Phishing emails targeting United Methodists are on the uptick. One email making the rounds is a classic pyramid scheme, asking for a contribution and promising big returns.
Members and leadership of The United Methodist Church are increasingly the targets of “phishing” emails designed to pass along viruses and steal personal information for use in identity theft.
“Spam, scam and phishing emails and texts aren’t anything new,” said Danny Mai, chief operations officer at United Methodist Communications. “However, increasingly, scammers are targeting more and more unsuspecting people using the guise of people in authority. It seems The United Methodist Church and its leadership has become a focus recently.”
Scammers use a variety of tricks to con people out of their passwords, bank account, or Social Security numbers to illegally access their personal accounts. Thousands of phishing emails are sent every day and many are successful, according to the Federal Trade Commission. In 2019, the FBI’s Internet Crime Complaint Center received 467,361 complaints and recorded more than $3.5 billion in losses to individuals and businesses.
One email making the rounds is a classic pyramid scheme, asking United Methodists to contribute an amount of money and promising that much more money will be sent back to them in return. No United Methodist church agency would ever offer such a program.
“Giving is part of the joy of the holidays,” said Bishop Elaine Stanovsky of the Greater Northwest Episcopal Area, which encompasses the Alaska, Oregon-Idaho, and Pacific Northwest conferences.
“But we should all make sure to review any online giving request carefully, even if it looks like it is coming from a trusted person or organization. I hate the thought that trusting people might be cheated by someone asking for money in my name without my knowledge.”
Anyone who receives a financial request from a bishop should verify it before sending a gift by contacting the office of that bishop or the Council of Bishops, said the Rev. Maidstone Mulenga, director of communications for the Council of Bishops.
“We are truly living in strange times when people would use names of bishops to scam someone out of their money,” Mulenga said. “If you get an email purporting to be from a bishop asking for financial help, please double-check that the email is from that bishop.”
Publically listing contact information has been a method for pastors and others to make themselves assessable. Unfortunately, it also allows scammers to get hold of the same information.
“Recently after email fraud here in New Jersey, we reviewed some of our current practices and are taking steps to address securing email addresses of individuals (in the conference),” said Bishop John Schol of the Greater New Jersey Conference. “We are also communicating that information in our conference journal may not be used to gather email and mail addresses for bulk use by an individual or organization.”
United Methodist Communications has been working on eliminating public lists of emails from various places, in particular the popular Find-A-Church data bank, Mai said.
“Find-A-Church relaunched in early 2020 with a new form-based contact feature, allowing searchers to still reach out to churches without an easy ability for harvesters to scrape emails from listings,” Mai said. “This is a first step, but there is still more to do to minimize sophisticated and targeted harvesting attacks on data.”
Administrators should review their websites with an eye toward omitting listings of email addresses or PDFs with email addresses in them, he said.
“Consider placing some sort of human challenge (username/password, captcha, etc.) in front of the information that doesn’t prevent true searchers from accessing information, but does slow down automated script attacks,” Mai said.
Here are some tips for spotting phishing emails and eliminating threats:
- Phishing emails often try to induce panic to encourage victims to reveal information without thinking it through. Common strategies include warning about suspicious activity or log-in attempts, claiming payment or personal information needs updating, including fake invoices, and urging clicking on a link to make a payment or get a refund or coupon.
- Sometimes when approaching a church audience, a phishing email will use a heart-tugging message or story to stir sympathy and encourage generosity. Although church institutions do encourage giving in various ways, be on the lookout for messages that seem manipulative and come through unusual channels.
- Emails that come from peculiar email addresses should be treated with caution. Criminals sometimes take care to include the name of a legitimate sender or a recognizable logo in the text of an email, but a check of the actual email address where it originates is often a giveaway of a phishing email.
- Check for spelling, grammar, and punctuation mistakes, and be on the lookout for awkward writing. Legitimate companies check for such errors before allowing a mass email to be sent.
- Beware of hyperlinks. Hover over before clicking on them and see if the link looks accurate. Sometimes scammers purchase a domain name similar to the one they are purporting to be, so inspect it carefully.
- Attachments, especially from an unknown or suspicious company name, should be treated with caution. Clicking on the wrong attachment can lead to viruses or malware being installed on computers and networks. Even if an attachment looks valid, scanning it with antivirus software is recommended.