to a large group of people in the hope that a few will respond, “whaling” involves forging communications that look like they’re from the “big fish” in an organization, i.e. the “whale.” For us, this usually means the Bishop or a clergy person, although it could be someone else in authority.
The message will give some explanation of why the leader needs your help immediately. It may include a story about another person in dire circumstances whom the bishop or priest is trying to help. But instead of helping a needy person, if you respond you will actually be turning over money, and possibly your identity information, to a scammer.
Because these are usually crafted more carefully than your standard “phishing” email, they can be more difficult to detect.
Several of our clergy have received communications claiming to be from Santosh Marray. Some received emails, others fake text messages, and one even got a phone call purporting to be from the Bishop. Similar instances have been reported where church members receive communications purporting to be from their own clergy.
Unfortunately, it’s difficult to stop these “whaling” attacks. The email accounts in question have not been hacked. Instead, the sender’s identity is being “spoofed”: the scammer sets up a throwaway email account (or a phone number) and gives it the Bishop’s name as its display name, so that at first glance it looks like a legitimate one. Even if you block the fraudulent address, they’ll just use another. The same goes for text messages and calls from fraudulent phone numbers. It’s like playing “whack-a-mole.”
You can’t stop the senders of “whaling” emails, but what you can do – which is entirely free – is educate yourself and other potential recipients. Here are simple guidelines to help potential recipients avoid being tricked:
Email – Safe Practices:
The malicious actors behind “whaling” attacks are counting on people springing into action as soon as they see an important name on an email. You can outsmart them by looking beyond the name and checking the actual “from” email address or phone number to see whether it matches the contact information you already have for the alleged sender.
If you only see a name, you can make the underlying “from” email address appear by hovering the cursor over the name (on a phone, tap the name).
Bishop San is always firstname.lastname@example.org. No other variation of his email address is official. Keep in mind that a matching address rules out the crude lookalike accounts, but the address shown in a message can also be forged outright, so a matching address is a reason to look closer, not a reason to skip the confirmation step below.
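For parish staff who handle mail in bulk, the manual “look past the name” check above can be written down as a small script. The following is an added example, not part of the original notice: it takes the raw value of a message’s From: header, separates the display name from the real address the way your mail client does when you hover over the name, and compares both against a directory of official addresses. The directory here is a constructed stand-in (it uses the placeholder address printed above and the Bishop’s name as it appears on this page); a real deployment would load the diocesan directory. The sample headers at the bottom are constructed for illustration. It also handles the trick where the display name itself is written to look like an email address.

```python
from email.utils import parseaddr

# Constructed directory: display name (lower-cased) -> the ONE official address.
# The address is the placeholder this notice prints; a real deployment would
# load this from the diocesan directory rather than hard-coding it.
OFFICIAL_ADDRESSES = {
    "santosh marray": "firstname.lastname@example.org",
    "bishop san": "firstname.lastname@example.org",
}
OFFICIAL_SET = set(OFFICIAL_ADDRESSES.values())


def check_from_header(from_header):
    """Classify a raw From: header value.

    Returns (verdict, display_name, address) where verdict is one of:
      "official"   - the address is one on file (the display name may vary,
                     e.g. a title added in front of the Bishop's name)
      "suspicious" - the display name is a known leader but the address is
                     NOT the one on file, or the display name is itself
                     dressed up to look like an email address
      "unknown"    - neither the name nor the address is in the directory
    """
    name, addr = parseaddr(from_header)
    name_key = " ".join(name.split()).lower()
    addr_key = addr.strip().lower()

    # Trick: the display name is written as an address so the eye stops there,
    # e.g. "firstname.lastname@example.org" <someone@lookalike.example>.
    if "@" in name_key:
        return "suspicious", name, addr

    # A known leader's name with any address other than the one on file is
    # exactly the display-name spoofing the notice describes.
    if name_key in OFFICIAL_ADDRESSES:
        if addr_key == OFFICIAL_ADDRESSES[name_key]:
            return "official", name, addr
        return "suspicious", name, addr

    # Unfamiliar display name but an address we have on file: the sender is
    # who the address says (subject to the caveat that headers can be forged).
    if addr_key in OFFICIAL_SET:
        return "official", name, addr

    return "unknown", name, addr


def triage(headers):
    """Run check_from_header over a list of raw From: values; return verdicts."""
    return [check_from_header(h)[0] for h in headers]


if __name__ == "__main__":
    # Constructed sample headers (not real messages).
    samples = [
        "Santosh Marray <firstname.lastname@example.org>",
        "Santosh Marray <santosh.marray.bishop@gmail.com>",
        '"firstname.lastname@example.org" <mailer@lookalike.example>',
        "The Rt. Rev. Santosh Marray <firstname.lastname@example.org>",
        "Parish Office <office@example.org>",
    ]
    for h in samples:
        verdict, name, addr = check_from_header(h)
        print(f"{verdict:10s}  name={name!r:45s} address={addr!r}")
```

Anything flagged “suspicious” should be confirmed by phone before acting on it, exactly as the guidance below says; an “official” result only means the visible address matches the directory, and the confirmation step still applies to any unusual request.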
Text or Phone Calls – Safe Practices:
Put trusted phone numbers in your cell phone’s address book. Make it a habit to let unknown numbers go to voicemail first. Don’t call back unknown numbers from caller ID (even if they leave a message with a name you recognize) – instead look the number up in a trusted directory or website.
Never give out any personal information! Legitimate organizations do not ask for your social security number, national ID number, credit card numbers or PINs over the phone.
Hang up if you get a suspicious call. Call back the person via their legitimate number (use your church directory or call the office directly).
Confirm Requests with a Conversation:
Even if an email or text seems legitimate, if a request seems even remotely “off,” don’t act on it until you confirm it with a phone call or face-to-face conversation.
In the case of an alleged message from the Bishop, you may want to reach out to a member of the bishop’s staff. DO NOT reply to the suspicious email or text. Likewise, if a member of your parish staff is asking you to do something unusual, confirm with a phone call.
Observing these steps will go a long way in identifying and avoiding “whaling” attacks before they get their hooks in you.
(Credit to the Dioceses of Newark & Rhode Island for composing versions of this email and allowing other dioceses to use it.)
You can report identity theft at: https://www.identitytheft.gov/