It’s not lost on the Archdiocese of Toronto that various fraud attempts and scams are ever evolving and remain a constant threat to exploiting trust from staff and Catholic communities at large.

Earlier this month, forged documents using the Canadian Council of Churches' official letterhead and a counterfeit signature from its general secretary, falsely promising immigration assistance or visas, were detected. Although the council does not provide either service, the replication was enough for the CCC to warn its user base of the circulating scam. 

This recent alert highlights a broader pattern of scammers exploiting trust in religious institutions, with similar tactics hitting closer to home for Catholics working for the Archdiocese of Toronto.

Advertisement

On Jan. 22, the Archdiocese of Toronto's Management Information Services issued a security advisory after an employee’s email account was compromised in an “Adversary-in-the-Middle” phishing attack, an active cyberattack where a threat inserts itself between two communicating parties, often a user and a website, to intercept, read or alter data. It was reported that online attackers had accessed internal messages for more than 32 hours before sending fraudulent proposal emails to external contacts in an effort to mimic legitimate Church correspondence.

Both of these recent incidents underscore the challenges that religious organizations continue to battle with. The Management Information Services team leads efforts to detect, contain and educate against such threats that prey on faith and goodwill. 

David Finnegan, director of M.I.S., said the continually changing digital landscape has allowed for fraud to evolve exponentially over the past few years, a reality his office is well aware of. 

“ It's not just the odd email from a Nigerian prince any more, or those badly worded letters looking for money. These tools have become very sophisticated to create electronic documents that can be altered, duplicated and distributed anywhere in the world, basically in minutes,” he said.

“We have seen a big emphasis on scammers impersonating trusted institutions like banks or the Church, and so a big part of my job now is just focusing on security, awareness and helping set up an environment where people are trusting but also cautious.”

Interestingly, Finnegan says that beyond more advanced approaches, the entire culture of online fraud has shifted since he began in the office 25 years ago. He says hackers used to operate akin to hobbyists, but now, they are more reflective of organized crime syndicates operating under the format of legitimate businesses.  

Advertisement

Still, trademark attempts to abuse social engineering and psychologically manipulate remain. The combination of a perceived urgency, both through personable status and timing, is a common way victims are lured into email scams. 

Unlike generic scams that fail due to the subject not resonating, even when the same tools apply, scams that prey on faith, charity or refugee appeals inherently tap directly into Catholic values, making manipulation far easier.

“The entire level of sophistication has gone up.  People of faith have compassion and often are open to helping, so (scammers) may try to play on those feelings. If you can imitate a member of the clergy and convince people that you want them to do something, that can be a very easy way to manipulate,” he said.

“There's also usually an urgency, asking people to act right away. They don't want to give you time to think, but rather have it seem like an emergency. As much as things have evolved on the technical side, it has always been a very psychological game.” 

Finnegan advises users to slow down above all else, and be wary if a suspicious email feels urgent and demands immediate action. Users are also advised to verify independently by contacting the purported person or organization through a different, verified channel. As usual, diligence around messages from new or unfamiliar contacts, those requesting money or requests with unreasonable time-sensitive pressure is recommended.   

While efforts toward secure online habits go a long way as well, Finnegan and the M.I.S. team continue to stay focused on security and awareness as threats develop. 

“ We continuously have security awareness training as the level of sophistication changes, and we want to educate people to know that the people who are defrauded are the victims, and we don’t want to persecute somebody who clicked on a bad link,” he said. 

Advertisement

“We want to keep growing the type of culture where people can be free to say they have made a mistake and not get blamed for it. We are here to educate and help them.”