The “Nigerian Prince” scam has become so prevalent that it’s the go-to joke whenever someone brings up phishing scams. But con artists are constantly innovating, and new opportunities to trick people out of their money are an unfortunate byproduct of technological advancement.
And because of your church’s income and innate desire to help people, you are a prime target. If you aren’t vigilant, you could be vulnerable—not just to fake foreign princes, but to more devious imposters pretending to be people or organizations you know.
While the backstories and scams evolve, the underlying methods haven’t changed much. There are several things almost all phishing scams have in common. Surprisingly, you can combat many of these by simply following best practices for online security. Here are four dos and don’ts when something sounds fishy:
1. Check the email address
Confirming that an email address is legitimate can be tricky. Scammers will impersonate important individuals using an email address that looks real at first glance but is obviously fake on closer inspection. It might have subtle differences, like an n that should be an m, or it might use a different naming convention than your official church email addresses.
For example, you might use John.Doe@church, and the fake uses JohnD@churchh. The most dangerous scammers do their research and create frighteningly similar email addresses to the ones you actually use, and they learn the relationships well enough to know who to email and who to impersonate.
Just recently, someone tried to scam churches out of $20,000 by impersonating their pastors. The scammer hoped the recipient wouldn’t notice the altered domain or contact the pastor directly. One pastor remarked that such a request wasn’t uncommon—he traveled a lot, and it’s entirely possible that he would need the church to send him money on the road. The email scam included an instruction not to contact the pastor (because it would unravel the scheme), and the pastor said that even that sounded like something he might communicate.
If you ever see an email that makes a strange request or doesn’t look official, verify it’s legitimate before doing anything else. If it claims to be from someone you know, call them or speak to them about it in person. A 30-second conversation could save your church a lot of trouble.
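The address check from this section can also be automated. The sketch below is an added example, not part of the original article; the domain `church.example`, the first.last naming rule and the two-edit threshold are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

TRUSTED_DOMAIN = "church.example"                    # assumption: the church's real mail domain
NAMING_CONVENTION = re.compile(r"^[a-z]+\.[a-z]+$")  # assumption: staff use first.last

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> str:
    """Classify a From header: ok, odd-naming, lookalike-domain, external, malformed."""
    # parseaddr drops the display name, which the sender can set to anything.
    _, address = parseaddr(from_header)
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return "malformed"
    if domain != TRUSTED_DOMAIN:
        # One or two edits from the real domain is the swapped-letter or
        # extra-letter trick; a homoglyph also counts as one substitution.
        if edit_distance(domain, TRUSTED_DOMAIN) <= 2:
            return "lookalike-domain"
        return "external"
    if not NAMING_CONVENTION.match(local):
        return "odd-naming"     # right domain, wrong address style
    return "ok"

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for header in ("John Doe <John.Doe@church.example>",
                   "Pastor John <JohnD@churchh.example>",
                   "JohnD@church.example",
                   "Offers <newsletter@vendor.example>"):
        print(f"{check_sender(header):17} {header}")
```

A result of `ok` only means the address matches the expected pattern; a compromised real account passes this check, so the phone call is still the verification step.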
2. Check links before you click them
If an email sends you to a website, check the web address carefully. It might be a copy of a legitimate website, but the URL will be the dead giveaway. Anybody can buy a domain, and like a fake email address, a scammer’s URL will have subtle changes you may not notice at a glance. Double-check it against the legitimate site.
If the email includes inline links, hover over them or right-click to see where they’re taking you—don’t just click. Blindly clicking links is a surefire way to accidentally install malware or give a scammer access to sensitive information.
3. Don’t jump through hoops for unexpected money
If something sounds too good to be true, it usually is. Your church probably has a clear, simple system for people to donate money. If you receive an email claiming your church will receive money if you follow a few simple steps, don’t do it. Those steps are more likely to take money from your church.
You might be told that someone owes your church money, and you just need to verify some information to get it. There’s nothing to verify—that’s a scammer, phishing for you to give them information they don’t have…which they can then use to commit fraud. If the scenario the email describes sounds believable, talk to your staff about it. Don’t assume it’s legit until you can confirm the scenario is real.
Scammers may even impersonate banks or institutions your church deals with—like this scam claiming to be from USAA—but these organizations should never ask you to verify your information in an email or on an independent site. If a third party is involved, contact that organization separately to verify that the email is authentic.
4. Let unknown phone numbers go to voicemail
Phone scams have recently made huge advances. A dangerous new technique that’s received a lot of attention lately is shockingly simple: Scammers want you to say “yes” into the phone.
The scam sometimes starts with a recording that asks you to push buttons to stop receiving calls. This is how they confirm there’s a person on the other end of the line, and the next step is a trap that’s easy to fall for. The scammers call again with a recorded voice—which may sound a lot like a real person—asking something like “Can you hear me?” to get you to say yes.
Here’s why you should never say “yes” to a caller from an unknown number: They record your response and use it as a “verbal signature” to commit identity fraud. If someone calling from an unknown number starts a conversation that way or asks you to push buttons on the phone, you should immediately hang up and report the call to the FCC.
Pro-tip: Don’t fall for the “Hello? Whoops! Sorry, I’m having a problem with my headset!” line. This is an automated recording that’s been scientifically doctored to take advantage of well-intentioned people. The scammers want you to say “yes” so they can take advantage of you and your church. Don’t let them.
To protect yourself against calls like this, the FCC recommends registering your number for the national do-not-call list and contacting your phone provider to ask about robocall blocking services.
If a strange number calls your church, don’t answer. A real person can leave a voicemail.
Caution Is Your Best Defense
Part of stewarding your resources is protecting them from those who would take advantage of you and your church.
Anytime someone asks for money or information in an email or a phone call, do your homework. Check their email address. Verify with them in person. Whatever you do, don’t just say “Yes.”