“Your account appears to have an unauthorized transaction. To ensure that your account is not compromised, please click the link below and confirm your identity.”
Sound familiar? That message is from a recent phishing attempt I received via email. In phishing, Internet fraudsters send spam or pop-up messages in hopes of gaining access to your personal information (credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information). The email looks official, raises concern, and may even threaten dire consequences if you do not respond. It includes a link to a website that looks official but isn’t, and that site captures any personal information you enter so the fraudsters can steal your identity.
Now, the same type of scam is finding its way to you via your cellular phone. In a smishing attempt, identity thieves send a similar message to your mobile phone using an SMS text. The text relays that an urgent matter needs to be discussed and provides a toll-free number where a fake automated voice-response system records account number and password information. Smishing relies on the tendency of individuals to be more trusting of text messages than email messages.
In a world where fraudsters are looking for any opportunity to gain access to our private information, how do we defend ourselves? The American Bankers Association suggests financial institutions share tips and remind customers that socially engineered schemes rely on methods a financial institution would never employ.
“To avoid fraud, banks and credit unions should remind customers to”:
- Never give out personal or financial information in response to an unsolicited phone call, fax, e-mail or text.
- Contact the financial institution to confirm the legitimacy of any e-mail that asks for the submission of personal or banking account information.
- Check credit card and bank account statements regularly for unauthorized transactions…even small ones.
- Make sure websites are secure when submitting financial information online. Check for padlocks or key icons at the bottoms of Internet browsers. Most secure Web addresses also use “https.”
- Report suspicious activity to the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
- Contact your financial institution immediately if a phishy link may have been clicked or a suspicious communication responded to.
What have you done to prevent identity theft?
Employee education is one of the strongest tools in our arsenal to fight cybercrime. NACHA, the Electronic Payments Association, suggests that one simple question can make the difference between an infected network and a protected one. Teaching our employees to always ask, “Does this email make sense?” before responding to it, opening an attachment, or clicking on a link, can make all the difference.
Regularly remind your staff that financial institutions, government agencies, and associations will not request personal identification numbers (PINs), user names, passwords, or account verification via an email. Should they receive such a request, it is best to delete the email rather than risk infecting your network.
Emails from family and friends may also include links to sites that can infiltrate the network. Asking, “Does this email make sense?” includes considering whether or not it makes business sense to open an attachment or link to an unknown site.
When in doubt, NACHA suggests:
- Using a lookup service such as “whois.net” to view domain registration information of an email sender.
- Contacting the sender to determine legitimacy, but never using the phone number included in the email.
- Deleting the email.
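As an added illustration of the first check above (not code from NACHA or from this blog), the Python below pulls out of a message the domains worth looking up in a WHOIS service: a sender domain that is not the institution's, a Reply-To that differs from the sender, and link hosts that lead elsewhere. The sample message, every domain in it, and the function names are constructed for the example; `expected` is assumed to be a domain you already trust.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message; every name and domain here is made up.
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank-verify.example>
Reply-To: support@mail-helpdesk.example
Subject: Unauthorized transaction on your account

Your account appears to have an unauthorized transaction.
Confirm your identity: http://login.examplebank-verify.example.confirm-id.example/verify
Questions? Visit https://www.examplebank.example/help
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def domain_of(header_value):
    """Domain part of an address header, lower-cased, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def belongs_to(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    return host == expected or host.endswith("." + expected)

def body_text(msg):
    """Concatenate the decoded text parts of a plain or multipart message."""
    return "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")

def domains_to_check(raw, expected):
    """Return (where, host) pairs that do not belong to the expected domain.
    expected is an assumption: a domain the reader already trusts."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    found = []
    if sender and not belongs_to(sender, expected):
        found.append(("from", sender))
    if reply_to and reply_to != sender:
        found.append(("reply-to", reply_to))
    for url in URL_RE.findall(body_text(msg)):
        host = (urlsplit(url).hostname or "").lower()
        if host and not belongs_to(host, expected):
            found.append(("link", host))
    return found
```

In the flagged link host, the part that is actually registered sits at the right-hand end (`confirm-id.example`), not in the bank-looking label on the left, so that is the name to look up.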
How have you been educating your staff about the perils of cybercrime?
An elder or usher or staff member at your church voluntarily confesses to embezzling church funds. How do you respond?
“In some church embezzlement cases, a person who has stolen church funds will voluntarily confess—usually out of a fear that he or she is about to be caught. Often, the embezzler will confess in order to prevent the church from turning the case over to the IRS, the police, or to a CPA firm. Embezzlers believe they will receive better treatment from their own church than from the government.”
This excerpt is from a recent Your Church blog by legal expert Richard R. Hammar, who tackles this thorny question objectively and biblically. To learn more, check out “If an Embezzler Confesses.”
How would your church respond?
I posted a blog on May 3 about a serious form of online fraud called account takeover fraud. An Iowa church appears to be one of the latest victims, to the tune of $660,000.
In a Your Church blog post titled Cyber Crime: Coming to a Church Near You, Matt Brannaugh tells the story, then offers six tips for avoiding a similar attack on your church. One that bears special mention is dual controls. From my earlier post, “This means that if one person authorizes creation of a payment file, a second person must authorize release of that file.”
At ECCU, we feel so strongly about the importance of dual controls that we require ministries to implement them when they set up their online banking.
For more information about how to protect your ministry’s information and funds, you can read our white paper Handling Cash: A Common-Sense Approach to Securing Your Ministry’s Most Liquid Asset.
I know it seems like we keep talking about fraud in the church. You’re probably thinking, “Can we move on to something more…positive?” Well, addressing fraud in the church, while never fun, is beneficial.
Vonna Laue of CapinCrouse LLP just blogged “The Top Three Reasons Fraud Happens in the Church.” She credits lack of segregation of duties, misplaced trust, and rapid change as catalysts for fraud.
Laue states, “Trust is not a sufficient strategy for protecting the church’s assets.”
Do any of these reasons surprise you? What best practices do you have in place at your ministry to prevent fraud?