The unfortunate truth is that cyber criminals are getting smarter and sneakier with their attacks, and we have seen an increase in phishing emails preying on churches specifically as of late. These cyber criminals are smart, and they know that churches are “in the business” of caring for and helping people. They create false scenarios that prey on your generosity, kindness, and willingness to welcome people who are new or lonely.

Phishing emails are also starting to look more realistic. Historically, one of the easiest ways to identify a fraudulent sender would be to simply look for email addresses with lots of random letters and numbers. However, they are getting smarter and using more realistic looking email addresses that coincide with the sender’s name. Typos are still a common red flag as well, but in the same vein, cyber criminals are improving their grammar and writing skills too.

Enable clients often forward these types of emails to our service desk, which we love because:

1. That means our clients are viewing these suspicious emails with discernment and awareness.
2. We are able to stay on top of the phishing tactics that are being utilized in real time and spread awareness for other churches.

Tools like IRONSCALES are extremely helpful for catching these widespread phishing emails and allow your IT manager to flag and remove identified emails from your entire organization’s email server before they affect end users, but the automated technology can only do so much. As the phishing emails get more sophisticated, end users must increase their awareness & discernment and be careful as they engage with these “people.”

Common Red Flags to Help you Identify Phishing Emails

• The email address contains a random mix of letters and numbers
• The email contains typos or odd language
• The email asks you to buy something
• The email asks you to provide financial information
• The email asks you to provide personal information about yourself or someone else at the church, especially the senior/executive pastor, a decision maker, etc.
• The email asks you to download an attachment or click a link — if someone you do not know is asking you to do either of these things, that is suspicious!!!

One tip for preventing these types of emails ending up in your inbox in the first place is to avoid posting your staff email addresses on your website in plain text or with an email link. Cyber criminals can easily crawl your website for email addresses, so if you include everyone’s information in an online staff directory, you are a making yourself an easy target for receiving these emails. An alternative is to only have one general email address on your website that all online inquiries go to. Whoever manages that email address can forward requests accordingly, and this person needs to be sure they are trained in cybersecurity and hyper aware when sifting through emails.

How to Safely Engage with These Emails

If you are pretty sure that you have a phishing email on your hands, and especially if you receive a message like the examples we’ve included in the next section, don’t respond!

However, we understand that sometimes emails that come through your website from unknown senders can be legitimate. As the phishing attempts get more and more sophisticated, we can’t know for sure if some of these emails are fake. But like we’ve mentioned, cyber criminals know that churches are full of kind people who have a desire to help others, so they are going to try and exploit that. Caution is strongly advised.

Below are some tips for how to safely engage with these emails so that if it truly is a real person, you are giving them options for legitimate communication. But if it actually is a cyber criminal attempting to phish you, following these recommendations will help you remain safe and make sure you’re not giving away information that could be used in a negative way.

• Only reply with “publicly available” information. In other words, you can send links and information that are already published on the church website regarding meeting and service times. Do not supply any additional information via email if you do not know for certain who you are speaking with.
• Offer that if the person wants more info, they should call the main church phone number that they can find online (again, already published on the website) and someone will be happy to assist them.

Examples: Most Recent Church-Targeted Phishing Attempts

These emails have both come through our client’s systems in the last few days. On servers where IRONSCALES was implemented, it was flagged and Enable was able to quickly identify & remove the emails and notify all of our clients to be on the lookout for similar messages. Share these examples with your staff to make sure you don’t fall for one of these fakes!

Example 1:

Hello,

My name is Guadalupe Hernandez. I’m moving to your area soon. Over the last few months as I’ve considered moving, I’ve been looking to get closer to God. I grew up in a religious family, but it’s been a long time since I’ve been to church. This past year has made me reconsider my life.

I’m making a fresh start, and I wonder if your church might be a good home for me. With my new beginning, I’m looking to attend a church where I will be welcomed.

Let me tell you a little bit about myself. Growing up my family moved around a lot, so I’ve lived all over the country. In my free time I enjoy watching sports and movies and reading. On a more personal note, I’ve held several jobs over my lifetime, but most recently I’ve worked on several campaigns for Republican candidates.

Would you be willing to meet with me after I arrive in the area?

Sincerely,

Guadalupe

At first glance, the message seems normal. However, on a closer look, it is an oddly worded message, the information provided is very vague, and the request is a little off. If something feels off, it probably is! One of our best tips that we can give is to trust your gut. In these situations, it is better to be safe than sorry!

*Note that Guadalupe has friends as well. We’ve seen similar messages come through from Darnell, Amy, and Julio.

This next example is fairly sophisticated, and quite honestly hard to decipher if it is a phishing email or not. It comes from a pretty normal-looking Gmail email address, it was sent through the contact form on the church’s website, and it asks a very specific question about involvement at the church. In this situation, if you are unsure whether it is a phishing email or not, fall back on the recommendation of responding with publicly available information — a link to a page on your website, or the option to call the church at the phone number that is already posted on the site, and have a conversation with someone to answer your questions. Don’t respond with a staff member’s personal contact information.

A few reg flags in this email — there is a typo and the language is slightly off. But this one is tough!

While seeing examples can be helpful, these patterns are ever-changing and evolving. Our desire is to help make you aware of the concepts and generalities to look for — not just specific messages and names. Cybersecurity demands discernment, vigilance, and critical thinking.

Additional Safety Measures

Ironscales

At this point, the easiest thing you can do TODAY to start combating these phishing email attempts is implement IRONSCALES for your organization. IRONSCALES is an incredible email security platform, designed to detect and remove threats in email inboxes. It is powered by AI and enhanced by thousands of customer security teams who are using the tool and helping it improve in real-time. It also acts as a bonus training tool because it notifies the end user when it detects a suspicious email, allowing them to view these emails through a high-alert lens and helping them identify dubious patterns. In our opinion, it is the very best fraudulent email detection service on the market. We recommend it to every single one of our clients, and we use it ourselves. Reach out to us at info@enable.email if you’d like help getting it set up for your staff.

Cybersecurity Awareness Training

Cybersecurity Awareness Training is one of the most important aspects of the entire cybersecurity landscape when it comes to end users. While there are several versions of security training software available, there is not yet a program that is comprehensive or effective enough for us to confidently recommend one. In all of our experience with church staff, we have found that live in-person training is far and away the most effective option and our current best recommendation. Enable has provided live in-person training sessions for both clients and non-clients alike, so please reach out to us at info@enable.email to set up a session or training series for your staff!