Email scam hits Ottawa parishioners

Parishioners in Ottawa recently received fraudulent email messages that appeared to be sent by a priest in the diocese asking them to buy gift cards totalling several hundred dollars that could be given as gifts for parish staff. The priest had never sent such a request, but the perpetrators had used a forged email address with his name that looked legitimate enough to convince some of the parishioners who received the message that it was real. One parishioner was warned off the purchase by a wary retailer, but at least one other person fell victim to the scam. Parishioners are cautioned to beware of any such requests.

Webmaster and network administrator Cathy Kent, who oversees server and email security for the Diocese, has provided the following advice for people who want to increase security measures for their email.

What is email spoofing?

Email spoofing is when someone sends an email with a forged sender address. Typically, the sender’s name or email address and the body of the message are changed to mimic a legitimate source. By pretending to be someone the victim trusts, the scammer directs them to a fake website that collects their personal information (a process known as phishing) or trolls them within the email, asking for a favour, typically the request is to visit a link, or for gift cards or money. There is always a sense of urgency. 

How do email spoofing scammers find victims?

Scammers use various methods to locate a target’s email address. A robot searches the Internet for email lists, online newsletters, websites and much more, collects email addresses for spoofing. If an email account has vulnerabilities, the scammers can sometimes enter the account, parse the address book, and harvest those addresses. 

Owners of the accounts likely do not know their email has been spoofed and it is good to let them know.

Tips for increasing email security

While there is no fool-proof way to protect your email address, adopting some of these best practices can help: 

• Change your account passwords frequently.
• Keep anti-malware/virus software up to date and running in the background at all times. (Norton, McAfee are paid software. AVG or Avast are free.) 
• Run a full system scan at least once a week.
• Clear your history / cache frequently (Glary Utilities has a free history clean up).
• Avoid including your email address in online blogs and posts. Try using (at) and (dot)com instead of @ and .com to prevent malicious automations from harvesting your address.
• Avoid using your primary email account for everything online. If you are signing up for a mailing list, contest, application form, or similar, use a free replaceable email account like Gmail or Hotmail reserved for just these actions that can be removed if infiltration occurs.
• Only use your primary email to communicate with people you know or trust.
• Do not share private or financial information through email.
• Turn your email account’s spam filters on to the strongest settings or use tools such as Gmail’s Priority Inbox.
• Avoid clicking suspicious links or downloading suspicious attachments.
• If anyone seeks your assistance, a favour, gift cards or money, verify this with them personally.
• Your best defense in your common sense and skepticism.
• Use a third-party secure email system.

Checking email headers 

The visible email address can be spoofed, but the metadata address (behind the scenes) cannot. Learn how to check to see if the header matches up with the sender’s name shown here: https://www.hostinger.com/tutorials/email-headers/ . You can also read your email account’s help files.

How to spot a Spoofing (Phishing) email

• Use of poor language, grammar, and punctuation.
• Use of language that conveys a sense of urgency.
• Mismatching or inaccurate information in the “from” field. (For example, does the sender’s name match their email address?)
• Ensure everyone in your organization is familiar with all of the above. If they are not, they could be the weak link in an otherwise carefully guarded system.

If you are already a victim:

While not all email spoofing involves a hacked account, it is a good idea to change the password, just in case.

• Check all your devices by running a virus / malware scan.
• It is a good idea to send a message to people on your email list / address book to notify them of this issue and what to look for.
• Change your email entirely if it is persistent.
• Notify your mail provider if you believe your email account has been spoofed so the provider can add blocks to the server. 
• Ensure you or your network administrator is watching your server bandwidth and web states for over-usage by bad bots trolling your pages. Block them or hire a firm to do so.

A helpful link

https://securityboulevard.com/2020/01/email-spoofing-101-how-to-avoid-becoming-a-victim/

---

Increasing security for Diocesan email users

It appears that some users to the Diocesan email accounts are not setting up their system’s security, spam levels, filters, white and blacklists correctly and are having send and receive issues.

The same situation exists for some who use Outlook. They must set their system with the correct co-ordinates for to-and-from flow.  Helpful suggestions can be found at the link below.

Please view the Webmail and Outlook

https://www.ottawa.anglican.ca/images/Security/WEBMAIL-OUTLOOK-SPAM-WHITELIST-BLACKLIST-filters.pdf