Fraudulent Email Communication from Scammers

Dear Parishioners,

If you receive an email that appears to be from the Bishop, or a member of our clergy, asking you to take some kind of unusual action – click a link or download an attachment you didn’t request, wire money to a specified account, purchase gift cards and reply with the serial numbers, or simply to reply quickly, watch out – it could be a form of email “phishing” known as “whaling.”

Whereas “phishing” involves sending a fraudulent email to a large group of people in the hope that a few will respond, “whaling” involves forging communications that look like they’re from the “big fish” in an organization, i.e. the “whale.” For us, this usually means the Bishop or a clergy person, although it could be someone else in authority.

The message will give some explanation of why the leader needs your help immediately. They may include some story about another person in dire circumstances whom the bishop or priest is trying to help. But instead of helping a needy person, if you respond you will actually be turning over money and possibly your identity information to a scammer.

Because these emails are usually crafted more carefully than your standard “phishing” email, they can be more difficult to detect.

It appears that the scammers have been operating over a period of several weeks. Parishioners have alerted us to emails that “appear” to be from Rev. Phillip Craig. Sometimes, the staff and other members have received them as well. One of our Facebook accounts was also impersonated, sending out fake messages purporting to be from a member of our staff.

Unfortunately, it’s difficult to stop these “whaling” attacks. The email accounts in question have not been hacked. Instead, they are being “spoofed” – that is, a fraudulent email account is cleverly configured to look at first glance like a legitimate one. Even if you block the fraudulent email, they’ll just use another. Same thing with text messages from fraudulent phone numbers. It’s like playing “whack-a-mole.”

You can’t stop the senders of “whaling” emails, but what you can do – which is entirely free – is educate yourself and other potential recipients. Here are two simple guidelines to help potential recipients avoid being tricked:

Verify the “from” email

The malicious actors behind “whaling” attacks are counting on people springing into action as soon as they see an important name on an email. You can outsmart them by looking beyond the name and checking the “from” email address to see if it matches what you know the alleged sender’s email to be.

If you only see a name, you can cause the “from” email address to be displayed by hovering the cursor over the name.

Rev. Phillip Craig’s email is always [email protected]. No other variation of his email address is official.

Confirm requests with a conversation

Even if the email or text seems legitimate, if a request seems even remotely “off,” don’t act on it until you confirm it with a phone call or face-to-face conversation.

In the case of an alleged message from the Rector, you may want to reach out to a member of our staff, using their contact info in the staff directory. DO NOT reply to the suspicious email or text. Likewise, if a member of your parish staff is asking you to do something unusual, confirm with a phone call. Additionally, you can forward the message to [email protected] for us to review.

Observing these two steps will go a long way in identifying and avoiding “whaling” attacks before they get their hooks in you.

Sincerely,

St. James Admin