Spotting and Reporting Phishing Scams
September 14, 2020
This is your periodic reminder to accept no imitations when it comes to emails from St. Martin's clergy and other staff.
It has been reported that the Rev. Jarrett Kerbel has been spoofed in what is known as a "whale phishing" attempt. Emails initially appearing to be from Rev. Kerbel have been received by parishioners and staff.
As you can see, the email "from" name may have Jarrett's name listed, but the email address is a random Gmail account. The body of the email also lacks Jarrett's email signature line - something all of our staff have set up through our work accounts.
Since this is an impersonation, not a hack, our best defense is to inform you how not to get fooled by them, and how to report them.
When receiving a peculiar email, be sure to check the following:
- Verify the "from" and "reply-to" addresses. Check the sending email address and the reply-to email address. Make sure that they match and are legitimate St. Martin's email addresses. Staff emails all end in @stmartinec.org. Even the emails we send through this Constant Contact account carry our real email addresses. The email you receive may look even more "real" than the above example: it could have elements of a staff member's name in the email address. The @stmartinec.org ending is the essential thing to look for.
- Have a conversation. If you're still not sure whether the email or request is legitimate, have a voice-to-voice conversation with the sender on the phone or in person. Do not reply to the suspect email or click any links within it.
- Make sure to report the email as phishing using your email provider. Here's where to find that in your Gmail account, with the offending email open. It may look different in another email service provider.
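For anyone who wants to automate the first check in the list, here is an added example (not part of the original notice and not St. Martin's own tooling) that reads a message's headers and flags a "from" or "reply-to" address that is not exactly @stmartinec.org. The sample messages and every address in them are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

STAFF_DOMAIN = "stmartinec.org"  # from the notice: staff emails all end in @stmartinec.org

def domain_of(address):
    """Return the lowercased text after the last '@', or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def check_message(raw):
    """Return a list of warnings for one raw email (headers plus body)."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []
    # Compare the whole domain, not a substring: a staff name or the parish
    # domain can appear elsewhere in a lookalike address.
    if domain_of(from_addr) != STAFF_DOMAIN:
        warnings.append(f"From address {from_addr!r} is not @{STAFF_DOMAIN}")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    if reply_addr and domain_of(reply_addr) != STAFF_DOMAIN:
        warnings.append(f"Reply-To address {reply_addr!r} is not @{STAFF_DOMAIN}")
    return warnings

# Constructed sample messages; none of these addresses are real.
GENUINE = (
    'From: "Staff Member" <staff.member@stmartinec.org>\n'
    "Subject: Sunday schedule\n\nSee you at the service.\n"
)
SPOOFED = (
    'From: "Rev. Jarrett Kerbel" <jkerbel.stmartinec@mail.example>\n'
    "Reply-To: rector.office@inbox.example\n"
    "Subject: Quick favor\n\nAre you available?\n"
)
LOOKALIKE = (
    'From: "Parish Office" <office@stmartinec.org.mail.example>\n'
    "Subject: Urgent\n\nPlease respond.\n"
)

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)]:
        print(label, check_message(raw) or "no warnings")
```

A message that produces no warnings only has the right visible addresses; an unusual request still deserves the voice-to-voice conversation described above.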
If you want more information, the Episcopal Diocese of Newark (NJ) created a great blog post about these "whale phishing" attacks last June. You can read it here.
Finally, don't be frustrated with yourself if you didn't realize right away that the email was a scam. These scams are meant to throw you off and confuse you. As long as you report the phishing when it happens, systems can work toward eliminating the issue. Constant vigilance!