When Phishers of Men Go After Churches, Here’s How to Escape Their Nets

With more churches and Catholic organizations than ever before using digital technology, internet scammers are looking at them as easy prey. But simple best practices can provide enormous protection.

Experts offer tips to keep parishes and other Catholic entities safe online.

Father David Mullen got the message every pastor dreads to hear thanks to 21st-century technology: “I think someone hacked your account.”

An internet scammer had breached the Boston Archdiocese priest’s account back in August, looked at the content of his emails, and then proceeded to email people in his address book saying he needed to talk with the recipient “about something personal.”

Thankfully, the recipients noted something seemed off: For one thing, the pastor wouldn’t approach them via email that way, and he seemed to use “terminology that I wouldn’t typically use on an email.”

The pastor quickly got the word out to his parishioners through the parish’s communications platforms that his email had been hacked and to be wary of any emails appearing to come from him that look suspicious or request any kind of personal information. 

But the priest says it is not the first time that internet scammers have tried to use his identity to trick parishioners into a scam. One scammer used a fake email address where the name appeared as “Father David Mullen,” saying he was stranded in a Paris airport and needed cash — specifically, $400 worth of Google cards — to get back home.

“But I had one friend — God bless him — who thought this was true! He went to the CVS,” Father Mullen said. Thankfully, the CVS cashier was savvy enough to realize his friend was probably being scammed and said he should contact the priest first to confirm before doing anything else. 

“I texted him back and told him I couldn’t believe he thought it was true,” the priest said. 

“Nobody lost any money in the situation,” he said. “But it’s concerning.” 

With more Catholic churches, charities and organizations on the internet and communicating with their members digitally more than ever before — a process accelerated by the COVID-19 pandemic shutdown — internet scammers and extortionists are looking at them as potentially easy prey. 

Joe Garcia, senior evangelist at eCatholic, a web service serving more than 6,500 dioceses, parishes, schools and ministries in the U.S. and 20 other countries, told the Register that 99% of their clients have seen various scam or phishing attempts made against them within the past six months. 

Garcia said the phenomenon is not surprising. The COVID-19 pandemic forced churches to get onto the digital realm and make regular use of websites, email and other tools. But hackers and internet scammers also know that churches typically rely on older volunteers, many of whom would not be considered “tech savvy.”


What to Watch Out For

eCatholic hosted an Oct. 7 webinar for its clients to help them learn how to recognize different types of phishing emails and other digital spam.

Garcia said phishing is fairly common; one example is an email that appears to come from the pastor saying he is stuck and needs money sent to an account. Other messages use intimidation, such as a person pretending to be an FBI director, where the email address looks nearly exactly like a government address except for a doubled letter (for example, “@fbii.gov”) that the eyes can easily miss. Still others come from someone threatening to sue the website’s owner for copyright infringement of a photo unless the recipient clicks on a link and follows the instructions.

Although eCatholic has not seen it yet, some of these links can deliver ransomware, software that locks down a victim’s system until the victim pays the hacker a ransom. Garcia said churches should never pay the hacker; otherwise, the hacker will come back for more.

“They’re getting sophisticated, too,” he said. Garcia said he worked with one Catholic parish that had a website built. A hacker built a page that looked almost exactly like the parish’s — the URL looked the same except the hacker used a “.net” domain instead of the parish’s “.com” domain. The hacker got hold of the parish’s email addresses from the parish newsletter, which was on the web platform that was hacked. The hacker then emailed the whole parish asking them to give to a nonexistent building project, and the email sent them all to the fake “.net” page to donate their money. Unfortunately, many did.

“That money was all lost and gone,” Garcia said.

But it shows how everyone is vulnerable to this kind of fraud.

“If I wasn’t actively looking and on red alert, as a parishioner I might have clicked on it,” Garcia said.


Best Practices: Simple & Cost-Effective 

The good news is Catholic entities have inexpensive remedies and best practices to protect themselves. Garcia said purchasing and holding onto domain names similar to a parish’s website address is one way to prevent hackers from pulling off that kind of elaborate scheme. 
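
The lookalike tricks described above (the doubled letter in “@fbii.gov,” the “.net” copy of a “.com” site, and a familiar name shown on an unfamiliar address) can be checked mechanically before a message is trusted. The Python sketch below is an added example, not code from eCatholic or the Register; the parish domain, the freemail address, the staff list and the function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample values: domains the parish trusts and staff display names.
TRUSTED_DOMAINS = {"st-example-parish.com", "fbi.gov"}
STAFF_NAMES = {"father david mullen"}


def collapse_repeats(text):
    """Drop consecutive duplicate characters, so 'fbii' becomes 'fbi'."""
    out = []
    for ch in text:
        if not out or out[-1] != ch:
            out.append(ch)
    return "".join(out)


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def classify_sender(from_header):
    """Return 'trusted', 'lookalike:<reason>', 'display-name-spoof' or 'unknown'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # Assumption: domains have the simple form name.tld (no subdomains).
    label, _, tld = domain.partition(".")
    for good in TRUSTED_DOMAINS:
        good_label, _, good_tld = good.partition(".")
        if label == good_label and tld != good_tld:
            return "lookalike:tld-swap"
        if tld == good_tld and collapse_repeats(label) == collapse_repeats(good_label):
            return "lookalike:doubled-letter"
        if tld == good_tld and within_one_edit(label, good_label):
            return "lookalike:one-character-typo"
    # A known staff name on an address outside the trusted domains.
    if name.strip().lower() in STAFF_NAMES:
        return "display-name-spoof"
    return "unknown"
```

Any result other than “trusted” is a cue to confirm the request through a separate channel, as the CVS cashier advised Father Mullen’s friend to do.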

Garcia also said churches can take steps to remedy “bad security practices” that make them vulnerable. 

“Hackers or people doing this are going to take the path of least resistance,” he said.

Making sure that the parish doesn’t have one password for everybody is key, because otherwise a hacker will end up having full access to everything. Garcia said digital password protectors, such as 1Password or LastPass, can create complex password combinations for each and every site, but the user needs to have only one master password that they write down, memorize and store in a safe or secure location.

“It’s a really secure way to manage all that, and it’s cheap,” he said. 

But Garcia said another mistake churches make is not paying enough attention to the vulnerabilities of the physical plant. Garcia said churches should make sure their local area network, including the physical routers, is separate from the public network that is accessible to parishioners (or anyone else).

Staff-written passwords on desks, or sign-up forms with names and contact information left out in the open, are vulnerable to someone taking a screenshot and using that information to hack or pull off a scam. 

“That’s really all you need to target the people in an organization,” Garcia said. 


Take This Seriously

Matthew Warner, founder of Flocknote, an email, text and database platform service for churches, told the Register that churches need to take phishing attempts and scams seriously for three key reasons.

“First, of course, is that they will be better prepared to protect their flock from being victims of these scams,” he said. “Second, by understanding how they work — when they inevitably occur — church leadership will know when there is genuine cause for concern vs. something they should just ignore.”

Warner said this understanding helps prevent church leaders from overreacting, “which causes more alarm and anxiety for their members than is necessary.” Warner dedicated an episode of Flocknote’s Finding Uno podcast to helping churches recognize phishing and other scams. 

“Understanding what is really happening will help them take the right steps to effectively address the issue without doing additional harm in the process, like unnecessarily restricting communication tools, freaking people out, etc.,” he said. 

Third, Warner said, “demonstrating competent handling of the situation is an opportunity for church leaders to build trust with their community.” 

“Whereas if they overreact, misunderstand, or mishandle the situation,” he added, “they risk further degrading that trust and making communication and gathering of personal information more difficult for them in the future.”

Maintaining Vigilance

Catholic organizations communicating more than ever via email and other digital tools are taking proactive measures to raise awareness and keep their members vigilant about phishing and other internet scams.

The Knights of Peter Claver and Ladies Auxiliary, a family-based Catholic organization open to all that was founded by Black Catholics in the early 20th century, has been telling its members in their communications to be on the lookout for phishing and other email scams. 

“Email and internet security have always been high priorities for the Knights of Peter Claver and Ladies Auxiliary,” Percy Marchand, associate director of the Knights of Peter Claver, told the Register. 

Because Claver members’ tech savviness spans “all ranges of ability,” Marchand said the Catholic organization strives “to strike a balance” in being “technologically progressive” while also accommodating those members who have challenges with technology.

“The pandemic, along with considerable lapses in USPS service, has forced us to be even more reliant on virtual operations,” he said. “That requires us to be that much more aware of our need to execute best practices and advocate the same to our members regarding email and internet safety.”

The Knights seek to fortify members, especially those in more vulnerable demographics, through their communications and internet safety trainings. 

Marchand said, “We do our best to make sure they are aware of vulnerabilities, what to look for, how to avoid them, and what to do if they do become victims of such scams.”