A new round of phishing emails struck nationwide this week, this time from criminals pretending to be pastors. The attack used low-tech techniques to target unsuspecting church members, with a few new twists such as real-time responses from the bad actors.
The attacks resemble the scheme the Georgia attorney general described in June 2018:
“In one version of the fraud scheme, con artists send out emails purporting to be from the Pastor of the church asking for emergency donations to help someone in need. The email, which uses the Pastor’s name but a phony email address, instructs the recipient to provide the money by purchasing an iTunes gift card and mailing it to a different address. …”
Although the dollar amounts involved may be small compared to million-dollar bank transfers, the potential damage to respected institutions worldwide is huge when considered in aggregate. I view this as a significant development, since the scam is hitting much “closer to home” for many more organizations, undermining trust on a personal level for those who are tricked.
I personally received one of these phishing emails, and I immediately recognized that it was a fake (more on how I knew later in the article). I contacted this pastor immediately and provided help.
I also played along at first to see what their plan was. The blue box below describes what happened in the email exchange with the (fake) pastor:
How Did I Know It Was a Fake?
Besides the fact that this particular pastor does not write this way, the sender’s email address was a major clue, though one the untrained eye can easily miss.
Without giving out the exact church email details here, I can share that the real address is on the church’s “.org” domain, and the bad actors used a “gmail.com” address that closely resembled it. As an illustration of the pattern (not the real addresses): an address like pastor@church.org is imitated by something like pastor.church@gmail.com.
I can report that similar phishing schemes were used in multiple states this week alone, and all of them used a respected senior pastor as the “bait” to trick friends and trusted church members into buying gift cards.
Much of the information used in the scam appears to come from public websites or other public sources. Where the criminals got the actual email addresses isn’t clear at this time; internal phone directories, compromised PCs or other sources may have been used.
Why Is This Phishing Scam a New Twist?
A few differences in these 2018 phishing attacks against pastors include real-time responses to replies, almost like texting back and forth. Also, there were no links to click or websites to visit.
There were no requests to transfer large sums of money to bank accounts, which often set off red flags. Rather, victims were asked to physically purchase iTunes cards and send the card numbers to the email address provided.
While these small sums may seem insignificant, the potential impact is huge for faith-based ministries or nonprofits that depend on (and expect) the trustworthiness and respect of their leadership. How will people react when they find out they have been tricked into giving?
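The two clues described above, a known leader’s name on a lookalike free-mail address and a gift-card ask with no links or attachments, can be screened for mechanically. The following is an added example written for this article, not code from the original post or from any church or vendor; the staff directory, domain names, free-mail list and the two sample messages are all constructed for illustration.

```python
"""Heuristic screen for leader-impersonation ("pastor-phish") email.

Added example, not code from the article. It checks a message's From header
against a small staff directory and scans the body for the gift-card pretext.
"""
import re
from email.utils import parseaddr

# Constructed sample directory (not a real church): display name as it appears
# in legitimate mail -> the domain that person's mail actually comes from.
STAFF_DIRECTORY = {
    "Pastor John Smith": "examplechurch.org",
    "Jane Doe": "examplechurch.org",
}

# Public webmail domains; a staff name on one of these is the article's clue.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

GIFT_CARD_RE = re.compile(r"\b(itunes|gift\s*cards?|google\s*play|amazon\s*cards?)\b", re.I)
PRETEXT_RE = re.compile(r"\b(urgent|emergency|right\s+away|asap|in\s+a\s+meeting|can'?t\s+talk)\b", re.I)


def _norm(text: str) -> str:
    """Lower-case and strip non-alphanumerics so 'Pastor  John Smith' == 'pastor john smith'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


_DIRECTORY_BY_NORM = {_norm(name): domain for name, domain in STAFF_DIRECTORY.items()}


def assess(from_header: str, body: str):
    """Return (score, reasons) for one message. Higher score = more likely impersonation."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    reasons = []
    score = 0

    expected_domain = _DIRECTORY_BY_NORM.get(_norm(display))
    if expected_domain is not None and domain != expected_domain:
        # The key clue: a known leader's name on an address that is not at the
        # organization's own domain.
        score += 3
        reasons.append(f"'{display}' should come from {expected_domain}, not {domain}")
        if domain in FREEMAIL_DOMAINS:
            score += 1
            reasons.append("sender is a public webmail address")
        # Lookalike trick (illustrative pattern): the organization's name stuffed
        # into the local part, e.g. pastor.examplechurch@gmail.com
        if _norm(expected_domain.split(".")[0]) in _norm(local):
            score += 1
            reasons.append("organization name embedded in the local part")

    if GIFT_CARD_RE.search(body):
        score += 2
        reasons.append("asks for gift cards")
    if PRETEXT_RE.search(body):
        score += 1
        reasons.append("urgency / unavailability pretext")
    return score, reasons


def is_suspicious(from_header: str, body: str, threshold: int = 3) -> bool:
    """A directory mismatch alone (3) is enough to hold the message for review."""
    return assess(from_header, body)[0] >= threshold


# Constructed sample messages (not real mail).
LEGIT_FROM = "Pastor John Smith <pastor@examplechurch.org>"
LEGIT_BODY = "Reminder: the building committee meets Thursday at 7pm in the fellowship hall."

PHISH_FROM = "Pastor John Smith <pastor.examplechurch@gmail.com>"
PHISH_BODY = ("Are you available? I'm in a meeting and can't talk on the phone. "
              "I need you to pick up iTunes gift cards for a member in need right away "
              "and send me the numbers on the back.")

if __name__ == "__main__":
    for label, hdr, body in (("legit", LEGIT_FROM, LEGIT_BODY), ("phish", PHISH_FROM, PHISH_BODY)):
        score, reasons = assess(hdr, body)
        print(f"{label}: score={score} suspicious={is_suspicious(hdr, body)}")
        for r in reasons:
            print("  -", r)
```

Two caveats on the design. First, the lookalike address is a genuine gmail.com mailbox, so SPF and DKIM for gmail.com pass and authentication alone will not catch it; matching the display name against a directory of who may legitimately use that name is the check that does. Second, the directory must carry the name variants a leader actually uses in mail (with and without a title, nicknames), or a phisher who picks a variant you did not list slips past the sender check and is left to the weaker body heuristics.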
Also, this technique is spreading nationwide and may even affect international organizations. Here are some other recent examples where people have fallen for the scam in the past few months:
- Greensboro, N.C.: Triad Church Warns Of Phishing Scam Asking For Gift Card Purchase
- Washington D.C.: Scammers imitate priests via email to defraud area congregations
- Omaha, Neb.: Email scam targets church
Pastor Tom says he believes thousands of dollars were dished out by his church members.
"I know that there are two people that bought cards for $400, one for $300. I know there are a couple $200 and at least one $100 card."
Once you give them the number on the back of your iTunes gift card, you never hear back from the scammers.
In a similar church email scam reported in Louisiana, the local police offered these tips for victims of various types of phishing scams:
- Contact your local FBI or U.S. Secret Service office immediately to report a “business email compromise” scheme.
- Contact both your financial institution and the receiving financial institution to request that they halt or unwind the transfer if a wire transfer was actually processed.
- Seek advice from counsel about any legal obligations or protections you may have related to this situation, such as potential insurance coverage for any loss.
- Change your controls to minimize the risk of something similar happening again, and don’t think you need to sweep it under the rug.
- Making sure that employees know about the scam, how it was perpetrated, and that they can be a gateway for the scammer is important in motivating employees to remain vigilant.
- Call your local police.
First there was phishing.
Next, a 2.0 version arrived with spear-phishing.
The FBI reported last month that BEC has resulted in over $12 billion in financial losses from October 2013 to May 2018. “The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 115 countries. …”
Will "clergy-phish" or "pastor-phish" or "ministry-phish" evolve into phishing 4.0? Or is this just another form of whaling since these cyberattacks impersonate well-known pastors or priests (perhaps call this phishing 3.1?).
At the core, these scams attack the trust and faith you place in certain respected people, whether in a religious organization, nonprofit, government, company or other group. Whatever leader (or thought-leader) that large numbers of people pay attention to and look to for guidance — that is who the bad actors are trying to imitate.
Surprisingly, the latest round of phishing scams that we are seeing didn’t use links, attachments, zero-day malware or ransomware. "Old school" is sometimes "new school," with a few real-time twists. Another difference here is the audience, who may be unsuspecting or untrained in these types of phishing attacks. While enterprise staff at businesses may be trained to avoid such scams, young people, the elderly or other parishioners may not be.
This topic is also a good reminder for government organizations who could be impersonated by bad actors online. Scams offering new federal or state grants or extra money could be offered to unsuspecting residents who are asked to pay a small amount of money up front to register.
Phishing Email Scam Avoidance Tips
No faith-based or government organization is immune from this type of cyberattack. However, there are steps that all organizations should consider to prepare for a phishing attack and to limit its impact if one does come:
- Check your information available on public websites. Is giving out email addresses or other public information about individuals really necessary?
- Put appropriate security protections in place on ministry networks and computers.
- Train ministry staff on proper cyberhygiene with an effective security awareness program.
- Inform your donors and people who give contributions about the precautions your organization is taking and will take to ensure funds go where they should. Who is asking for money, gift cards or other gifts? How? What protections are in place? How do givers tell legitimate requests from fraudulent ones? Are your official email addresses clearly published so that lookalikes stand out?
- Prepare a fast response to scams and other incidents. Are you ready if things go wrong?
- If something bad does happen, tell people quickly, once you understand what happened. Silence will harm your reputation if people fall for the scam.
This phishing topic (again) rose to the top of my “hot cyberattacks” list when I received an email this week that initially appeared to be from a trusted pastor in my community. I think this trend is set to grow and get worse, until we can resolve our email identity issues.
At the core, this is an attack on trust and reputation. This simple little phishing scam is being perfected and will evolve into other forms of online scams that may be even harder to detect and more dangerous. Yes — this phishing scam was fairly easy to diagnose by trained pros, but untrained church members fell for the scam. Remember, the bad actors are evolving and trying new things all the time.
Churches, faith-based groups, other nonprofit organizations and governments need to learn from their private-sector counterparts. These scams are growing as online life evolves and can undermine your good work, if not properly addressed.
All domestic and international nonprofit groups that ask for donations should be on alert. Protect your email lists and act now to safeguard your trusted partners and reputation.
Take steps now, because if phishing scams are now targeting pastors, who’s next?