Beware of Phishing Emails
Over the past several months, there have been a number of phishing attempts perpetrated against board members and officers of our church. Everyone in our community needs to be educated about these attempts at deception in order to prevent them from doing any harm. Unfortunately there is nothing the church web team can do to prevent these attacks except educate people about spotting them before they do damage. Please read on for a quick explanation of phishing scams and how to avoid falling victim to them.
First of all, phishing is different from hacking, though they can look very similar. If someone's email account is hacked, the hacker is able to log into that person's account, read all their email, and have access to their address book. This is obviously a very dangerous situation that could result in theft of personal information from both the account owner and his or her contacts. The only way to prevent a hack is to use a hard-to-guess password for your email account and change it regularly. If an account is still hacked, it may be necessary to contact the email service provider to have the account frozen and the password reset.
In a phishing scam, instead of logging into a victim's account, the attacker tries to impersonate the victim. He or she learns enough details about the victim, such as their work title and work address. The attacker sets up an email address in the victim's name and creates a signature including the title and address. The attacker finds people and their email addresses who are connected to this victim, and emails them, masquerading as the victim. If they succeed in deceiving someone, they will try to extract something from them. In the case of our church, all of the phishing emails have involved trying to talk people into buying various kinds of gift cards.
An organization like our church is vulnerable to this kind of attack because we have information on our website about who is on our board and how to reach them. An attacker reads about our board of directors, sets up a fake email address as our minister or board president, and emails other board members. An organization like ours is built on trust and friendship, so no one opening an email from a fellow church member is expecting to be deceived. Unfortunately, we are all going to have to be a bit more suspicious about church-related emails.
With the recipients' permission, I have attached screenshots of actual phishing emails. There are several telltale signs that they are not legitimate.
- They are vague. In the first email below, Mike is asked for a favor, with no elaboration on what it concerns. It is unlikely that our real minister would send an email without more details on what it concerns. In the second message below, the attacker pretending to be our minister asked the recipient to buy a Google Play gift card for "a widow." It is unlikely our minister would make this request without mentioning the identity of the "widow" in question.
- They contain grammar mistakes or mysterious constructions. Phishing emails often originate outside the U.S., from attackers who may not be fluent in English. The first email below does not contain this flaw, but in the second one, "Good to hear from Gale" sounds a bit odd.
- They request a reply. The first email says "email me back as soon as possible." The attacker wants to see if the recipient is gullible enough to fall for the scam.
- The email address is not correct. This is the crucial point. In the email below, Rosemary Morrison's email address is listed as "firstname.lastname@example.org." While this looks like a plausible email address, it is not Rosemary's official address, which is email@example.com.
- The email address is not showing. Many email programs, such as Gmail, do not show the email address by default, only the name the sender gave when they set up the account. There is usually a small "down arrow" or other icon near the recipient's name that can be clicked on to reveal the sender's address. In the second example below, the email address doesn't show, so if the recipient doesn't click on the down arrow (next to the words "to me"), there's no way to know the address is false. Clicking the down arrow on this email revealed the same incorrect email address as was used in the first example.
How to guard against phishing attempts.
Unfortunately there is no way to prevent these attacks as long as we make the names of our staff, board members, and officers available on our website. The best we can do is to learn to spot them and delete these emails. So far, no one in our community has been harmed by these emails. They are often obviously suspicious. But since our community is built on trust, we are vulnerable. We must be vigilant if anything seems odd about the emails we receive.
If something seems suspicious, check the email address. If you receive an email asking for gift cards, or a vague "favor," check the sender's email address. Staff members, board officers, and some committee members have official email addresses that end in "@uuctc.org." Hopefully anyone who has one of these addresses will use them. Many church members do conduct church business from personal email addresses. If you are not sure an email you've received is from a legitimate address, attempt to verify it. Call or text the person, check with a mutual friend who would know the correct email address, or simply check your own address book. In many cases, the email address itself will appear to be connected to our church. The one used in the attempts below includes UUCTC, our church's initials, in the name. An email purportedly from our current president might say something like "firstname.lastname@example.org".
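As an added example (not part of the original post), here is a small Python check that applies the signs described above to a message: it compares the sender's display name against the actual address, looks for our initials in a non-official address, and scans the body for the gift-card and "favor" wording. The official domain uuctc.org and the initials come from the post; the officer roster, the lure phrases, and the two sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

OFFICIAL_DOMAIN = "uuctc.org"   # official church domain, from the post
CHURCH_INITIALS = "uuctc"       # initials the fake addresses borrowed
# Constructed roster: display names that should only ever write from OFFICIAL_DOMAIN.
OFFICERS = {"rosemary morrison"}
# Constructed lure phrases, based on the wording the post describes.
LURES = ("gift card", "favor", "email me back")


def sender_parts(raw_message: str):
    """Return (display_name, local_part, domain) taken from the From: header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    return name.strip(), local.lower(), domain.lower()


def phishing_flags(raw_message: str) -> list[str]:
    """Apply the post's telltale signs. An empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, local, domain = sender_parts(raw_message)
    flags = []
    if domain != OFFICIAL_DOMAIN:
        # A known officer's name shown over a non-official address is the crucial sign.
        if name.lower() in OFFICERS:
            flags.append(f"display name '{name}' but non-official address {local}@{domain}")
        # Look-alike addresses often smuggle the church initials into the name part.
        if CHURCH_INITIALS in local or CHURCH_INITIALS in domain:
            flags.append("church initials used in a non-official address")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    for lure in LURES:
        if lure in text:  # plain substring match; "favor" also catches "favorite"
            flags.append(f"lure wording: '{lure}'")
    return flags


# Constructed sample messages (addresses are placeholders, not real ones).
SPOOF = """From: Rosemary Morrison <uuctc.president@example.org>
To: mike@example.net
Subject: Favor

Hi Mike, I need a favor from you. Email me back as soon as possible.
"""
LEGIT = """From: Rosemary Morrison <rosemary@uuctc.org>
To: mike@example.net
Subject: Board agenda

Hi Mike, the agenda for Tuesday is attached.
"""
```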
Check out this informative online quiz. Click this link to test how well you can spot phishing emails.
Please don't call this hacking. This may seem like irrelevant semantics, but it is important to distinguish between phishing and hacking. To say an email address has been hacked suggests that there has been a breach of our website security that must be fixed by our web and IT team. It also runs the danger of undermining trust in our church's web infrastructure. Fortunately, this has not happened to us as of this writing. Phishing is different in that it is everyone's responsibility to look out for it. It can't be stopped, it can only be guarded against. If you have questions about an email you've received, please feel free to email the webspinners with your questions. We're at email@example.com.