Phishing Scams

Email scams are an ongoing issue, even for churches and nonprofits. There’s usually not much you can do to combat them, but being aware of possible scams and knowing how to identify them is the best way to avoid becoming a victim. There are two main ways you may experience email scams: spoofing and phishing. We’ll explain and give examples of each.

Spoofing

Spoofing is when scammers disguise their identity by using the email address of a trusted source, such as a phone, electric, or other trusted vendor, so the email looks legitimate. Often these spoofed emails solicit sensitive information or ask for money, or for forms of money such as cryptocurrency (e.g. Bitcoin) or virtual gift cards.

You can be a victim of spoofing in two ways:

  1. You might receive emails that have been spoofed to use the email address of one of your vendors or contacts. If this happens, you can always call or text the sender to confirm they indeed sent the email.

  2. Someone might spoof your or another staff member’s address to email your contacts. There’s not much you can do if this happens except to alert your contacts that the email is not legitimate and you are not actually stuck in Nigeria and in need of your friends to wire money for your return flight. That was the story of my (first) spoofed email!

Phishing

Phishing is when scammers use an email address that is meant to look like a legitimate address and encourage the recipient to click on a malicious link that collects personal information, like passwords or credit card numbers, or to download an infected attachment. Some phishing scams involve spoofed emails and web pages, which makes them even more difficult to identify. If you’re not sure whether an email is legitimate, hover over the links to see if the URLs look suspicious. Check for spelling and grammar errors. Check email addresses and URLs for misspellings or extra or missing letters.
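
The same checks can be automated for a shared inbox. The sketch below is an added example, not part of the original article: it flags sender and link domains that are one or two letters away from a domain you trust, and links whose visible text shows one site while the link opens another. The domain names, the allowlist and the sample message are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): domains your organization really uses.
TRUSTED = {"gracechurch.example", "citypower.example", "givingportal.example"}
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)
URL_TEXT = re.compile(r'(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?', re.I)

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return (status, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    domain = domain.lower().strip("> .")
    # Compare only trailing labels, so mail.gracechurch.example is still trusted.
    tails = {t: ".".join(domain.split(".")[-(t.count(".") + 1):]) for t in TRUSTED}
    exact = [t for t in TRUSTED if tails[t] == t]
    if exact:
        return "trusted", exact[0]
    # Distance 1-2 covers misspellings and extra or missing letters.
    near = [t for t in sorted(TRUSTED) if edit_distance(tails[t], t) <= 2]
    return ("lookalike", near[0]) if near else ("unknown", None)

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def check_message(from_addr, html_body):
    """List reasons to verify this message through another channel before acting."""
    findings = []
    status, near = classify_domain(from_addr.rsplit("@", 1)[-1])
    if status == "lookalike":
        findings.append(f"sender domain resembles {near}")
    for href, text in LINK.findall(html_body):
        status, near = classify_domain(host(href))
        if status == "lookalike":
            findings.append(f"link host {host(href)} resembles {near}")
        if URL_TEXT.fullmatch(text) and host(text) != host(href):
            findings.append(f"link text shows {host(text)} but opens {host(href)}")
    return findings

SAMPLE_FROM = "Pastor Lee <pastor@gracechuch.example>"  # constructed sample
SAMPLE_BODY = '<a href="https://pay-now.example/give">givingportal.example/give</a>'
print(check_message(SAMPLE_FROM, SAMPLE_BODY))
```

A spoofed message that uses the exact trusted address passes this check, so calling the sender to confirm is still needed for unusual requests.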

Phishing can happen by phone and text as well. When I was on church staff, this happened regularly. We would get calls from someone claiming to be from our electric company letting us know our bill hadn’t been paid. They threatened to turn off our electricity in the next 30 minutes if we didn’t pay by phone. Because I knew we had paid, I was able to ignore it. The important thing in that situation is not to panic or be pressured into giving credit card or other information over the phone. If you’re not sure, take the time to look into it. Hang up and call your utility company directly to verify.

A Real-Life Example

A few years back, churches in DC were being targeted by scammers who were spoofing pastors’ email addresses. Pretending to be the pastor, they emailed members of local congregations and asked for personal financial assistance, usually in the form of gift cards. It was fairly sophisticated. The email was directed at members, it was well written and it was asking for relatively small contributions so it was within the scope of expected requests. While most recipients identified it as a scam, sadly a few well-meaning recipients purchased the requested gift cards. After all, the email was made to look like it was from a most trusted source - their pastor! 

Once church staff learned of the spoofing, they sent an email to all members to alert them so that no one else would fall prey to it. They alerted other local churches to the scam as well. The cybercriminals had hit more than one church with the same scam. Thankfully it wasn’t for large amounts of money but it was disruptive and left its victims feeling embarrassed and vulnerable.

Guarding Yourself and Your Community

While there’s no way to prevent these attempts, taking an extra moment or two to investigate a suspicious email or phone call can save you a lot of trouble. Consider communicating guidelines to your community about what they can expect from you. For example, let members and donors know you will only invite them to give electronically directly to your church or nonprofit through your online giving portal and never to a third party, and never by purchasing gift cards. Awareness and attention to detail are your best defense. If you’re unsure, find a way to verify with the sender that the request is legitimate. It’s worth the extra effort and time to guard yourself and your church or nonprofit.
