Parishes urged to be on the lookout for email scams

BRAINTREE -- Last June, many people on the contact list of St. Stephen Parish in Framingham received emails claiming to come from the parish, asking the recipient to purchase a Google Play gift card as a present for someone and promising to pay them back.

One of the recipients, Osvaldo Calderon, who is in charge of media at the parish, knew that something was not right about this. He immediately notified the pastor and then contacted the parish office, confirming that it was not from any of the staff. They posted a warning about the fraudulent emails on the parish Facebook page, and at Calderon's suggestion, the parish created a new email with their own domain name.

Speaking to The Pilot on Nov. 5, Calderon said he thinks they did "pretty well" in handling the situation.

"I think if we didn't have fast turnaround communication between the parishioners and the parish, then people could have been affected by this," he said.

At a time when Catholic organizations are using digital technology more than ever, it is important that parish leaders, volunteers, and members know how to recognize phishing scams. Hackers use these fraudulent emails, purporting to be from a reputable person or company, to trick recipients into sending them money, revealing personal information, or granting access to their computer files, website accounts, or bank accounts.

All kinds of businesses -- for-profit and nonprofit alike -- can be targeted by hackers. Parishes are no exception, which is why the archdiocese's information technology group and Office of Risk Management help to prevent or resolve such situations. In addition to supporting the ministries at the Pastoral Center, the IT group also provides technology guidance to parishes, schools, and agencies throughout the archdiocese.

Deacon Peter Bujwid, the chief information officer of the IT group, spoke with The Pilot in November about the danger posed by phishing scams and how to protect against them.

"To recover from identity theft is a long, drawn-out, and heartbreaking process. So the extra caution that you take is really worth it," Deacon Bujwid said.

A basic phishing attack usually targets many people at once. It often begins with a precursor email, which may contain a vague message asking for an unnamed favor. If the recipient responds, the next email will ask for information or a financial transaction, often claiming that the matter is urgent and requires quick action.

More extreme examples will ask the receiver to pay a vendor or initiate a bank transfer, claiming that banking details have changed or a payment is overdue. This can result in a bank account being compromised.

A more focused kind of scam, called "spear phishing," targets a particular person with messages tailored to them and often designed to look like they come from someone the receiver knows. This sometimes happens to parishes that share staff members' email addresses publicly -- for instance, in the parish bulletin, website, or staff directory. "Whale phishing" specifically targets senior members of organizations, sometimes mentioning people they know or projects they are involved with.

The coronavirus pandemic may have increased opportunities for hackers as more organizations shifted activities online and more people began to work remotely.

Joe McEnness, director of the archdiocese's Office of Risk Management, said it is "hard to tell what portion of the increase is related directly to COVID and the new work environments." However, it is logical to assume that as more transactions are conducted over a distance, "the more likely (it is) you're going to have incidents like that, especially when you're talking about interim company communications."

Fortunately, steps can be taken to prevent cyberattacks and identify and report phishing emails.

One telltale sign is that phishing emails will often express urgency, claiming a quick turnaround time is required for a transaction.

McEnness said part of the problem is that electronic communication itself implies a desire for an immediate response. So people may not stop to more closely examine or question an unusual email.

"They become more accustomed to the transactions being handled in that fashion. So they almost become trained to respond quickly, and that increases the potential for them missing a red flag," McEnness said.

As a result, he said, "It's difficult to train them to stop and not execute so quickly."

When stopping to look closely, email addresses can also offer clues. Sometimes phishing messages come from accounts that appear, at first glance, to have an email address for an official organization, but the address may have different characters or an atypical domain name.

Osvaldo recommended that every parish have its own domain name, which will give their email account more credibility than a generic domain like Google or AOL.

"Domain names are not that expensive for what you get in return," he said.

He also suggested that a parish should keep their email account on one computer rather than multiple machines. It is also good, he said, to have another way to communicate with parishioners so they can be notified if an account is compromised.

Osvaldo said parishes should make it clear to parishioners how donations are to be facilitated, and not to trust any requests for donations that are not announced at Mass or in the bulletin. Any kind of financial transaction initiated by email should be confirmed by phone.

If a suspect email claiming to be a certain person or company provides a phone number or email to verify, the recipient should instead use whatever contact information they already have.

Deacon Bujwid warned that scam emails may include a link or attachment that would unleash malware or ransomware when opened. Some may say that the recipient has won a prize, or that a message is waiting for the recipient on a website, instructing them to log in.

"When they say you've won something, you really haven't. You're about to lose something," Deacon Bujwid said.

He said that instead of clicking on a link to an ostensible website, the recipient should go to the website and log in manually to confirm if the claims are true.

Deacon Bujwid also recommended that parishes backup their files regularly and test the backups. Parishes should also make sure their passwords are different and complex, and keep up with the latest security updates.

The recipient should notify the pastor or parish of any email claiming to come from them. They may have protocols in place for such a situation, and they can contact the archdiocese's IT group or Office of Risk Management if further assistance is needed.

"If it looks like the email actually did come from the pastor, but it did not come from the pastor, then we would absolutely want to know about that," Deacon Bujwid said.

If a parish calls them, the IT group will typically execute a plan of recommended steps, some as simple as changing passwords. If there has been a security breach, they will do preliminary forensics to determine the root cause. If the degree of compromise is high, they may call in the Office of Risk Management.

McEnness said that considering the size of the archdiocese and the number of parishes and staff, they have done "fairly well" minimizing the success of cyberattacks.

"A lot of that has to do with the education and the information we put out there. But one case can be a substantial financial hit. We'll always have the objective of trying to bring the successful phishing down to zero," he said.

Ultimately, he said, they have to rely on people's awareness and caution.

"We can implement protocols and we can train, but at the end of the day, we have to rely on a person executing a cautious approach when they open an email. That final step is always going to be the human judgment component," he said.

The archdiocese's Information Technology group can be contacted at The Office of Risk Management's cyber security checklist is available at