Recent Phishing Scams Targeting Unitarian Universalists

By Tim Byrne

We’ve recently seen an uptick in email scams, or “phishing” attempts, that leverage recipients’ connections to the UUA, and we wanted to alert anyone who might encounter them. The latest was an email purporting to come from Rev. Susan Frederick-Gray, the UUA president, saying, “I have a request I need you to handle discreetly.” As is common with this type of scam, if you reply to “Susan,” “she” will request that you purchase eBay gift cards as part of a charitable initiative.

Luckily, none of the recipients of this latest attempt took the bait. Recently, various religious denominations have seen similar scams deployed where the sender appears to be a trusted pastor and some constituents have been taken in, purchasing gift cards for what they thought was a worthwhile cause. Given that these scams are likely to continue, we’d appreciate you reaching out to your constituents with a message about these threats.

No reputable entity, not the UUA nor your individual pastor, will email or text you requesting that you purchase gift cards on their behalf. DO NOT REPLY TO OR ENGAGE WITH ANYONE SENDING SUCH A REQUEST.

You might be wondering: how can I determine if a particular email is a scam and what should I do if I suspect that’s the case?

What To Look For

  1. Look at the From address. The “display name” (e.g., Susan Frederick-Gray) might look familiar, but the actual email address will likely differ from the legitimate one. Look particularly at the “domain” part of the email address (everything after the @ symbol, ending in the .com or .org). A UUA sender’s address will end in “@uua.org”, not “.uua@gmail.com”, for example.
  2. Are you expecting this? Has this person reached out to you before or given you any indication that you might be receiving a “special request”?
  3. Is the sender trying to convey a sense of urgency and/or threat? Language like, “don’t call, I’m in a meeting, just reply” or “we’ll need to close your account” should be red flags.
  4. Spelling and grammar errors can also be a red flag, particularly if the name of a trusted entity (“Amozon”) is misspelled.
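
The From-address check in item 1 can also be done by a mail administrator in code. The Python function below is an added example, not part of the original article; the verdict names and the sample addresses are constructed for illustration.

```python
import re
from email.utils import parseaddr

ORG_DOMAIN = "uua.org"                      # legitimate domain named in the article
ORG_LABEL = ORG_DOMAIN.split(".")[0]        # "uua"
PROTECTED_NAMES = {"susan frederick-gray"}  # display names a scammer is likely to borrow

def check_from(from_header):
    """Classify a raw From header value. Verdict strings are this example's own."""
    name, addr = parseaddr(from_header)
    display = " ".join(name.lower().split())
    local, at, domain = addr.lower().rpartition("@")
    domain = domain.rstrip(".")
    if not at or not local or not domain:
        return "unparseable"
    # Accept the exact domain or a true subdomain only. A plain
    # endswith("uua.org") would also accept "notuua.org".
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "org-domain"
    # Familiar display name on an address outside the organisation.
    if any(p in display for p in PROTECTED_NAMES):
        return "display-name-impersonation"
    # Organisation name moved left of the @, as in ".uua@gmail.com".
    if ORG_LABEL in re.split(r"[._+-]", local):
        return "org-name-in-local-part"
    # Organisation name used as a label inside someone else's domain.
    if ORG_LABEL in domain.split("."):
        return "lookalike-domain"
    return "external"

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"Rev. Susan Frederick-Gray" <example.uua@gmail.com>',
    "Friend <example.uua@gmail.com>",
    "UUA Office <office@uua.org.example.com>",
    "Susan Frederick-Gray <someone@uua.org>",
    "Friend <friend@example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from(header):28} {header}")
```

A verdict of "org-domain" only means the address text matches; the From header itself can be forged, so confirming an unexpected request through another channel still applies.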

What Should You Do?

  1. If an email strikes you as suspicious, reach out to the sender via another channel (call or text them, go directly to the entity’s website) to confirm the email’s validity.
  2. Never click on a link or open an attachment (or send money/gift cards) without verifying that the email is from a trusted source.
  3. Gmail, Outlook and other email applications have mechanisms whereby you can flag a particular email as spam or phishing. If your email provider receives multiple notifications that a sender is engaging in suspicious activity, they can block that sender in the future.
  4. Once you’ve determined a particular email is suspicious (and possibly flagged it through your email provider), you can safely delete said email.

About the Author

Tim Byrne

Tim Byrne has been working in the IT field for twenty-plus years, including stints as a trainer, database administrator and applications manager for large corporate law firms including Hale and Dorr (now WilmerHale), Sherburne, Powers & Needham and Choate Hall & Stewart LLP....
