What do the Most Reverend Stephen Cottrell, Archbishop of York, and our Chaplain Dan have in common? The answer: both their names have recently been used in an attempt by criminals to persuade members of their congregations to send them Amazon vouchers.
A report published in the Church Times today ( https://www.churchtimes.co.uk/articles/2020/28-august/news/uk/archbishop-of-york-impostor-emails-high-value-gift-requests ) says that many members of the congregation around York received e-mails apparently from the Archbishop, asking them to buy high-value Amazon vouchers and then send a digital photo of the card’s codes to a realistic-looking e-mail address.
A spokesman for York diocese, Martin Sheppard, said that the sender had “taken some trouble” to identify the person they were impersonating and their intended victim, possibly by searching church websites for contact details. “Churches are communities of trust. The scammer will impersonate the vicar and contact the treasurer, the secretary, even the caretaker — and there’s a good chance that someone will fall for it,” he said.
“We’re asking people to look twice at the address the email is sent from; it’s often something generic like ‘firstname.lastname@example.org’. We can’t block all Gmail addresses, and many of these are throwaway accounts. Many people simply don’t look at the address, only the sender’s name, and it’s quite easy to hoodwink them. This isn’t an IT scam; it’s an old-fashioned confidence trick, done via email.”
Many other clergy have also had their names appropriated for this latest scam.
In our Chaplaincy, only one scam e-mail apparently sent by our Chaplain, Dan, appears to have been received - by one of our general contact e-mail addresses. The account owner quickly spotted the scam and alerted me. I took the immediate precautions of blocking the sending e-mail address from all Chaplaincy e-mail accounts, as well as sending an alert to everyone on our mailing lists in case the fraudsters had also acquired members of our congregation’s personal e-mail addresses.
What we did know was that there was no possibility of anyone having hacked into the Chaplaincy’s own e-mail listing system. Why? Because the Chaplaincy has two separate e-mail systems, both heavily protected, not only by passwords but also by a secondary security system which requires access to come from recognised users. If a new user attempts to access the systems, a separate authentication is required from an existing administrator.
In addition, as an extra precaution within our systems there are ‘trap’ e-mail addresses in our mailing lists which are set to never be sent e-mails by the Chaplaincy’s systems. Any attempt to ‘harvest’ the addresses from the system would not reveal which addresses are traps, and would lead to an e-mail being sent to a ‘trap’, in which case the administrators would be immediately alerted to a hacking attempt and would then shut down the entire e-mail system. On this occasion, none of our security protocols were breached, and so we are 100% confident that in no way were our mail systems involved in or breached by the scam. With some hesitation because of the possible inconvenience, we are now filtering out all e-mails which arrive in the Chaplaincy system containing the word “Amazon” for individual checking before delivery. Please bear this in mind if you send an e-mail to someone with an @churchinmidipa.org e-mail address.
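As an added illustration (not code from the Chaplaincy’s systems or from the Church Times report), here is a small Python triage routine implementing the three checks described above: a display name belonging to one of our people but sent from an outside address, a ‘trap’ address appearing among the recipients, and the “Amazon” keyword hold. The name list, trap address and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed configuration: placeholder values, not the Chaplaincy's real data.
OUR_DOMAIN = "churchinmidipa.org"             # domain mentioned in the article
KNOWN_SENDERS = {"dan", "stephen cottrell"}   # people likely to be impersonated (assumed)
TRAP_ADDRESSES = {"trap-0001@" + OUR_DOMAIN}  # canary addresses that must never receive mail
GIFT_CARD_WORDS = re.compile(r"\b(amazon|gift ?cards?|vouchers?)\b", re.IGNORECASE)

# Constructed sample messages: one scam attempt and one legitimate note.
SCAM_SAMPLE = (
    "From: Dan <dan.chaplain@example.com>\n"
    "To: office@churchinmidipa.org, trap-0001@churchinmidipa.org\n"
    "Subject: Quick favour\n\n"
    "Could you pick up some Amazon vouchers for me today?\n"
)
LEGIT_SAMPLE = (
    "From: Dan <dan@churchinmidipa.org>\n"
    "To: office@churchinmidipa.org\n"
    "Subject: Sunday service\n\n"
    "See you at 10am.\n"
)


def triage(raw: str) -> list:
    """Return the reasons a message should be held for manual checking (empty if none)."""
    msg = message_from_string(raw)
    reasons = []

    # Check 1: a familiar display name paired with an address outside our domain.
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if name.strip().lower() in KNOWN_SENDERS and domain != OUR_DOMAIN:
        reasons.append(f"display name '{name}' but external address {addr}")

    # Check 2: a trap address among the recipients means the list was harvested.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {a.lower() for _, a in getaddresses(headers)}
    if recipients & TRAP_ADDRESSES:
        reasons.append("trap address present in recipient list")

    # Check 3: the keyword hold described in the article (subject and body).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if GIFT_CARD_WORDS.search(msg.get("Subject", "") + " " + body):
        reasons.append("gift-card keywords present")

    return reasons
```

A real deployment would run this at the mail gateway and route anything with a non-empty result to the administrators instead of the addressee.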
There are continuous dangers, however, and everyone should stay alert. One of the largest ones is that we can ourselves become unwitting accomplices in these scams, and can cause our friends to be placed at risk.
When we send personal e-mails to a large group of friends or contacts – possibly announcing something or sending Christmas or Easter greetings – everyone is able to see the e-mail address of everyone else it has been sent to. Those addresses are stored in each person’s e-mail box, and become vulnerable to being ‘stolen’ if any person on the list happens to get their computer infected by a virus. Many viruses (I am using the word ‘virus’ to generically describe a wide range of malevolent programs which are dedicated to spying on or harming your computer in some way) have the sole purpose of stealing e-mail addresses from your mail system in order to pass them back to scammers to use to impersonate you and/or send you scam e-mails.
If you send an e-mail to many people at once and place their e-mail addresses in the BCC: list (blind copies), then no one sees the e-mail details of anyone else to whom the e-mail has been sent, so a visiting virus would not be able to harvest all those e-mail addresses from one of the recipients.
In another Amazon voucher e-mail scam which affected members of this Chaplaincy’s congregation a little while ago, we are again 100% confident that the Chaplaincy’s secure e-mail systems were in no way compromised, because the e-mail addresses of people who reported receiving the e-mails did not correspond to any of our Chaplaincy’s e-mail lists (and did not include the ‘trap’ e-mails). They did look very similar, however, to typical e-mail distribution lists used by private individuals who had not used the BCC: facility. I emphasise that this does not mean that the original sender’s e-mail system was responsible for scam messages being sent, but rather that the e-mail account of someone to whom the message was addressed had been infected.
So what can I do to protect myself?
1. Never send e-mails where you make all the addressees’ details visible by putting them in the To: or CC: address lists. Always put lists of addresses in the BCC: list.
2. Search back through your e-mail box. If you regularly receive e-mails from anyone who includes a lot of people’s e-mail addresses in their To: or CC: lists, contact them and ask them to move your address to the BCC: list.
3. And finally, if you receive an e-mail from the Archbishop of York (or from Dan) asking you to send him an Amazon voucher, ask yourself how likely it is that the request is genuine and take a moment to contact him (not by replying to the e-mail you have received which probably came from a scammer) but by phone, text or another method and check that it is genuine before parting with any money.