Frequently, members of churches throughout the diocese receive emails or text messages claiming to be from diocesan staff or church clergy and leadership. These are phishing emails, to try and get financial information or money by posting as a trusted person or organization. These attacks often increase during the seasons around Christmas and Easter, though they can happen at any time of the year.
Below is one example:
Phishing has been around for a long time but continues to grow increasingly sophisticated and persuasive. Phishers may perfectly mimic logos, use email addresses that sound legitimate, and include familiar-sounding language.
Unfortunately, it is impossible to stop these attacks. They are not the same as hacking, in which a person’s real email address is compromised; in phishing attempts, emails are sent through fake email addresses that look real and use complicated systems that hide the originating email address. But by being vigilant, you can protect yourself from becoming a victim.
Let’s talk about ways to spot phishing emails:
- If anything about the message seems off, even just a little bit, stop and review it carefully before you reply or click anything in it.
- In the example above, though the “from” name shows as Michael Hanley, the email address is from a @roadrunner.com address. Diocesan staff only use email addresses that end with @diocese-oregon.org. If you are unable to see the actual email address, try to hover your mouse/cursor over the name to see what address is revealed.
- If a suspicious email includes a link, hover over it (without clicking on it) to see where the link will actually take you.
- Bishop Michael does not need anyone to purchase gift cards or make wire transfers. He has a fabulous Canon for Administration who would handle such a task for him if it was for diocesan business. Similarly, your church priest, deacon, or financial officer would never make such a request of you.
- Phishing emails frequently (but not always) include spelling mistakes and poor grammar. They also often claim to be “urgent” or have a task that needs done in a hurry.
- Never open attachments in suspicious emails or from unknown sources (especially zip files or those with .exe extensions, which are most likely to contain viruses or malware).
If you receive a suspicious email or text message and just aren’t sure if it’s real or not, the best option is to call the person or organization it claims to be from.
There are a number of resources available to educate yourself further:
- This article covers a number of things to look out for and shows how easy it can be to fall for a phishing attack.
- There is also an anti-phishing non-profit organization that tracks the data on phishing, and aggregates information on these scams from the FBI, Better Business Bureau, FDIC, and more on their resources page.
- Stay Safe Online, part of the National Cyber Security Alliance, covers all aspects of online safety, including all forms of phishing. Their whole website is very informative; this page covers phishing.
- The 2018 Phishing Trends & Intelligence Report may be found here.
Phishers are a fact of digital life, because they succeed often enough to make it worthwhile. Stay safe and use the tools available to be informed.