Avoid getting hooked by a phishing scam

A quick internet search reveals that many churches are specifically being targeted by phishing scams! And these attacks can come in many forms.

August 20, 2019
Dennis Carson

A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency, a business, or even an organization such as a church. No one is immune from these attacks! Not individuals. Not businesses. And not even churches.

In fact, a quick internet search reveals that many churches are specifically being targeted by phishing scams! And these attacks can come in many forms. One variant makes the emails appear to be coming from the pastor of the church and asks for gift card numbers. Another version asked for emergency donations in the form of iTunes gift cards. Other versions of the attack come over the telephone and ask for donations. These types of attacks are all a form of social engineering which is used to trick people into doing something.

If you have a computer and an email account, you’ve probably received the following at some point: “This is your bank contacting you. You must login within 24 hours or your account will be deactivated due to inactivity and you will lose all of the funds in it!!!”the all-too-common inbox email reads. “Please follow this link and enter your username and password to update your account information and keep your account active!!!”

These types of emails look very real, and in some cases they may have the correct logos from the organization that they are attempting to impersonate…but they are actually phishing scams. Phishing is the act of sending an e-mail to a user falsely claiming to be another trusted user, company, or organization such as a Church in an attempt to steal their credentials. The e-mail can contain a link to a fake web site that asks the user to enter personal information such as username, password, credit card number, and social security numbers. In some cases, the scammer may look up personal information about you from a social media site to highly customize the message that you receive to make it more realistic.

We often hear of massive data breaches in the news, and think that there must be some sophisticated ‘hack’ that is responsible. But, it may surprise you to find that phishing is the number one attack vector.

In today’s high tech world, learning to spot and avoid phishing scams is a life skill. Failure to do so can put you at risk of identity theft and/or financial loss. While there are technical controls out there than can offer some level of protection such as email filtering, scammers are skilled at defeating these controls. User education is often times the best defense against phishing.

Here are common phishing lures that scammers use:

Bills or Invoices – Fake ‘Invoice Due’ emails tend to get users attention and prompt them to open the message.
Account Lockout – A fake alert appearing to come from a familiar account telling the user they’ve been locked out and must “click here” to provide information.
Authority Figures/Executive Staff – People generally reply quickly from emails that appear to be from upper management in a company. Scammers take advantage of this by impersonating these employees.
Order or Delivery Confirmation Emails – Emails containing links where a recipient can click a link to check the status of an order can be phishing emails.
Recruiting/Job Search – Email purporting to be from a recruiter asking an individual to open an attachment or click a link could be a phishing email.
Refund or Prize Notifications – These often are purported to be from the IRS or other organizations that supposedly owe you a refund or have a prize for you to claim. Note: The IRS will never contact you via email.
Donation Requests – Email purporting to be from a Church leader asking for donations sometimes in the form of gift cards.

There are several signs you should look for to identify a phishing e-mail:

Any e-mail asking for your name, birth date, social security number, e-mail username, e-mail password, or any other type of personal information, no matter who the e-mail appears to be from, is almost certainly a scam. Reputable businesses do not send unsolicited e-mail requesting personal or financial information.
E-mails that are poorly worded, have typos, or have phrases such as “this is not a joke” or “forward this message to your friends” are generally scam e-mails.
Phishing mail often includes official-looking logos and other identifying information taken directly from legitimate web sites, and it may include convincing details about your personal information that scammers found on your social networking pages.
A few phrases to look for if you think an e-mail message is a phishing scam are:
- “Verify your account.”
- “If you don’t respond within 48 hours, your account will be closed.”
- “You have won the lottery.”

How to avoid being a victim:

Verify the URL (web address) of a website before clicking on a link. Malicious websites may look identical to a legitimate site, but the URL may use a variation of spelling or a different name. In some cases, the actual address in the link will be totally different than the actual website.
Don’t send sensitive information over the Internet before checking a website’s security.
Do not reveal personal or financial information, and do not respond to e-mail solicitations for this information. This includes following links sent in e-mail.
Never respond to suspicious e-mails or click on links inside suspicious messages.
If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email
Be aware that scammers are out there targeting information such as usernames, passwords, credit card numbers, and social security numbers.
Since some phishing scams contain links that attempt to install malicious software, having up-to-date antivirus software and operating system updates are important.

What to do if you are a victim:

Report it to the appropriate people within your organization.
If you believe your financial accounts may be compromised, contact your financial institution immediately.
Watch for any unauthorized charges on your account.
If you provided your username/password, change your password immediately for all accounts that use that password.
Scan your computer for viruses/malware.
If you see signs that your identity has been stolen, report the theft to the Federal Trade Commission (FTC) by going to: https://www.identitytheft.gov/. The FTC will guide you through the steps to take whether your information was stolen from your credit card account, utilities, checking and savings, or medical insurance. You should also place a fraud alert on your credit report to make it harder for criminals to rack up charges using your identity. The alert lasts for 90 days, but you can renew it if you need more time.

It’s important to note that while many phishing scams are delivered through email, some scammers will actually make phone calls to steal information that way also. Text messages can also be used in these schemes. Social media is also a common way for phishing and malicious links to spread. Technology has essentially allowed the door to door scammers of 20-30 years ago to move online and target thousands of people.

While phishing is a very real threat that we all face with modern technology, having an awareness that these types of attacks exist is an important step in avoiding becoming a victim. Armed with the information in this article, you should now be able to stay vigilant and avoid taking the bait from a phishing scheme!

Dennis Carson

Dennis Carson is employed as the Director of Networking, Security, and Data Center at California University of Pennsylvania. He possesses two Master's degrees (business and cybersecurity) and numerous certifications. His wife Kimberly is a campus minister at California University of Pennsylvania. He is active in many sports, including ultimate frisbee and weightlifting. Email him here.