Frequently, members of churches throughout the diocese receive emails or text messages claiming to be from diocesan staff or church clergy and leadership. These are phishing attempts to get financial information or money by posing as a trusted person or organization. These attacks often increase during the seasons around Christmas and Easter, though they can happen at any time of the year.
Below are a few examples:
Phishing has been around for a long time but continues to grow increasingly sophisticated and persuasive. Phishers may perfectly mimic logos, use email addresses that sound legitimate, and include familiar-sounding language.
Unfortunately, it is impossible to stop these attacks. They are not the same as hacking, in which a person’s real email address is compromised; in phishing attempts, emails are sent through fake email addresses or phone numbers that look real and use complicated systems that hide the originating source. But by being vigilant, you can protect yourself from becoming a victim.
Let’s talk about ways to spot phishing emails:
- If anything about the message seems off, even just a little bit, stop and review it carefully before you reply or click anything in it.
- In the example above, though the “from” name shows as Michael Hanley, the email address is from a @roadrunner.com address. Diocesan staff only use email addresses that end with @diocese-oregon.org. If you are unable to see the actual email address, try to hover your mouse/cursor over the name to see what address is revealed.
- If a suspicious email includes a link, hover over it (without clicking on it) to see where the link will actually take you.
- Bishop Michael would never request you to purchase gift cards, share your bank account information, or make wire transfers. Similarly, your church priest, deacon, administrator, or financial officer would never make such a request of you.
- Phishing emails and texts frequently (but not always) include spelling mistakes and poor grammar. They also often claim to be “urgent” or have a task that needs to be done in a hurry.
- Never open attachments in suspicious emails or from unknown sources (especially zip files or those with .exe extensions, which are most likely to contain viruses or malware).
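For church administrators who want to automate the checks in the list above, here is a small Python sketch. It is an added example, not a diocesan tool. The staff domain and name come from this article; the local parts of the sample addresses, the "hurry" word list, and the function name are assumptions made for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "diocese-oregon.org"    # staff domain stated in this article
STAFF_NAMES = {"michael hanley"}         # name used in this article's example
MONEY_TERMS = ("gift card", "wire transfer", "bank account")
HURRY_TERMS = ("urgent", "right away", "asap")   # assumed wording, adjust as needed
RISKY_EXTENSIONS = (".zip", ".exe")

def review_message(from_header, body="", attachments=()):
    """Return a list of warning signs found in one message (empty list = none)."""
    findings = []
    # Split 'Display Name <user@domain>' into its two parts.
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    # A known staff name must come from exactly the staff domain.
    # Exact comparison also catches look-alikes that merely contain it.
    if display_name.strip().lower() in STAFF_NAMES and domain != TRUSTED_DOMAIN:
        findings.append("staff name with outside address: " + domain)
    text = body.lower()
    for term in MONEY_TERMS:
        if term in text:
            findings.append("money request: " + term)
    if any(term in text for term in HURRY_TERMS):
        findings.append("pressure to act quickly")
    for filename in attachments:
        if filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky attachment: " + filename)
    return findings

if __name__ == "__main__":
    # Constructed sample messages, not real emails.
    samples = [
        ('"Michael Hanley" <office.desk@roadrunner.com>',
         "Are you available? I need you to purchase gift cards. It is urgent.",
         ("invoice.zip",)),
        ("Michael Hanley <bishop@diocese-oregon.org.example.net>", "Hello", ()),
        ("Michael Hanley <staff.member@diocese-oregon.org>", "See you Sunday.", ()),
    ]
    for sender, body, files in samples:
        print(sender, "->", review_message(sender, body, files) or "no warning signs")
```

An empty result does not prove a message is genuine; calling the person it claims to be from remains the reliable check.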
If you receive a suspicious email or text message and just aren’t sure if it’s real or not, the best option is to call the person or organization it claims to be from.
There are a number of resources available to educate yourself further:
- This article covers a number of things to look out for and shows how easy it can be to fall for a phishing attack.
- There is also an anti-phishing non-profit organization that tracks the data on phishing, and aggregates information on these scams from the FBI, Better Business Bureau, FDIC, and more on their resources page.
- Stay Safe Online, part of the National Cyber Security Alliance, covers all aspects of online safety, including all forms of phishing. Their whole website is very informative; this page covers phishing.
- The 2018 Phishing Trends & Intelligence Report may be found here.
- You can report Gmail addresses for abuse (such as in the first two example emails above) here.
Phishers are a fact of digital life, because they succeed often enough to make it worthwhile. Stay safe and use the tools available to be informed.