A new, more elaborate version of the gift card scam is making the rounds, and it has already impacted one of our United Methodist churches. Rev. Debbie Sperry, pastor at First United Methodist Church of Wenatchee, reached out to me, sharing what they experienced in the hope that others could learn from it.
“Our church office received an email that looked legitimate at the church office saying, ‘Hi, I have a new email address. Would you please update the record? And could you please send me a copy of the directory?’”
Sperry explained that the email address was assumed to be legitimate because it contained a known person’s first and last name before the @hotmail.com domain. Additionally, the sender made a request that wouldn’t be unusual for a church office to receive.
Sperry continued sharing what happened next.
“On the surface, everything looked legitimate, so an office person sent a copy of the directory and updated our database. She sent a note to all office personnel that the record was updated with the new email. I was suspicious and texted the member asking if she had a new email, and she said no. But the directory had already been sent. We modified our records/database to correct the address of the member who had been impersonated.”
Understanding that the member had been impersonated, the church turned toward trying to understand how and why this person’s name was used. In looking at their website, they noticed that the member’s name was hyperlinked with her email because she runs point for one of our outreach ministries.
“Then, the next level of the scam began with individual solicitations by email for help with a “discreet favor.” That fraudulent email had firstnamelastname.churchemail@gmail.com (so it looked legitimate at a glance with both my name and the church name like my legitimate email has). The emails had a signature tag with my name, “pastor” or “senior pastor,” and the church name.
If people replied, they were asked for gift cards (4 $500 Visa cards) and to send the info electronically.”
Thankfully, Sperry shared that “many of our people have seen our warnings before and know to initiate new contact with me based on the contact information they have on record.”
As mentioned above, gift card scams have been around for a while. They typically utilize publicly available information to capitalize on perceived relationships between individuals for whom they have contact information.
Over the past decade, I have received emails purporting to be from the bishop (at the time) and other leaders seeking to initiate similar scams. Most of these have come from easy-to-create fake accounts on Gmail, Hotmail, or Outlook, utilizing the bishop’s name in some fashion before the @ sign. More rarely, these messages have been spoofed, where a talented spammer has made it appear like the message was sent from a legitimate account.
What to do to protect your church and its members
The best first line of defense is protecting the data you share. Only publish lists of members and their contact information with safeguards to protect the information. Some churches have published entire directories on the web without protection. This is no longer a responsible thing to do.
Additionally, churches may wish to limit the contact information of their staff and key leaders they might typically publish on the website. There are tradeoffs involved in doing so, but it is worth considering. While some tools and practices have been available to prevent bots from reading email addresses, human eyes can get around those if they are on your website. Some churches have removed all email addresses from their website, replacing them with a contact form.
If you have some safeguards, as Wenatchee First UMC did, you should reexamine them and consider a two-factor-type solution. If someone requests privileged information like a directory or wants to update their contact information, confirm that change or request through a trusted point of contact. A phone call or text is better than an email address as they are harder to compromise.
Finally, but not least, take time to educate your members. Use stories like this one, or maybe one you’ve personally experienced, to emphasize the reality of the risk and reduce the shame that is sometimes associated with being a victim of one of these scams. We can all work on being more vigilant, but we should never forget that the scammers are the people at fault.
As part of that education, set clear parameters for the communication practices of church staff and leaders. Be explicit about how you will ask for donations of any sort, particularly those like gift cards that are so easy to exploit. Consider moving all of your church-related communications to a branded email (e.g., pastor@firsttownumc.org) to mitigate the opportunities for fraud further.
Finally, empower your members to practice some form of verification before responding to an email, text, or social media request from an unfamiliar source. The first email they receive often does not contain a request, so they may have to look for other signs. We collected some things to look for in a previous post on this topic. Let your people know that you would prefer they err on the side of caution.
Our congregations are filled with wonderful, generous people. Unfortunately, this also makes that a target for fraudsters seeking to exploit that generosity. The unfortunate reality is that fraud is essentially an industry generating billions of dollars yearly, and the schemes get more elaborate as our defenses go up. Avoiding fraudulent emails altogether is nigh impossible, but educating members to practice a healthy amount of skepticism before they open their wallets is a true gift that we can give.
[…] Beware of new gift-card scam (from UM News Digest) […]
[…] Beware of new gift-card scam (from UM News Digest) […]