Phishing is a process of attempting to acquire information by pretending to be a trustworthy, and possibly familiar, entity. An online attacker sends an email disguised as something that a user might normally see. It might look like a colleague seeking help, or a system email that looks convincing. The attacker includes a link that the user clicks, or some other request, to trick the user into letting their guard down and providing passwords, usernames, or other valuable information.
According to KnowBe4, 91% of successful data breaches start with a phishing attack.
Many SNE staff have been previously trained, but the KnowBe4 program is regularly updated with new techniques. The SNE staff trains annually and is tested regularly by the program to see how well they recognize threats. Short refresher training sessions are offered to reinforce the safety concepts.
"Training staff to recognize when an email is a fake designed to cause harm is essential to the conference mission," says Drew Page, Media and Data Manager for the Conference. "A breach of our email system can cause financial harm, disruptions in productivity, or cause harm to our mission through unwanted messaging. Threats could potentially risk the online safety of our churches, clergy, and lay leaders as well. This training is a way for each of our staff to ensure the safety of those around us."
Cyber threats are a regular problem. Page says SNE staff regularly forward him emails that they have recognized as phishing attempts. Many of those emails ask for users' login information. Some even ask for gift cards to be purchased for events that were listed on the Conference website.
"Attackers do their homework," says Page. "They read the website and learn the names of staff leaders, the programs we run, even the events we are offering in the coming weeks, before sending an email designed to look as authentic as possible."
Churches should also consider how well their staff and volunteers can identify potential threats. Last year, the Conference published an article about churches receiving threats in text messages posing as church leaders. In some of those instances, churches even lost money to attackers who had tricked a victim into thinking the message was legitimate.
One phrase Page reminds the SNE staff to use frequently is "When in doubt, check it out." When staff get an email from a name or email address they don't recognize, or with a request that seems unusual, they are encouraged to send a new email or text, or make a phone call, to the real staff person to check if the request was legitimate. Often, this leads to them forwarding the failed attempt to Page, who keeps them as samples of cyber attackers for further training.
Drew Page is the Media and Data Manager for the Southern New England Conference, and a member of the Conference's Communications Team. He writes and edits news, blogs, and devotionals, produces video, and spends a week each summer as a Dean at Silver...