What happened:
At 5:07pm on Wednesday, September 27th, 2023, an unknown scammer started to send messages to email addresses connected with Oceanside Church. The scammer posed as “Pastor Andy Arnold”, asking the recipient if they were “busy at the moment?” If the recipient responded, the scammer proceeded to ask the recipient to purchase a selection of Visa Gift Cards to be emailed back. While the messages appeared to come from the church, on closer inspection they actually came from unassociated gmail.com accounts.
What you need to do:
No immediate action is required from you, as no information which could be used by itself for financial fraud was obtained. However, you should expect the scammers to continue to use fake emails with the names of Oceanside Church leadership or office staff to email you for the purpose of buying gift cards or other means of transferring money.
Oceanside Church and its leadership team will never request such things over email or text message. Also, these emails usually start in an ambiguous manner but then lead in the direction of obtaining finances.
Please be extremely cautious of the following types of messages:
- Asking for gift cards
- An ambiguous message that seems urgent
- Sending links to online donation platforms
- Reporting giving problems or issuing refunds
- Asking for additional private information
Tips for avoiding scams:
- Check that the email really is from "@oceansidechurch.ca"
- If something doesn’t feel right, trust your instincts
- Call the "sender" to confirm if you suspect the email may be fake
- Know that these messages may pop back up in weeks, months or years.
Sadly, we are also not the only church on Vancouver Island that has been targeted in recent weeks, so please be mindful. If you transferred funds to the scammer, please get in touch with us.
Initial response:
At 5:13pm we were contacted by a number of individuals in our community to report the scam. At 5:35pm we were able to lock down our church management system to any outside access, and at 5:40pm we sent out a message to anyone in our system warning of the scam. At this time we have not heard of the scam being successful.
Investigation:
That evening, using the names and email addresses of those who reported to us, we were able to identify that an attacker obtained some level of access into our church management system’s directory. Working with our software vendor, we identified that a phishing attack against the office had been used to obtain access into a Deacon’s account.
The phishing attack succeeded at 12:08pm on the 27th and was exposed at 5:13pm, and our system was locked down in response at 5:35pm.
What data was not compromised:
At no point did the attacker gain access to passwords, giving records, financial information or private communication. Also, Oceanside does not collect or keep any sensitive information such as social insurance numbers, credit or debit cards, driver's license numbers or personal health numbers. While people do donate to Oceanside using financial institutions, including online giving, we do not have access to information which is used to submit donations.
What data was accessible:
The deacon’s account had access to view a list of people's names, associated email addresses and phone numbers within a window. We believe this was the scammer's intended target and exploit, as messages were found from the scammer trying to obtain a church email directory along with the phishing attack.
What data was searchable:
If the scammer chose to search for individual profiles within our management system, they may have been able to view addresses and dates of birth if we had them on file. We are required to keep information, like addresses, for people who have donated to the charity for tax purposes. However, we don’t believe that this searchable data was the main target of the attack; if it had been, they would have been unlikely to reveal themselves as they did at 5:13pm.
What we have done in response:
We have carried out a security audit alongside our software vendor and taken additional steps to further restrict and limit access to any church directories. We will also continue to carry out phishing fraud prevention training for staff members.
We sincerely apologize for the data breach, the personal information that has been exposed and the continued inconvenience caused by this scammer. Please don't hesitate to contact us if you have further questions.
- Andrew Arnold, Lead Elder at Oceanside.