Well, I'm not an expert. I take the same training that the rest of the staff completes. But I do have some experience with emails that target staff in an effort to get sensitive information. And this has taught me a few lessons.
Here's the short version:
1. "When in doubt, check it out."
2. Look at the actual email address, not the display name
3. Slow down, especially on phones
4. Never email sensitive information like passwords
The first tip is something I tell all the staff regularly: "When in doubt, check it out."
Spear phishing is a common tactic of emailing or texting someone while posing as a friendly or familiar person in order to get information. The message usually attempts to mimic the email of someone in your organization, or in a role in which you might normally communicate. Though attackers may do some research to get names and even the hierarchy of an organization, they don't really know who they are mimicking.
The "doubt" in my brief mantra refers to an email or text that just feels odd to you. It could be a request from a friend or colleague that sounds unusual. Or the wording of the email is completely different from the way that individual usually writes. The message could also be addressing a topic that isn't one in which you might normally engage with that person. A request for money or gift cards should raise a red flag right away.
"Check it out" means go directly to the real individual and ask. The attacker has ways to make their email address look like it came from your boss, a friend, your HR director, or the IT support staff of a company with which you do business. When you are not sure if the request is legitimate, send a new email, NOT a reply, using the email address you normally use, to the actual person the suspicious message pretends to be. Or send a text. You could even call (yes, voice conversations still exist!) and ask the person about the message. That minute or so could prevent a major problem later.
Another tip is to look carefully at the actual email address, not the display name of the email. Take a look at the sample email that actually came to me in September. It comes from Kent Siladi, former Bridge Conference Minister, and someone who often emailed me with requests. But the email address says "firstname.lastname@example.org" which is clearly not right. The conference uses "sneucc.org" email addresses. Others we have received in the past use generic email addresses like office@ or HRdirector@ or ITSupport@. To help our staff, I often remind them that they will only receive emails regarding technology concerns from a few specific email addresses. Note, this is not fool-proof. We recently received a fake email in which the attacker had actually disguised the address with an "sneucc.org" address.
It is far easier to miss this phishing technique when reading email on a phone. Phone email applications usually don't display the entire email address – only the display name. Due to the smaller sized screen, it is much easier to miss the odd clue that normally warns of an attack.
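For whoever administers the mailbox, the same check can be automated. The Python sketch below is an added example, not something from the original article: it flags a familiar display name on an outside address, generic role senders from outside the domain, and an "sneucc.org" sender that lacks a passing DMARC result. The staff list, the sample messages, the `example.user` mailbox and the assumption that the receiving server stamps an `Authentication-Results` header are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "sneucc.org"                      # domain named in the article
KNOWN_STAFF = {"kent siladi"}                  # assumed list of names attackers imitate
GENERIC_LOCALS = {"office", "hrdirector", "itsupport"}  # generic senders the article lists

def check_sender(raw_message: str) -> list[str]:
    """Return warnings about the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    warnings = []
    if domain != ORG_DOMAIN:
        # A familiar name on an outside address is the classic display-name trick.
        if display.strip().lower() in KNOWN_STAFF:
            warnings.append(f"staff name '{display}' on outside address {addr}")
        if local.replace(".", "").replace("-", "") in GENERIC_LOCALS:
            warnings.append(f"generic role address outside {ORG_DOMAIN}: {addr}")
    else:
        # The visible address can be forged too, so ask for the server's verdict.
        auth = msg.get("Authentication-Results", "")
        if not re.search(r"\bdmarc=pass\b", auth, re.IGNORECASE):
            warnings.append(f"{addr} claims {ORG_DOMAIN} without dmarc=pass")
    return warnings

# Constructed sample messages (headers plus a one-line body).
SAMPLES = {
    "impersonation": "From: Kent Siladi <firstname.lastname@example.org>\n"
                     "Subject: Quick request\n\nAre you available?\n",
    "generic": "From: IT Support <ITSupport@mail-helpdesk.example>\n"
               "Subject: Password expiring\n\nClick to renew.\n",
    "forged_internal": "From: Kent Siladi <example.user@sneucc.org>\n"
                       "Authentication-Results: mx.example; dmarc=fail\n\nHi\n",
    "legitimate": "From: Kent Siladi <example.user@sneucc.org>\n"
                  "Authentication-Results: mx.example; dmarc=pass\n\nHi\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw) or "no warnings")
```

A message with no warnings is not proof that it is genuine; an unusual request still deserves a check with the real person.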
My final tip is to slow down. I feel like the pace of the world has changed in my 50 plus years. When I was young, I had to write thank you letters after birthdays and Christmas. I never liked it because it took forever. Now I can read and reply to an email in under 30 seconds.
And I can make a major error when I do that! Taking a few more seconds to read an email and look at the address can prevent hours and even weeks of trouble later. Make it standard practice to never click on a link or attachment until you have read the entire email. Something may jump out at you – a phrase, even a misused word – that could warn you that the message is a fraud.
And never, ever give account numbers, user names, or passwords in an email. Even when I have to distribute credentials through email for work, I send different parts of the information in multiple emails from different email accounts, or using a combination of email and text. The information is almost never in one message. And when possible, I call instead of using email.
Cyber crimes are rampant and growing more sophisticated each year. Often, they can cause financial problems, but some attacks attempt to flood systems with inappropriate messages. The Church is all about a message. Let's not put that message at risk.
Drew Page is the Media and Data Manager for the Southern New England Conference, and a member of the Conference's Communications Team. He writes and edits news, blogs, and devotionals, produces video, and spends a week each summer as a Dean at Silver...