With us all moving our social contact onto the Internet, into email and over the phone, we are all vulnerable to fraudulant activities with each of these forms of communication.
Over the last number of weeks, parishes across the diocese have been experiencing a new spike in email "spear phishing" attempts. These are emails made to look like they originate from a trusted person (cleric, warden, treasurer, friend) asking for money in the form of gift cards. There are also reports that phone scams designed to capitalize on people's current anxieties are also on the rise.
Key recommendations for email scams:
1) Check the sending address. All senders have the ability to set a personalized Display Name. That Display Name is completely separate from the email address: For example: If someone changed the Display Name on firstname.lastname@example.org to Logan McMenamie, it will appear as if the bishop is contacting you, even though he isn't. This is how the email is designed to work and will not be picked up as spam or blocked based on Display Name alone. To verify the 'true' email address click on the From line above the email, it should display the actual email address instead of the Display Name. If it looks like it's coming from an unknown email address, it is a phishing attack and should be immediately blocked and deleted. Do not reply to it.
Because our diocese uses standardized emails at both the synod level and the parish level it is easier to identify official emails related to our organization. They will either end with @bc.anglican.ca or the domain address of a parish website e.g. @stmarysoakbay.ca.
2) Verify the information. If you get a suspicous email, don't reply to it. Instead call or text the person to verify.
3) Block the sender. The way to do this will vary depending on your email client (e.g. Outlook, MacMail, Gmail). If in doubt, search for how in your search engine or ask someone to help you.
4) Notify your email provider. If you responded to a phishing attack, please call your email service provider (e.g. Telus, Bell) to notify them. Unfortunately if you have provided the fraudsters with personal information or sent them money, there is little that can be done to retrieve it, but contacting the company you purchased the cards from may help.
5) Do not publish on your parish website (directly on or in documents) the personal email addresses of anyone in your congregation. The only email addresses that should appear on your parish website are the official addresses of elected or appointed officials of the parish, which are themselves separate from those persons' personal email addresses.
Further information on Spear Phishing can be found here: https://resources.infosecinstitute.com/5-ways-to-identify-a-spear-phishing-email/. Please pass this information on to your contacts to help them keep their digital information safe and to protect themselves from this widespread fraud.
It's unfortunate that this is another thing we have to be so careful to protect ourselves from right now, but a moment's thought before acting will go along way to ensure this isn't one more thing you have to worry about.