Beware of spoofed emails targeting churches
NOTE: Official North Alabama Conference email correspondence will only come from @umcna.org, @naconf.org or @brtapp.com email addresses. Any other email regarding Conference business not from these domains should be considered suspect and fraudulent. Please use the forwarding method when a questionable email is received to verify the sender.
The coronavirus pandemic has disrupted and changed many aspects of our lives over the past year. One thing that has remained the same is fraudulent emails targeting church members, staff and clergy.
As more of our church interactions have moved online, it is more important than ever to be on the lookout for possible scams and online phishing schemes. Below is an article that originally was posted in early 2019. The information is still relevant and helpful to keep you from falling victim to this type of malicious online behavior.
Recently there has been an increase in fraudulent emails targeting church members and staff.
A common version of the scam seen in the North Alabama Conference is an email appearing to be from the Bishop sent to Conference staff members, pastors or church members asking them to send money or purchase gift cards for an emergency situation. Several churches have also reported similar phishing emails sent to their church staff or membership appearing to be from the pastor.
On careful inspection of these spoofed emails, the receiver can notice several red flags including a “reply to” address that does not match the supposed sender’s email, odd wording and strange formatting.
North Alabama Conference Director of Information Technology Pete Banish recommends several steps you can take if you think you have received a scam email.
- Double-check the sender’s email address. A spoofed email address often has an extension similar to the legitimate email address.
- Look for clues. Does the email contain weird indents, or is it composed of just sentence fragments? Does the sender usually send short emails or odd requests? These are telltale signs that the email is not legitimate.
- “Forward,” don’t “reply” to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures you use the intended recipient’s correct e-mail address.
- Always verify in person or by telephone before sending money or sensitive data. Be suspicious! Make it standard operating procedure to confirm email requests for wire transfer, debit cards, account information or confidential information. Confirm face-to-face, or through a phone call using previously known numbers, not phone numbers provided in the email.
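The header checks described above, as an added example that is not part of the original article: it flags a sender outside the Conference's official domains, a near-miss of one of those domains, and a "reply to" address that differs from the sender. The similarity cutoff, the flag names and the sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Official Conference domains, taken from the note at the top of the article.
OFFICIAL_DOMAINS = ("umcna.org", "naconf.org", "brtapp.com")
LOOKALIKE_CUTOFF = 0.8  # assumption: similarity ratio treated as "too close"

def address_of(header_value):
    """Lowercased bare address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def red_flags(raw_message):
    """Return the red flags found in one raw message's headers."""
    msg = message_from_string(raw_message)
    sender = address_of(msg["From"])
    reply_to = address_of(msg["Reply-To"])
    domain = sender.rpartition("@")[2]
    flags = []
    if domain not in OFFICIAL_DOMAINS:
        flags.append("sender-not-official")
        for good in OFFICIAL_DOMAINS:
            if SequenceMatcher(None, domain, good).ratio() >= LOOKALIKE_CUTOFF:
                flags.append("lookalike-of-" + good)
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample messages (not real mail).
SPOOFED_REPLY_TO = (
    'From: "Bishop" <bishop@umcna.org>\n'
    "Reply-To: urgent.request@mail.example\n"
    "Subject: Quick favor\n\nAre you available? I need gift cards today.\n"
)
LOOKALIKE_SENDER = (
    'From: "Pastor" <pastor@umcna.0rg>\n'
    "Subject: Emergency\n\nPlease reply as soon as you can.\n"
)
LEGITIMATE = "From: office@umcna.org\nSubject: Newsletter\n\nSee you Sunday.\n"

if __name__ == "__main__":
    for name, raw in [("spoofed reply-to", SPOOFED_REPLY_TO),
                      ("lookalike sender", LOOKALIKE_SENDER),
                      ("legitimate", LEGITIMATE)]:
        print(name, "->", red_flags(raw) or "no flags")
```

An empty result does not prove a message is genuine, so the in-person or telephone confirmation step still applies.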
These phishing emails sometimes work because they are written in a convincing manner for the specific audience which they target. Additionally, the subject line and body of the emails often create a sense of urgency so the receiver acts quickly without noticing signs that the email is a scam.
This type of email often makes it through spam filters because it doesn't contain malicious links or attachments that would normally flag it as dangerous.
Banish notes that he is taking all possible steps to protect @umcna.org addresses from these scams. He says, “For my part, I also have the ability to blacklist addresses that are found to be fraudulent.”
Anyone who receives a scam email at their @umcna.org email address can report it by forwarding the email to firstname.lastname@example.org and the fraudulent sender will be blocked.
Banish adds, “Larger churches or churches with their own email systems are just as easy to exploit and often don’t have the staff resources to tackle problems like these.” Therefore, he encourages everyone to stay vigilant when checking their email and to follow the steps above to avoid falling victim to an email impersonation attempt or spoofed email scam.