It has come to our attention that some of our clients’ parishioners received emails and texts that appear to come from their pastor, asking them to respond with information. These messages are a scam and are referred to as phishing emails.
We are taking the appropriate steps to prevent this from happening again, but we cannot do it alone. Please keep in mind the following guidelines to help overcome this issue.
What is phishing?
Phishing is usually done through email, text, ads, or by sites that look similar to sites you already use. For example, someone who is phishing might send you an email that looks like it’s from your bank so that you’ll give them information about your bank account.
Be cautious if an email, site, or text asks for:
- Usernames and passwords, including password changes
- Social Security numbers
- Bank account numbers
- PINs (Personal Identification Numbers)
- Credit card numbers
- Your mother’s maiden name
- Your birthday
When you get an email that looks suspicious, here are a few things to check for:
- Check that the email address and the sender name match.
- Check whether your mail provider shows the email as authenticated.
- Hover over any links before you click on them. If the URL of the link doesn't match the description of the link, it might be leading you to a phishing site.
- Check the message headers to make sure the "from" header isn't showing an incorrect name.
- To check some of these items, expand the message header in your mail client to see the full details.
- Confirm with the sender via another method (call or text).
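The checks listed above can be applied to a saved message mechanically. The script below is an added example, not part of this notice or GCI's tooling: it parses a constructed sample message and flags a sender address that is not on the expected parish domain, SPF/DKIM results other than "pass" in the Authentication-Results header, and links whose visible text names a different host than the one they point to. All addresses, domains and header values are made up; "parish.example" stands in for the real parish domain.

```python
# Added example: run the sender, authentication and link checks over one message.
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (all values are made up for illustration).
SAMPLE_EML = """\
From: "Fr. John Smith" <pastor.request@free-webmail.example>
To: parishioner@parish.example
Subject: Quick favor
Authentication-Results: mx.parish.example; spf=fail smtp.mailfrom=free-webmail.example; dkim=none
Content-Type: text/html

<p>Please log in at <a href="http://parish-login.example.net/x">parish.example</a></p>
"""

def sender_domain_mismatch(msg, expected_domain):
    """True when the From address is not on the domain the parish actually uses."""
    _name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain != expected_domain.lower()

def auth_failures(msg):
    """SPF/DKIM results from Authentication-Results that are not 'pass'."""
    hdr = str(msg.get("Authentication-Results", ""))
    results = dict(re.findall(r"\b(spf|dkim)=(\w+)", hdr))
    return {k: v for k, v in results.items() if v != "pass"}

def link_mismatches(msg):
    """Links whose visible text names a host other than the one the href targets."""
    body = msg.get_body(preferencelist=("html",)).get_content()
    bad = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        target = urlparse(href).hostname or ""
        shown = re.sub(r"^https?://", "", text.strip()).split("/")[0]
        if shown and shown.lower() != target.lower():
            bad.append((text.strip(), target))
    return bad

def triage(raw, expected_domain):
    """Apply all three checks and return the findings as a dict."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "sender_domain_mismatch": sender_domain_mismatch(msg, expected_domain),
        "auth_failures": auth_failures(msg),
        "link_mismatches": link_mismatches(msg),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EML, "parish.example"))
```

Any non-empty finding is a reason to stop and confirm with the sender by another method, as the last item in the list above says.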
Take these precautions when texting:
- Only open text messages from someone you know and trust.
- Don’t send personal information by replying to a text from an unknown sender.
- If the text contains a telephone number, do not call the number. It is just another part of the scam.
- Always go directly to a company’s website, not the link included in the text message. Scammers can build fake websites using forged company logos, signatures and styles.
- Ensure that a website is secure by checking to see whether there is an “s” after the http in the address and a lock icon at the bottom of the screen.
See more information on att.com.
Examples of the phishing scams include:
- "I am going into a meeting and need a favor. Please buy gift cards and email me the codes."
- "Please contact me about doing a Bank Wire Transfer."
- "I sent you an email that loaded a virus on your computer. Your (some personal information such as cellphone number, address, or a password) is xyz. I have been monitoring your internet activity and will notify your manager that you are visiting inappropriate sites unless you send me money."
- "How are you doing? Kindly email me your personal number, thank you."
All parish-wide emails that are truly from our clients are sent by an email service provider (MailChimp, Vertical Response, Flocknotes, Constant Contact, etc.). If anyone at the parish, including the pastor, emails you directly, the message will come from the parish's own domain email address. The domain is the part of the address after the "@", and it matches the parish website address.
If you see something, say something
When you see a fraudulent email, report it.
If you are using Gmail or if the fraudulent email appears to come from a Gmail address:
This moves the email to spam, and prompts Google to investigate. Even if another staff person or parishioner has already reported it, report it again. Google will weight the issue based on the number of reports.
To submit a phishing scam message to Microsoft:
- Create a blank email message.
- Address the message to firstname.lastname@example.org.
- Add the phishing scam message to the new message as an attachment.
Note: You can attach multiple messages to the new message. Leave the body of the new message empty.
- Click "Send."
See more information on microsoft.com.
To report a phishing email to Comcast:
- Copy the full message headers from the spam message. Do not forward the spam email.
- Paste the header and the message into an email.
- Send it to email@example.com with the subject line "Phishing email."
See more information on xfinity.com.
If you receive a fraudulent text:
- Report the number as spam to your cell provider.
- Block the number.
- Alert GCI or someone in the parish so we can warn the community.
Please let GCI know when you receive a phishing email or text as well, so we can be sure to block the offender.
Prevention (for our staff)
We ask that all staff change their email passwords and turn on 2-step verification immediately.
For our staff using Gmail, follow these links:
For our staff using Office 365, follow these links:
Our clients have multiple levels of security in place for their technology systems; however, no system is perfect. The parish email system has protocols to protect and validate email, including spam and junk-mail filtering, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records, as well as firewalls, antivirus, and Domain Name System (DNS) layer protection. Cooperation and vigilance are still required.
If you have any questions, please contact GCI or your parish office directly. We apologize for any inconvenience or confusion this may have caused you.