Churches Continue to be Prime Targets for Social Engineering Scams and Email Attacks

Recently at Enable Ministry Partners, we have witnessed a rash of compromised (hacked) email accounts amongst churches and some of our clients. Compromised accounts pose dangerous security risks to churches and other organizations. Once an account is compromised, attackers can send any messages they desire directly from the compromised mailbox. Because the email comes directly from the compromised email account, the message appears to be a legitimate email from the mailbox owner.

In recent cases, the attackers were able to determine the organization’s bank account information quickly and send messages to the client’s bank via the compromised mailbox. These messages requested fraudulent account access changes and wire transfers. Unfortunately, because of this activity, some churches have experienced financial losses and leaks of their private church management database information. We have written about these types of attacks in other places, e.g., https://enableministry.com/2019/08/01/email-security/.

Cybercriminals are Using our Own Tools (and Human Nature!) Against Us

How can these “bad guys” compromise so many email accounts? One answer is that they are clever and have figured out how to use human nature and the church’s security protocols against unwitting users. One increasingly common and particularly frustrating approach cybercriminals utilize is a “Multi-Factor Authentication (MFA) Fatigue attack.”

As most users know, Multi-Factor Authentication is a method whereby a user can be protected from attack even when their primary login information and credentials have been stolen. By requiring additional confirmation of identity via a cell phone or other personal device that is in the physical control of the rightful account holder, MFA can prevent unauthorized logins by a “bad actor.”

MFA Fatigue attacks are insidious. In these attacks, a cybercriminal who has stolen a user’s account credentials repeatedly attempts to log in to the user’s account. These repeated attempts create and send a constant barrage of MFA push requests to the victim’s mobile device. This situation is annoying and tiring for the user. The goal of this continuous bombardment of MFA push requests is to persist until the victim lets their guard down and unknowingly allows the “bad” actor into their account.

Unfortunately, in the face of continuous attacks, many people get annoyed and worn down. Also, as these types of attacks become more familiar and commonplace, the attacks begin to lose their feeling of threat or danger. Once the sense of danger is gone, people may start to downplay or discount the seriousness of the situation. They cease being vigilant and may choose “Accept” to the MFA prompt to stop the barrage of requests. At this point, the “bad guy” has successfully entered their account and, potentially, the rest of the church’s systems.

So, What Can We Do to Protect Ourselves?

1. Remain vigilant to avoid falling victim to “MFA Fatigue.” MFA Fatigue can cause you not only to bypass MFA tools but also to resist other security procedures as well. Today, cybersecurity tools are your friends; they are not foes. Any additional steps or work involving these tools is much less onerous than dealing with a cybersecurity breach! By now, you definitely should have multi-factor authentication (MFA) enabled on your email account and any other system that supports this feature. Ensure you approve only those MFA prompts or requests that occur when you are actually trying to log in to your account! If you receive an MFA prompt at a time when you haven’t just attempted to log in, you should hit “no” to disallow the login. You should also immediately work to change your email account password, as it is very likely that someone has your password and has just attempted to log in to your account. We have provided more information on MFA and MFA fatigue at the following link: https://www.beyondtrust.com/resources/glossary/mfa-fatigue-attack
   
2. Be especially careful of any email that gives you a link to click on and then asks you to log in to Microsoft 365 or Google Workspace. It’s always best to manually type the address into your browser rather than clicking on a link in an email. Manually typing the address will help ensure you’re logging into only legitimate Microsoft/Google websites.
   
3. Implement an anti-phishing tool such as IRONSCALES and use your email application’s Report Phishing button to report suspicious messages. If you’re not already using IRONSCALES or another anti-phishing tool, please ask your leadership to contact your IT support staff to add this very effective and helpful tool for all your team. There are other tools, of course, but we have provided information on IRONSCALES at this link: (https://ironscales.com/resources/learn/anti-phishing-tools/)

Always use unique, long, complex passwords for every system and website! Never use the same password twice and change any password with fewer than 12 characters ASAP. Use a password manager to store these unique, long, and complex passwords securely. To get more information about password management tools, please see: https://enableministry.com/2021/04/14/why-you-need-a-password-manager-2/

What Are Some of the Specific Measures Enable is Taking to Help Our Clients?

We have adjusted the MFA settings for our Microsoft 365 clients to enforce “number matching,” which will enhance the security of the Microsoft Authenticator application by requiring users to type a two-digit code displayed on the computer into the mobile authenticator application. For example:

In 2022, Enable implemented additional safeguards for all Microsoft 365 tenants by disallowing end users from directly integrating third-party applications with their Microsoft 365 accounts. We did this to limit the possibility of a malicious third-party application (or a hacked third-party company) accessing your sensitive information stored in Microsoft 365. We will continue to scrutinize any requests for integration and discuss these with each client’s leadership before granting third-party application access.

We also continue to publish helpful security advice on our website and offer suggestions for additional tooling and processes in our quarterly meetings with client leadership. More info: https://enableministry.com/cybersecurity-tips-and-tricks/ and https://enableministry.com/wp-content/uploads/2022/09/Enable-Cybersecurity-Checklist.pdf

As always, if you have any questions about the security of your accounts or data or how you can better protect yourself and your organization, don’t hesitate to get in touch with us at help@enable.email.