Dear all,

A new twist: even emails from normally trustworthy email addresses can be suspect. Two island parishes were hacked last week and sent round a legit-looking request to log in with Microsoft credentials to view an invoice. Fortunately I thought it was odd that another parish would be sending me (and the rest of the lower Island parish admins) any invoice, let alone all the same one, so I emailed back to their proper email address – and got a scammer's weird generic reply. So I called their office to check with the real admin, who said it wasn't from her. They are getting ever sneakier, so we have to be ever more attentive and critical. If you're not expecting a message with an attachment or a link to click, even from an email address of someone you know, delete the message and check with them via non-email means. If it was legit, they can always send it again.

Generally, the below does still apply as well:

A parishioner has let us know about the latest of many 'phishing' emails that are circulating and misusing names and email addresses related to the church. Phishing is a malicious attempt to obtain sensitive information by sending emails disguised as coming from a trustworthy website, person, or company. If you are already familiar with these, feel free to skip. But they are still taking people in. Let's work through this example. The email began:

"Rev. Canon Peter Parker <carechurch303 @ gmail.com> wrote:
"Hello! Are you less busy at the moment? I got a request for you to manage discreetly. I will be going into a meeting soon, no calls so kindly respond back via mail. Thanks,
"Rev. Canon Peter Parker."
We can already see several clues that the message is fake:
1) The real Peter Parker would not be writing, particularly about St Philip business, from "carechurch303 @ gmail.com".
2) The recipient's own name was in the email's subject line, which is odd in itself, but the email message just starts "Hello" without using a name.
3) Peter wouldn't usually sign informal emails with his full title.
4) The writing style doesn't fit.

The correspondence continues:

"Thanks for your response, I have been thinking of giving the staff something as a show of appreciation to the various dedicated staff including yourself, and I came to a conclusion of getting them a gift card. I will be glad if you can volunteer to help me manage this as I am occupied at the moment. This is a surprise and should be Confidential until they all have the gift cards as it's a surprise. Can you help get this done?"

Again, reading carefully, the writing style is a little strange, and more importantly, this is not how St Philip goes about showing appreciation for staff.

The next step:

"Thank you for your consideration and forthcoming response. I sincerely appreciate your flexibility and willingness to help, I’m glad I could count on you, I aim to surprise every staffs with a photo of a gift card through their individual emails. I already have their chosen emails, and I'd appreciate your assistance with the purchases. I'll see to it that you receive your reimbursement as soon as possible. Please let me know if you can assist in purchasing the Gift Cards as requested so that I can provide you additional information about how I want this done. Thanks
"God Bless"

And now the scammer has come to the point: a request for the 'scammee' to make purchases. Note the language is still odd but also careful - "I aim to surprise every staffs with a photo of a gift card" - not with an actual gift card! No names or occasion are mentioned. The scammer's aim is to get the recipient to buy the (virtual) gift cards on their behalf - and then disappear. No staff reward, no reimbursement. Again, the suggested procedure should be ringing warning bells. Fortunately, it did.

Alas, we all have to be ever more vigilant these days in checking that emails are genuine. Spam or phishing emails are as common as those phone calls from "This is your credit card provider" or junk mail by post saying "You have won a million dollars, all you need to do is send us a thousand dollars", but they can have a more sophisticated appearance these days, and the consequences of being fooled can be serious and expensive. Four things you can check right away are:

1) Sender's email address - check for the address <inside angle brackets like this>. There may be a name as well, e.g.
St Philip Oak Bay <admin@stphilipvictoria.ca>
If they don't match, e.g. Peter Parker <gonephishing@churchy.com>
that's not a good sign. *If they do match, it could still be spam, see above.

2) Actual URL (web address, format http://www.whatever.ca) of any links in the message. Don't click on them, just move your mouse over the link to make the full address appear in a little popup box. If the linked text in the message is "St Philip Church" but e.g. http://www.whoopeecasino.ca appears when you move your mouse over it, it's not genuine. The URL may pop up right next to the link, or it may be near the bottom of your screen. Or somewhere else on your screen depending on your computer and software! Practise by moving your mouse over the (real and harmless) link below, and see where the URL pops up.

St Philip Victoria

You should see the full URL of this article: https://www.stphilipvictoria.ca/news/recent-spam-and-phishing-attempts

3) Language style and nature of the request - does it fit with what you know of the supposed sender and the usual way of doing things?

4) Lack of specific details - the sender is hoping you will assume it's genuine and read more into the message than is really there.
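The first two checks above can also be done by a small script. The following Python example is added here and is not part of the parish's article: it parses a constructed sample message modelled on the ones described, reports a display name whose address sits on an unexpected domain, and reports a link whose visible text names the church while really pointing elsewhere. The KNOWN allowlist and the sample message are assumptions made up for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist for this example: a name we know and the only
# domain that name legitimately sends from or links to.
KNOWN = {"peter parker": "stphilipvictoria.ca", "st philip": "stphilipvictoria.ca"}
# Enough for <a href="...">text</a> in a demo; not a full HTML parser.
LINK = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def claimed_domain(text):
    """Domain a piece of text implicitly claims by naming someone we know."""
    low = text.lower()
    return next((d for k, d in KNOWN.items() if k in low), None)

def on_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return the warnings the two checks raise for one raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    # Check 1: the display name against the address inside the angle brackets.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    expected = claimed_domain(name)
    if expected and not on_domain(domain, expected):
        warnings.append(f"From says '{name}' but address is at {domain}")
    # Check 2: the visible link text against the destination a mouse-over shows.
    html = msg.get_body(preferencelist=("html",))
    links = LINK.findall(html.get_content()) if html else []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"\s+", " ", text).strip()
        expected = claimed_domain(text)
        if expected and not on_domain(host, expected):
            warnings.append(f"link '{text}' really points to {host}")
    return warnings

# Constructed sample modelled on the page's examples, not a real message.
SAMPLE = """From: Peter Parker <gonephishing@churchy.com>
Subject: Invoice
Content-Type: text/html; charset=utf-8

<p>Hello! Please view the invoice at
<a href="http://www.whoopeecasino.ca/login">St Philip Church</a>.</p>
"""
```

Running check_message(SAMPLE) returns both warnings; a message from admin@stphilipvictoria.ca linking to www.stphilipvictoria.ca returns none.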

If you receive this kind of email, or others you find in any way odd, please read critically and:
1) Don't reply.
2) Don't click on any links or images in the email.
3) Don't open any attachments.
4) Delete the email.
5) If you are concerned about missing a genuine request, call the supposed sender on the phone, or write them a new email from scratch, at the email address you know is correct.
* If the email seems to come from a genuine address of someone you know, the address could have been hacked (broken into and used without authorization), so use the phone or a different way of getting in touch.

All that said, it is also worth occasionally checking your Junk or Spam email folder. Email filters are not perfect, and while they may let a phishing attempt like this into your Inbox, they do also sometimes send genuine emails straight to the Junk folder!

More about the many kinds of online scams, and how to spot and avoid them:

from McAfee Antivirus software

from the Canadian government

from Chartered Professional Accountants of BC - about AI scams

and see pp22 and 23 of the CPA Magazine, HERE
