So you open your email one day and there’s a note from the rector asking you to please help her out by buying gift cards and sending her the serial numbers so she can assist a family in need.
Except – it’s not from your rector. It’s a scam. And it’s targeting church folks by sending emails that appear to be from a church leader. This is called “phising,” or, when it goes after a higher ranking person, “whaling”.
What can you do? Here is an excellent article on this scam by Nina Nicholson, communication director for the Diocese of Newark, that offers great advice. Please read it all. Here are two important excerpts:
Verify the “from” email
The malicious actors behind “whaling” attacks are counting on people springing into action as soon as they see an important name on an email. You can outsmart them by looking beyond the name and checking the “from” email address to see if it matches what you know the alleged sender’s email to be.
If you only see a name, you can cause the “from” email address to be displayed by hovering the cursor over the name.
Note: This is one of the reasons for the requirement that all people doing diocesan business use edfw.org accounts. It allows the staff to take rapid measures to protect diocesan assets if someone’s account has been compromised.
Confirm requests with a conversation
Even if the email or text seems legit, if a request seems even remotely “off,” don’t act on it until you confirm it with a phone call or face-to-face conversation.
In the case of an alleged message from the bishop, you may want to reach out to [the bishop’s] staff [Janet.firstname.lastname@example.org or email@example.com]. Don’t reply to the suspicious email or text.
Observing these two steps will go a long way in identifying and avoiding “whaling” attacks before they get their hooks in you.
Please read it for information on where to report such scams, especially if you did purchase from gift cards.