Suppose you are a church member: what if “God” asks you for donations? Recently, phishers have come up with a new phishing technique and sent out a new round of phishing emails. In these scams, they pretend to be pastors and ask parishioners to contribute to the church by buying gift cards.

Zoom in on the phishing scheme

On the website of Govtech, Daniel Lohrmann, a renowned cybersecurity leader and technologist, shared the email exchange between him and a (false) pastor:

In this case, the scammer acted as the pastor of the church and asked Dan for emergency donations to help “the widow” in need. Specifically, the bad actor instructed Dan to purchase an iTunes gift card.
Additionally, in other versions of the fraud scheme, the cybercriminals required the victims to buy several gift cards, take photos of them, and send those photos to the sender's email address.

Pay attention to the impact

Whatever its specific form, the scam will certainly harm both the victims and the church. People who fall into the trap suffer financial loss once they provide the numeric codes on the gift cards to the scammers. Although the sums of money involved may be relatively small compared to the billion-dollar losses in some BEC (business email compromise) cases, the potential damage to faith-based institutions is huge. After all, those religious organizations depend on the trustworthiness of their leadership to win people’s respect. How will people react when they find out they have been tricked into giving?

Focus on the tricks

Despite the harm they cause, these phishing scams seem rather credible. To begin with, they all used a respectable senior pastor as the “bait” to trick email recipients. In addition, the real-time responses from the phishers (“almost like texting back and forth”) made the donation requests more convincing. Finally, there were no suspicious links or bogus sites, which sets them apart from the other phishing emails we have mentioned before.

Take actions against the false pastors

Since the scammer disguised his or her identity so well, how did Dan see through the fraud? According to Dan, the major clue was the wrong email address from the sender. For example, the real email address of the pastor: became a false one:
It seems easy to unmask a malicious actor. “Just examine the email address,” you may think. However, a spoofed sender address is actually easy to miss for the untrained eye, especially if it is designed to closely resemble the real one.
Fortunately, if you have installed Mr. Post, you will know the Real Sender and the Profile of the sender with only one click. Now you can see whether you have received the email from the real “God”.

Moreover, Mr. Post can tell you whether an email is trusted by checking its IP address through SPF (Sender Policy Framework). Available now on Microsoft AppSource.
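
The sender-address check described above can also be automated. The following is an added example, not part of the original post and not Mr. Post's code: it compares the From header of an incoming email against a directory of known senders and flags a trusted display name paired with the wrong address. The directory, the sample headers and the 0.85 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory (assumption): display name -> address the person really uses.
KNOWN_SENDERS = {"john smith": "john.smith@gracechurch.example"}
TITLES = re.compile(r"^(pastor|reverend|rev\.?|father|fr\.?|dr\.?)\s+")
LOOKALIKE_THRESHOLD = 0.85  # assumed cut-off for "closely resembles"


def normalize_name(display_name):
    """Lower-case, collapse whitespace and drop a leading title."""
    return TITLES.sub("", " ".join(display_name.split()).lower())


def closest_ratio(address, known):
    """Similarity (0..1) between the address and the most similar known address."""
    return max((SequenceMatcher(None, address, real).ratio()
                for real in known.values()), default=0.0)


def check_sender(from_header, known=KNOWN_SENDERS):
    """Classify a From header: match, lookalike, impersonation or unknown."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    expected = known.get(normalize_name(display_name))
    if address == expected or (expected is None and address in known.values()):
        return "match"
    if closest_ratio(address, known) >= LOOKALIKE_THRESHOLD:
        return "lookalike"        # address imitates a known one
    if expected is not None:
        return "impersonation"    # trusted name, unrelated address
    return "unknown"              # neither name nor address is in the directory


# Constructed sample headers, not taken from the original email exchange.
SAMPLES = [
    "Pastor John Smith <john.smith@gracechurch.example>",
    "Pastor John Smith <john.smith@gracechurrch.example>",
    '"Pastor John Smith" <pastorjohn1975@freemail.example>',
    "Jane Doe <jane@othermail.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):13} {header}")
```

A "match" only means the header shows the expected address; whether the sending server was authorized for that domain is a separate check, such as the SPF lookup mentioned above.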