Scammers want you to send them money. They want your password(s) so that they can log into your accounts and steal your data. Many of their attempts are laughably easy to detect and ignore. Others are carefully crafted to create a very convincing request. These requests are particularly dangerous because they contain no malware and no malicious link, so they pass straight through traditional antivirus protection. It is easy to glance at an illegitimate request and perform the requested action. Consider this scenario:
A scammer visits your church website and carefully researches your Senior Pastor and Treasurer. There is likely a pictorial directory of all of your church staff somewhere on your site containing phone numbers and email addresses. Downloading a copy of a staff photo is easy to do. They then create a free email account and set it up to look like it is using your pastor’s email address; it even has your pastor’s face as the profile picture! At this point, everything is in place for a convincing scam. No laws have been broken. People set up throwaway email accounts all the time. Keep in mind that this isn’t a robot harvesting email addresses from your website for sending spam. This is a person researching information that will help them in their scam. If a new visitor can see it on your website, the scammer can too.
One morning your Treasurer receives an email that looks like this:
———- Forwarded message ———-
From: Your Pastor
Date: Wed, Feb 17, 2016 at 9:43 AM
Subject: Urgent Request
To: yourtreasurer@firstchurch.org
Cc: yourtreasurer@firstchurch.org
Hello Treasurer,
How are you doing ? I will like you to take care of a wire bank transfer for me today. Can you handle it? If you can, reply and let me know the required information you will be needing to process the wire bank transfer.
I will appreciate a quick response from you.
Thanks
Your Pastor
Your Treasurer should carefully review this email. Is it a legitimate request? For this example, only the Reply-To field showed that it wasn’t coming from Your Pastor: the From line looked right, but any reply would have gone to the scammer’s address. Most email clients do not show Reply-To in the normal message view; you can only see it by viewing the message headers. How do we view these headers? Every email program is different, but here’s how to do it in Gmail. In other words, unless you take an extra step, you have no idea that this is a scam. The best way to protect yourself is to reach back out to Your Pastor and ask whether they made this request. Send a brand new email message (DO NOT hit Reply, because Reply goes wherever Reply-To points). Make a quick phone call or send a text message. Walk down the hall and ask. If the pastor didn’t make the request, disregard this message: don’t send the money or give away your password!
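The header checks described above can be automated. The following is an added example, not code from the original article: it assumes a small, hypothetical staff directory (display name to real address) and an organisation domain of firstchurch.org, and it flags a Reply-To that differs from From, a familiar display name on the wrong address, and a sender domain crafted to resemble yours. The three messages at the bottom are constructed to mirror the article’s example, with made-up addresses.

```python
"""Header checks for the 'urgent wire transfer' message.

Added example; not code from the original article. Assumes a hypothetical
staff directory and an organisation domain of firstchurch.org. The sample
messages below are constructed, with made-up addresses.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "firstchurch.org"

# Hypothetical directory: which display name legitimately uses which address.
STAFF_DIRECTORY = {
    "your pastor": "pastor@firstchurch.org",
    "your treasurer": "yourtreasurer@firstchurch.org",
}


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def _looks_like(domain, org_domain):
    """Crude lookalike test: the org's first label appears inside a different domain."""
    label = org_domain.split(".")[0]
    return domain != org_domain and label in domain.replace("-", "")


def check_headers(raw, directory=STAFF_DIRECTORY, org_domain=ORG_DOMAIN):
    """Return a list of 'code: detail' warnings; an empty list means no header oddities."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # The check the article relies on: Reply-To sends your answer somewhere else.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"reply-to-mismatch: replies go to {reply_addr}, not {from_addr}")
        if _domain(reply_addr) != org_domain:
            warnings.append(f"reply-to-external: {_domain(reply_addr)} is outside {org_domain}")

    # Display name of a known colleague, but not the address the directory has for them.
    expected = directory.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        warnings.append(f"display-name-mismatch: '{from_name}' is {expected}, not {from_addr}")

    # Sender domain that is not ours, especially one built to resemble ours.
    from_dom = _domain(from_addr)
    if from_addr and from_dom != org_domain:
        if _looks_like(from_dom, org_domain):
            warnings.append(f"lookalike-domain: {from_dom} resembles {org_domain}")
        else:
            warnings.append(f"external-sender: {from_dom}")
    return warnings


# Constructed sample: the article's message, with a made-up Reply-To address.
SPOOFED_REPLY_TO = """\
From: Your Pastor <pastor@firstchurch.org>
Reply-To: yourpastor.firstchurch@gmail.com
To: yourtreasurer@firstchurch.org
Subject: Urgent Request

Hello Treasurer,
How are you doing ? I will like you to take care of a wire bank transfer for me today.
"""

# Constructed sample: a free account on a lookalike domain, no Reply-To at all.
LOOKALIKE_SENDER = """\
From: Your Pastor <pastor@firstchurch-org.com>
To: yourtreasurer@firstchurch.org
Subject: Urgent Request

Can you handle a wire transfer today?
"""

# Constructed sample: a genuine internal message.
LEGITIMATE = """\
From: Your Pastor <pastor@firstchurch.org>
To: yourtreasurer@firstchurch.org
Subject: Budget meeting

See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed reply-to", SPOOFED_REPLY_TO),
                       ("lookalike sender", LOOKALIKE_SENDER),
                       ("legitimate", LEGITIMATE)]:
        print(label, "->", check_headers(raw) or "no header warnings")
```

A warning from this check is a reason to verify out of band, not proof of fraud: a legitimate message can set Reply-To to an assistant’s mailbox, and a clean set of headers does not prove the pastor sent it, since a compromised real account passes every check here. The phone call down the hall is still the deciding step.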
There are excellent resources on how to detect and protect yourself from this type of scam here: Spear Phishing or Whaling Scams Continue to Lure Organisations.
The attacker’s aim is to steal company information or credentials, deploy malware, or steal money.
The scammer sends a highly personalised email. It seems to come from a trusted source, and at first glance the sender’s address looks the same as other addresses frequently used within the organisation; on closer inspection it is not, but employees are unlikely to notice.
The scammer’s aim is to create urgency. The email will often concern an urgent matter that requires critical action and so takes priority over everything else.
An employee opening the email sees a message from a colleague or a trusted source they regularly deal with, demanding that they take urgent action. This often involves following a link to a fake website; because nothing has so far appeared out of place, the convincing site is simply the next step in the scam.
To the employee the site looks and feels authentic, and they continue to act on the urgent request by entering company information and/or passwords, or by providing financial details. Alternatively, the email may ask you to download an attachment that places malware on your computer, which can log activity and give the scammer access to your company information.
At this point the scam has only just begun: the attacker has a foot in the door and has acquired the information needed to take the attack further, which will more than likely culminate in a breach. A breach is detrimental to the organisation and can involve loss of data, substantial financial implications, legal ramifications, and damage to the organisation’s reputation.
Know the warning signs
Be aware of tactics often used: impersonation, enticement and the bypass of access-control.
- You receive an urgent email that you are not expecting, requesting that you take urgent action, often relating to a customer service complaint or legal issue. Take caution.
- Take extra care when looking at the sender’s address. It may look similar but not identical to a familiar one, or may be one that you do not recognise.
- Look out for incorrect spellings, vocabulary used incorrectly, and similar oddities.
- The email contains a link to a site or an attachment. It appears authentic, complete with logos and branding.
- You are asked to take urgent action, often involving entering company or personal information or financial details, making a payment, or downloading software.
The days of trusting email are unfortunately over. If someone is asking you for passwords, security-related information or money, use caution. Follow up with that person through a trusted method you already have (a known phone number, a fresh email to their directory address, or in person), not by replying to the message. Figure out whether or not the request is legitimate before you take action.