Avoiding Email Spoofing and Scams

C. Anderson James | Technology

The short version: if an email that seems to be from presbytery or church staff looks/sounds/feels strange or asks for money or gift cards, it is almost certainly a scam. Delete the message and move on. Read on for more information on how to be aware of these and some ways you can help prevent these spoofs from taking hold in your network.

The longer version: If you’ve found your way here, it has probably happened again. Some scammer created a fake email address, impersonating you or a friend or colleague. Then they sent out emails to people you are associated with that they identified from public websites, asking for a moment of their time, seeking assistance with travel, trying to get you to send money to them (usually via gift cards), or generally asking for their help. Here’s one that came my way:

This is a nasty practice known as email spoofing. It very rarely involves an actual hacking incident but rather is a scam that depends on our instinct of kindness to inspire our response. Sometimes these get caught by email systems and labeled as spam, but when they don’t, they can be incredibly confusing and scary.

Here are some suggestions for responding when this happens, educating your contacts to avoid getting trapped when it does, and setting things up to protect against these as much as that is possible.

Responding to the Spoof

If you receive one of these suspicious messages:

  • Do not respond directly. This just verifies your potential relationship and makes you a further target!
  • Report the message and sender. Various groups on the internet are actively trying to shut these scammers down. If you use Gmail, follow the instructions here to file a report. You can also send a copy of the message to the Anti-Phishing Working Group at reportphishing@apwg.org. (Use your email program’s “forward as attachment” option if possible.)
  • If you responded and actually got scammed, file a report with local law enforcement.

If your identity has been spoofed, there’s not much that you can do. Congregations can consider informing members if the pastor’s identity has been spoofed, but it is impossible to know who received the spoofed messages. These situations have become so common that it is safe to assume that there is already a spoof going around with your name on it. The best response is to educate your contacts and help them protect themselves in the future.

Educating Your Contacts

The best way to prevent damage from spoofing is to educate yourself and your contacts. Unfortunately, this happens often enough that pastors and other church leaders should assume that a spoof is actively circulating with their name on it at any time. Here are some good practices to share with your contacts and congregation.

  • Check the email address. 99% of the time, the email address is different from the one you know. There may be a character or two off, an extra digit added at the end, or a misspelling or transposition of characters. It almost always comes from a gmail.com address instead of the church’s domain name. For example, all legitimate email from New Hope Presbytery staff will come from an address ending in @nhpresbytery.org—anything else is a scam. Make sure your congregation knows how legitimate emails from your church will be addressed.
  • If you think the request may be legitimate, use another trusted, offline method to confirm the request and need. Do not trust a supposed new phone number or email address for this purpose.
  • Never send anything of value in response to these messages, including payment by gift card. Thieves ask for payment in gift cards because they are difficult to trace and nearly impossible to reverse once sent on.
  • Don’t open an unexpected attachment. A real request for assistance will almost never include an unsolicited attachment. Attachments are the perfect vehicles to infect your computer with malware.
  • If an email sounds odd, it probably is. (Thanks, Pastor Will!) Always exercise caution when dealing with sensitive information and situations. Use the phone or talk in person if you are ever unsure.

Setting Things Up to Help Prevent Spoofing

These scams hack our social interactions more than our computers, so there is only so much that we can do to prevent them. But beyond educating our congregations on what emails to avoid, churches can also do a few things to help keep from getting looped into these scams.

  • Use a church domain for all staff email. This is the #1 way to help people avoid getting scammed! To help others identify church email, pastors, church administrators, and other church staff should use a church domain email address (for example, @nhpresbytery.org) whenever possible. You can even still use Gmail to read and respond to your messages. If you need some guidance about how to get this started, drop me an email.
  • Check your passwords.
    • Use strong passwords with a blend of uppercase and lowercase letters, numbers, and symbols for all your online accounts.
    • Don’t reuse your email account password on other websites.
    • Consider using a password manager program that can create randomized passwords rather than keeping a paper or electronic document with all your various website passwords.
  • Keep your computer and devices up to date. Much malware exploits security vulnerabilities that have already been patched, and the data it harvests feeds these attacks. Don’t postpone updates to your computer, tablet, or phone operating system unless absolutely necessary. Learning a few small changes after an update is a whole lot easier than recovering from a malware attack.

There’s no foolproof way to prevent these sorts of spoofing incidents, but I hope these steps are a helpful start. I’ve also included a few links below. Please email me at cajames@nhpresbytery.org if I can assist with these strategies, so that we can stay focused on using the important technology tools we have to support the work of the church.

Andy James

Links to learn more: