The following is a memo from Lois Locey, Chancellor of the Diocese of Sacramento:
We received reports this past week of emails sent from a spammer impersonating a Gmail account of several pastors within our diocese.
The subject of the email was typically GOD BLESS YOU and they requested a reply (often times, it was a request of a gift card, such as iTunes). A careful inspection of the return email address, in some of the cases, revealed an incorrect spelling of pastor’s name. The emails seem to be sent to those who have an email listed on the respective parish’s or Catholic entity’s website (such as the staff directory or ministry leader directory). If you, any of your staff or parishioners receive this email, please do not respond. This is an example of the tactics used by spammers to receive money or personal information from you.
This particular spoofing email scam seems to be targeting Catholic parishes and dioceses throughout the United States for the past several months. Other dioceses have reported that the emails are sent repeatedly every few weeks or months.
I have asked Philip DeLeon, Chief Information Officer of the Diocese of Sacrament’s Office of Information Technology Services to provide some guidance on how to protect our parishes and Catholic entities from phishing and spoofed email. The following is his guidance:
- -The Pastoral Center frequently receives notification from parish staff members that parishioners are receiving email from someone who is attempting to impersonate the pastor or another member of the clergy. It’s usually in the form of a casual email where the sender sends a casual and brief note like, “Good morning John, I want to send some electronic gift cards to some needy members of the community.” “Can you help?”
- -The signature line uses a familiar name of the pastor, like “Fr Joe.” Unbeknownst to the email recipient, he or she then replies to an email address that is not the pastor’s, but an imposter. This type of social engineered email occurs frequently and is commonly known as a phishing email or a CEO Fraud (the latter because the imposter usually uses the name of the CEO of an organization). What is Phishing? Phishing is an email or text message that will attempt to trick the recipient into responding by sending money, sharing a password, PIN, or something of value (could even be parish checking account, credit card account or the parish email and network account).
- -Close examination of the sender’s email address will reveal that the address is a phony. But, it could be easily overlooked because the imposter will take a legitimate email address (like FrJoe@gmail.com and use FrJoe@msn.com (email address looks very similar … yet, different). The holidays are quickly approaching and we will start to see more of these phishing emails to try and trick the recipient into sending currency or something of value.
- -We ask that parish staff members and parishioners be extremely cautious when responding to these types of emails. When responding to emails that request for money or something of a confidential matter, consider responding to the email request in person or by telephone to confirm the email is legitimate. Texting and email should only be used as a secondary method of validation.
From Diocese of Sacramento website.