
Phishing Scams
PHISHING AND WHALING
EMAIL AND TEXT ATTACKS
What they are and what to do
Christ Church seems to be under almost constant attack from fraudulent emails and text messages purporting to be from our rector or our bishop. Most of you have received a request for “handling a need discreetly,” with a further request to respond ONLY to the email or to purchase gift cards. Watch out - these are a form of email “phishing” known as “whaling.”
Whereas “phishing” involves sending a fraudulent email to a large group of people in the hope that a few will respond, “whaling” involves forging communications that look like they’re from the “big phish” in an organization, i.e. the “whale.” For us, this usually means our rector or our bishop.
A quick Google search of the terms “phishing” and “whaling” will bring up a boatload of articles and links. I have attached links to several very thorough sources of information, but will provide a summary below. Nina Nicholson’s blog post at the Episcopal Diocese of Newark neatly explains the use of this scam in a church setting. The National Centre for Cyber Security in Great Britain gives an excellent explanation of whaling. And of course, the Federal Trade Commission has an excellent article on how to detect phishing and how to report.
While there are multiple different types of phishing, Christ Church seems to be hardest hit by two forms in particular - whaling and spear phishing.
Whaling
When bad actors target a “big fish” like a business executive or celebrity, it’s called whaling. These scammers often conduct considerable research into their targets to find an opportune moment to steal login credentials or other sensitive information. If you have a lot to lose, whaling attackers have a lot to gain.
Spear phishing
Where most phishing attacks cast a wide net, spear phishing targets specific individuals by exploiting information gathered through research into their jobs and social lives. These attacks are highly customized, making them particularly effective at bypassing basic cybersecurity.
Phishing tactics work because they rely on a multi-pronged approach to their victims. The scammers are quite clever at creating emails that appear legitimate. They create a perception of need - asking for your help because the sender is supposedly too busy to handle it. They create a false sense of trust by impersonating trusted individuals like the rector and the bishop. And they rely on emotional manipulation. Frequently the attacks at CEC will say something like “I know I can rely on you to act discreetly.”
Remember, the church is an old-fashioned institution. Our rector likes to PHONE people to ask for their input or help. Always err on the side of caution by calling the church (21-0736-3132) to verify ANY request.
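The warning signs listed above (a sender who claims to be the rector or bishop but writes from an outside mailbox, a reply address that differs from the visible sender, and language about discretion, urgency and gift cards) can be checked mechanically before anyone acts on a message. The following is an added example, not code from the original article or from the parish; the church domain, the phrase list and both sample messages are constructed for illustration, and the script only flags a message for the phone verification the article recommends.

```python
"""Heuristic screen for the 'whaling' emails the article describes.

Added example, not part of the original newsletter. CHURCH_DOMAIN, the
phrase list and the two sample messages below are constructed values.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the parish's genuine mail domain (placeholder, not the real one).
CHURCH_DOMAIN = "example-parish.org"

# Roles the scammers impersonate, per the article (rector, bishop).
IMPERSONATED_ROLES = ("rector", "bishop")

# Pressure, secrecy and payment language quoted or implied in the article.
PRESSURE_PHRASES = (
    "handling a need discreetly",
    "act discreetly",
    "rely on you",
    "respond only",
    "reply only",
    "too busy",
    "in a meeting",
    "gift card",
)


def body_text(msg: Message) -> str:
    """Return the plain-text body of a parsed message (multipart-aware)."""
    if msg.is_multipart():
        chunks = [p.get_payload(decode=True) or b""
                  for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(chunks).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_message(raw: str) -> dict:
    """Score one raw email; return the reasons found and a verdict."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    reasons = []

    # 1. Display name claims a trusted role but the address is not ours.
    claims_role = any(role in from_name.lower() for role in IMPERSONATED_ROLES)
    if claims_role and domain_of(from_addr) != CHURCH_DOMAIN:
        reasons.append("display_name_impersonation")

    # 2. Replies are diverted to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append("reply_to_mismatch")

    # 3. Urgency, secrecy and gift-card wording in subject or body.
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        reasons.append("pressure_phrases:" + ",".join(hits))

    # Two independent signals are enough to send the message to a phone check.
    return {"from": from_addr, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample: the pattern the article describes.
WHALING_SAMPLE = """\
From: "The Rector" <rector.parish@webmail-example.com>
To: parishioner@example-parish.org
Subject: Handling a need discreetly

I'm in a meeting and can't talk on the phone. I know I can rely on you
to act discreetly. Please purchase gift cards and reply only to this email.
"""

# Constructed sample: an ordinary message from the genuine church domain.
LEGIT_SAMPLE = """\
From: "The Rector" <rector@example-parish.org>
To: parishioner@example-parish.org
Subject: Vestry agenda

Attached is the agenda for Tuesday. Call the office if you have questions.
"""

if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, LEGIT_SAMPLE):
        print(screen_message(sample))
```

Run as a script it prints one verdict per sample: the whaling message is flagged on both the impersonated display name and the pressure wording, while the genuine message produces no reasons at all. Note what the heuristic does not do: a forged From line that uses the real church domain would pass check 1, which is exactly why the article's advice to phone the office stays the final word.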
What should you do if you are a victim of phishing?
1. Write down as many details of the attack as you can recall. Note any information you may have shared, such as usernames, account numbers, or passwords.
2. Immediately change the passwords on your affected accounts and anywhere else you might use the same password.
3. Confirm that you’re using multifactor (or two-step) authentication for every account you use.
4. Notify all relevant parties that your information has been compromised.
5. If you’ve lost money or been the victim of identity theft, report it to local law enforcement and to the Federal Trade Commission. Provide the details you captured in step 1.
Keep in mind that once you’ve sent your information to an attacker it is likely to be quickly disclosed to other bad actors. Expect new phishing emails, texts, and phone calls to come your way.
How To Report Phishing
If you got a phishing email, forward it to the Anti-Phishing Working Group at reportphishing@apwg.org.
If you got a phishing text message, forward it to SPAM (7726).
Report the phishing attempt to the FTC at ReportFraud.ftc.gov.