Phishing emails target church workers in the Diocese of Honolulu
By Anna Weaver
Hawaii Catholic Herald
Father Marvin Samiano was worrying about the threat of incoming Hurricane Lane and was at a medical appointment at Queen’s Medical Center on Aug. 23 when he checked his work email. One message in particular caught his eye. It was from “Rev. Larry Silva.”
When you receive an email that seems to be from your boss, the bishop of the Diocese of Honolulu, you take notice. It read:
“Good to hear from you, its my niece birthday and I need to get her an iTunes gift card that I promised her as a birthday gift but I can’t do this right now because I’m currently busy checking on a friend at the hospital. Can you get it from any store around you? I’ll pay you back.”
“All I see is the bishop’s name so I’m like, ‘Absolutely, Bishop, let me know how I can help you,’” said Father Samiano, who is the parochial vicar at the Cathedral Basilica of Our Lady of Peace in downtown Honolulu.
He replied to the sender, finding legitimacy in it having been sent to his official rcchawaii.org email address and addressed to “Father Marvin Samiano.” The emailer asked for $700 in iTunes gift cards, which Father Samiano went and got at a nearby store. The “bishop” then said he couldn’t pick the cards up so could Father Samiano scratch off the activation codes, then email them and the gift card numbers to him to pass on to his “niece.” Father Samiano did so.
It wasn’t until he sent an email directly to Bishop Silva’s official email address asking if he’d gotten the activation codes — and the bishop replied “What codes?” — that he knew he’d been scammed.
Not the only one
Father Samiano later found out other staffers at the Cathedral Basilica of Our Lady of Peace had received similar emails. The scammer later tried to email the priest, phishing (the fraudulent practice of sending emails claiming to be from a reputable source to get people to give personal information, such as credit card numbers) for more money.
“The hard part is my faith in humanity just plummeted after that,” Father Samiano said. “It took a while for me to realize not all people are bad. It was just a very expensive lesson for me to learn.”
Most spam emails get caught up in the Diocese of Honolulu’s spam filters, said the diocese’s information technology manager Francis Kung, but spoofers are getting more elaborate and knowledgeable in how to avoid getting caught by spam blocker keywords and algorithms. The subject line for Father Samiano’s phishing email was “Re: God Bless…” for example.
Another cathedral staffer recently received an email addressed to him personally that supposedly came from Bishop Silva and read, “I will be going in for a meeting right now and i need you to handle a financial obligation for me today .Can you let me know what details you need to process a wire transfer payment today.I will be expecting your emai[sic].”
The staffer saw that the email had been copied and pasted from other phishing attempts, since it came from a fake email address containing the name of a bishop from another diocese and was signed off by yet another diocesan bishop.
But scam emails can be convincing, especially when someone is rapidly flipping through emails or has a quick trigger finger when clicking on links.
Kung thinks people are better at spotting and hanging up on robot calls, the kind that tell you your extended car warranty has expired or the IRS is collecting on back taxes.
“Those are pretty easy to spot,” said Kung. “But the email ones, I think quite a few people fell for it, people pretending to be priests.”
He doesn’t have data on the number of incidents in the Diocese of Honolulu in recent years but believes phishing emails like the one Father Samiano received are fairly common. Scam emails tend to spike during tax season, a.k.a. “phishing season.” They might ask for employee lists or request tax information.
“I think the majority of the phishing type of email, I’d say 99 percent, are financially driven,” Kung added.
There are 1,500 or so mailboxes under the diocese’s email server, Kung said, and Barracuda, its spam blocker, blocks 30,000 of the approximately 80,000 emails received each month.
Kung has heard from three or four people in the past couple of years saying they were victims of church-targeted phishing emails. But he thinks some people may be too embarrassed to report incidents to the diocesan IT department.
Father Samiano hopes others can learn from his experience.
“Don’t go through the same thing I did,” he said. “It was a very expensive lesson. But evidently for me it was a very needed lesson.”
Signs that an email is a scam
Diocesan IT manager Francis Kung said that these are tell-tale signs a church-related email you receive is likely a scam:
- Bad spelling, grammatical errors, stilted language.
- Unusual church terminology usage. Example: Using “Rev.” rather than “Father.”
- An email address that seems fishy, coming from a personal rather than official account.
- Any email asking you to give personal information and requesting money or log-in information.
Test out your phishing IQ
Take this online test that Kung recommends: https://www.sonicwall.com/en-us/phishing-iq-test
Got a suspicious email?
Kung said that if you receive a phishing email targeting you via your diocesan and parish connections:
- Don’t reply back to the sender. Doing so alerts the sender to the fact that this is a live email account.
- Instead, call the alleged sender directly on their official phone line and ask if they sent the email.
- Don’t click on any links in the email. Instead, hover over a link to see the full web address and whether it might be coming from a suspicious site that could install malware on your computer or try to get your sensitive information like log-ins, personal data or financial details.
- If you’d like to alert the diocese to the fact that an email pretending to be someone related to the church is circulating, you can forward it to ithelpdesk@rcchawaii.org.
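The two lists above (the tell-tale signs and the "hover over the link" advice) can be turned into a simple automated check that an IT helpdesk could run over a forwarded message before answering. The following script is an added example written for this article; it is not the diocese's tooling and not software the article describes. It assumes an official domain of rcchawaii.org and a short list of names that scammers impersonate, and all addresses, headers and the third sample message are constructed. The first sample reuses the gift-card lure text quoted in the article so the scoring can be compared with what Father Samiano received.

```python
"""Score an email for the scam tells listed above (added example, not the diocese's tooling)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed directory for this example: the official domain and the bare names
# that scammers impersonate. Not diocesan data; adjust for your own organisation.
OFFICIAL_DOMAIN = "rcchawaii.org"
IMPERSONATED_NAMES = {"larry silva"}
HONORIFICS = {"most", "rev.", "rev", "bishop", "father", "fr.", "fr"}

# Lure vocabulary taken from the emails quoted in the article, plus credential asks.
REQUEST_PATTERNS = [r"\bgift ?cards?\b", r"\bitunes\b", r"\bwire transfer\b",
                    r"\bactivation codes?\b", r"\bfinancial obligation\b",
                    r"\blog-?in\b", r"\bpassword\b"]
URGENCY_PATTERNS = [r"\bright now\b", r"\btoday\b", r"\bbusy\b", r"\burgent(ly)?\b"]
SCAM_THRESHOLD = 3  # assumed cut-off; tune on your own mail


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what 'hover over the link' reveals."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    m = re.match(r"^(?:https?://)?([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _bare_name(display):
    """'Rev. Larry Silva' and 'Bishop Larry Silva' both become 'larry silva'."""
    return " ".join(t for t in display.lower().split() if t not in HONORIFICS)


def _body_parts(msg):
    """Return (plain text, html) joined across MIME parts; containers yield no payload."""
    text, html = [], []
    for part in msg.walk():
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        decoded = payload.decode(part.get_content_charset() or "utf-8", "replace")
        (html if part.get_content_type() == "text/html" else text).append(decoded)
    return "\n".join(text), "\n".join(html)


def analyze(raw):
    """Return a score, the findings behind it, and a likely-scam verdict for one raw message."""
    msg = message_from_string(raw)
    findings, score = [], 0

    def flag(points, note):
        nonlocal score
        score += points
        findings.append(note)

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if _bare_name(name) in IMPERSONATED_NAMES and domain != OFFICIAL_DOMAIN:
        flag(3, f"'{name}' writing from {domain}, not {OFFICIAL_DOMAIN}")  # personal, not official, account
    elif domain != OFFICIAL_DOMAIN:
        flag(1, f"sender {addr} is outside {OFFICIAL_DOMAIN}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flag(2, f"Reply-To {reply_to} differs from From {addr}")
    if re.match(r"rev\.?(\s|$)", name, re.I):
        flag(1, "sender styled 'Rev.' rather than 'Father' or 'Bishop'")

    text, html = _body_parts(msg)
    searchable = text + " " + re.sub(r"<[^>]+>", " ", html)
    asks = [p for p in REQUEST_PATTERNS if re.search(p, searchable, re.I)]
    if asks:
        flag(min(2 * len(asks), 4), f"asks for money or credentials: {len(asks)} lure phrase(s)")
    if any(re.search(p, searchable, re.I) for p in URGENCY_PATTERNS):
        flag(1, "pressure to act immediately")
    if html:
        collector = _LinkCollector()
        collector.feed(html)
        for href, shown in collector.links:
            looks_like_url = re.match(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", shown, re.I)
            if looks_like_url and _host(href) != _host(shown):
                flag(3, f"link shows {_host(shown)} but points to {_host(href)}")
    return {"score": score, "findings": findings, "likely_scam": score >= SCAM_THRESHOLD}


def _raw(headers, body):
    """Build an RFC 5322 message string from constructed headers and a body."""
    return "\n".join(f"{k}: {v}" for k, v in headers) + "\n\n" + body


# Constructed samples: the first reuses the lure text quoted in the article; every address is made up.
SAMPLE_GIFT_CARD = _raw(
    [("From", '"Rev. Larry Silva" <larrysilva.office@gmail.com>'),
     ("To", "parish-staff@rcchawaii.org"), ("Subject", "Re: God Bless...")],
    "Good to hear from you, its my niece birthday and I need to get her an iTunes gift card that I "
    "promised her as a birthday gift but I can't do this right now because I'm currently busy checking "
    "on a friend at the hospital. Can you get it from any store around you? I'll pay you back.")
SAMPLE_LEGIT = _raw(
    [("From", '"Larry Silva" <bishop@rcchawaii.org>'), ("To", "parish-staff@rcchawaii.org"),
     ("Subject", "Thursday agenda")],
    "Please send me the agenda for Thursday's meeting when you have a moment.")
SAMPLE_LINK = _raw(
    [("From", '"Diocese IT" <support@rcchawaii-mail.example.net>'), ("To", "parish-staff@rcchawaii.org"),
     ("Subject", "Mailbox quota"), ("Content-Type", "text/html; charset=utf-8")],
    '<p>Your mailbox is almost full. Verify your log-in today: '
    '<a href="http://rcchawaii-verify.example.net/owa">https://mail.rcchawaii.org/owa</a></p>')

if __name__ == "__main__":
    for label, raw in [("gift card lure", SAMPLE_GIFT_CARD), ("legitimate", SAMPLE_LEGIT),
                       ("credential link", SAMPLE_LINK)]:
        result = analyze(raw)
        print(f"{label}: score={result['score']} likely_scam={result['likely_scam']}")
        for note in result["findings"]:
            print("  -", note)
```

The weights are deliberately crude: a known name on a non-official address and a link whose visible text disagrees with its target each carry enough weight on their own to cross the threshold, because those are the two signs a reader cannot easily judge by eye, while grammar and "Rev." only nudge the score. Run on the three constructed messages, the gift-card lure scores 9, the mailbox-quota link lure 7, and the ordinary agenda request 0.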
Since this article went to press, several parishes have told us they have experienced similar scams. In particular, parish and school staff and volunteers are receiving emails pretending to be from the parish’s priests and requesting that iTunes gift card codes be sent to them. If you received this type of email, do not respond to it but call your parish office directly for verification. You can also report scam emails to the Federal Trade Commission.