Grace Notes: February 21, 2024 – Rev. Kimberley Debus

from Rev. Kimberley Debus

For a few years now, I have watched as other ministers post warnings about fake emails or texts pretending to be them, asking for gift cards or some such, with concerns about hacking, safety, and often a rush to change passwords. I wondered why I wasn’t experiencing this – until this past autumn, I suddenly was. And then I wondered what was happening, and my curiosity got the better of me, and down the rabbit hole I went.

So what is happening?

In a nutshell, scammers are working very hard to part you from your money. This is called “phishing.” Scammers will hunt for data across the internet – which includes emails and phone numbers – then create fake emails that look a lot like official emails from trusted sources, like Amazon, Best Buy, or even banks, and send tons of these fake emails out to the addresses they have. It’s a fishing expedition, as they hope to catch even one person who takes the bait.
Now those more general phishing scams go out randomly. But scammers have learned to be more savvy, and now there are two kinds of more targeted phishing.

The first is called “whaling,” because they go after the big fish (CEOs, CFOs, etc.). Their goal is to deceive top personnel in organizations to get large sums of money, trade secrets, access to secure systems and databases, and even execute unauthorized actions that can compromise a corporation. I mention this one because the way it was first described made me think we were also seeing that, but now I know they are trying to scam the top folks, not use the authority of a leader to scam others.

What we are experiencing is called “spear phishing” – this is what we see any time an email or text purports to come from a minister or other leader of the congregation. Similar to phishing, they mine data, but in these cases, they highly personalize the fake emails to “hopefully” make it sound authentic. This is why you see a lot of things like “peace and love” or “god bless” in the text. By using the name of someone in a position of authority like a minister, they are counting on your not reading closely and wanting to help.

Now to be clear – no one’s personal accounts are hacked in any of these phishing schemes; they are using data that is – for hackers – easy to get, and if you look at the email addresses or phone numbers these scammers use to contact you, you’ll see they usually aren’t anywhere close to real.

And it’s still a pain.

So how do you know when it’s a scam?

When you know what to look for, they’re easy to spot. Typical spear phishing attempts contain an unusual sense of urgency, incorrect email address or phone number, spelling or grammar mistakes, asks for sensitive information, links that don’t match the domain, and sometimes unsolicited attachments. Additionally, you are likely to know how your minister signs their name, what they sign off with (mine is typically “Cheers” or ’“Blessings”), and in my case, if I’m texting you, I either already know you have my number and will see it’s from me, or I’ll state up front that it’s me if I’m not sure you do.

And of course, use your common sense. If it seems odd that I’m in a meeting and need hundreds of dollars of gift cards right now for something you haven’t heard of, there’s your sign. Any time there’s even a scintilla of doubt, go with that feeling. Check the email address it actually came from. Look for awkward language (for example, the word “kindly” often shows up in phishing emails). Look at the situation. Heck, even look for my lengthy signature block on email.

Now why am I suddenly part of the club?

That’s easy. For years I was never with a congregation for more than six months, and I was never listed anywhere as a lead or senior minister. That changed when I took this role as lead of the interim ministry team, and it was listed on the website… which is about the only downside to this otherwise amazing work we are doing together.

Hope this helps! Now continue to be excellent to one another.

Rev. Kimberley