An email scam targeting congregations all across the United States has hit Unitarian Universalist groups frequently in recent months.
At Fox Valley Unitarian Universalist Fellowship in Appleton, Wisconsin, dozens of congregants received emails in March that appeared to be from senior minister the Rev. Christina Leone-Tracy, asking for gift cards. There was a problem, though: Leone-Tracy, who was out of state on vacation, hadn’t sent any such emails. Though most members ignored the email or reported it to church staff, at least one member gave about $1,500 in gift cards to the scammers, thinking they were sending them to Leone-Tracy.
UUA systems analyst Larry Stritof said that UUA officials have heard from five congregations hit by the scam. Reporting for this article uncovered at least fourteen more who have faced this in the last two years.
Other ministers reported that some of their congregants had fallen victim as well. The scam preys on people’s trust and relationship with ministers.
“It was striking to me the person who really thought it was me and would have done anything I’d asked,” said the Rev. Megan Lloyd Joiner, minister of the Unitarian Society of New Haven, Connecticut, whose congregants received scam emails in April. “These folks know their audience.”
Leone-Tracy said she was angry at having that trust exploited. “I felt a lot of anger as the person whose relationship has been attacked,” Leone-Tracy said. “She said to me: ‘I would never have done this if it wasn’t you.’ This person was capitalizing on the trust I’ve established with congregants.”
A common version of the scam works like this. A scammer creates an email account similar to the minister’s account, by adding one letter or exchanging the domain of the church (@church.org) for a different one (@gmail.com). They then send a sympathetic plea to church members, supposedly from the minister, seeking help for a person, often saying that person has an illness like cancer. The scammers request that the receiver buy Google Play gift cards (or other similar products) and send the code on the back via email. Once that is done, the scammer can access the money and it is difficult, if not impossible, to trace.
Nancy Apfel, a member of the Unitarian Society of New Haven, said the scam was more sophisticated than others she had seen in the past. “The email didn’t have any of the misspellings you often see, and it was clever because it took Megan’s real address and added the Google part to it,” she said.
Apfel said she was initially drawn in by the sympathetic ask from what she thought was her minister, someone she’s worked closely with. She exchanged emails with the scammer asking how she could help, but it increasingly raised red flags for her. “It seemed like an odd request. I tried to call [Joiner] at home and church, no response,” Apfel said. “I thought, maybe this really is something, so I emailed back and said, ‘Do you want me to drop the card by the church?’” When the emailer asked her to get a $400 gift card and scratch it off and send the numbers, she knew it wasn’t real, she said.
Congregations can do several things to help members avoid falling for these kinds of scams:
- Communicate. Let members know now about these scams and how they work. For instance, all of the ministers interviewed for this story said they would never ask members to buy gift cards in this manner.
- Verify. Stritof offered this advice: “A good rule of thumb with emails you’re not expecting is to: (1) reach out to the sender through another channel (call, text, visit website) and (2) not click on a link (or send money, gift cards, etc.) without verifying with the trusted source.”
- Alert. If members of the congregation appear to be receiving scam emails, let the congregation know through multiple channels about it. “As soon as I knew, I changed my ‘away’ message to say something about it, we put in on our Facebook page, we put it in the newsletter,” Leone-Tracy said.
Joiner’s congregation contacted the police, though ultimately her congregant who sent the scammers money declined to follow through with charges.
“The police said no crime is committed until someone sends money,” Joiner said. “There is no complaint of impersonating a minister or setting up a false email address.”
It’s unclear how the scammers are getting contact lists to send these emails. The Rev. Chris Rothbauer, who was serving Keweenaw UU Fellowship in Houghton, Michigan, when congregants there received scam emails in 2017, thinks a plug-in on the congregation’s website may have been hacked. Others said members’ email addresses may have been taken from email providers, publicly available directories, or by searching congregational websites.
- Phishing: Don't Take the Bait! (UUA LeaderLab)
- Congregational Data and Computer Security Guidelines (UUA.org)
- Scammers Pose as Pastors in Email, Ask Faithful to Buy Gift Cards (Catholic News Service, Crux)
- Phishing Scams Targeting Pastors: Who’s Next? (Government Technology)