Don't Feed the Phish! An Email Campaign Warning

The Diocese has received multiple reports from parishioners who have fallen victim to a recent internet email phishing scam. The scam begins when the parishioner exchanges a series of emails from an imposter who assumes the name of the local parish pastor.

The scam starts when a parishioner receives a casual email from the imposter with a subject like, “Many Blessings.” The body of the email will say something like, “Good morning, how are you doing?” “I need a favor from you, email me as soon as you get this email.” Then the email is signed using the pastor’s name.

Unbeknownst to the recipient, he or she then replies to an address that is not the pastor’s, but an imposter’s email address. This type of social engineered attack is commonly referred to as Phishing or CEO Fraud (the latter because the imposter uses the name of a person you trust or have a close relationship and plays on a sense of urgency). The next email will ask the parishioner to buy iTunes gift cards for some cause (like a cancer victim) and then to transmit the photo of the gift cards with the numbers revealed to the imposter.

What is Phishing?

Phishing is an email or text message that will attempt to trick the recipient into doing something s/he wouldn’t normally do (in this case emailing gift cards) because the request seems urgent, yet simple (like sending money, a bank or credit card number, or your email and network credentials). Close examination of the sender’s email address will reveal that the address is not to the actual person (like the pastor). But, it could be easily overlooked because the imposter will take a legitimate email address (like FrJoe@gmail.com) and use FrJoe@aol.com (email address looks very similar ... yet, different).

DON’T FEED THE PHISH...

With Christmas just around the corner, we are seeing a spike of phishing emails asking for iTunes gift cards. But remember, it could be anything of value. We ask that parish staff members and parishioners be extremely cautious when responding to these types of emails. When responding to emails that request for gift cards, money, or confidential information, be suspicious and call the parish to confirm the email is legitimate. The Diocese will never ask you to send gift cards by email.

If you want more information on how to protect yourself on the internet, go to the SANS website and subscribe to the OUCH! Monthly Newsletters.

Finally, if you believe you are a victim of an internet crime (no matter what the dollar value), go to the following website to file a report with the FBI Internet Crime Complaint Center. Go to their website https://www.ic3.gov/default.aspx for more information.

The Chief Information Officer strongly suggests that all parishes post information in their bulletins and announcements be made after all the Masses for the next few weeks to bring awareness to parishioners about these phishing attacks. DREs might even consider having a poster contest within your Religious Education programs in an effort to promote internet security awareness to all the families.