The gift card email scam targeting American rabbis and synagogues has reached communities from New York to Hawaii, with some incidents of congregants falling for the scheme.
Three members of a Conservative synagogue in Virginia responded to emails they thought were from their rabbi by buying a collective $2,500 worth of gift cards. So far, two of the three have been able to get the gift cards cancelled and their money returned.
In Idaho, a woman nearly lost $400 in gift cards to the scam. But just as she was about to take pictures of the cards’ codes to send to the “rabbi’s” email address, a cashier realized what she was doing, and stopped her.
Even a Forward staffer received an email that appeared to be part of the scam, after someone purporting to be the rabbi of an Arkansas synagogue emailed him asking for eBay gift cards “for some women going through cancer at the hospital.” The email was sent, suspiciously, on Saturday morning.
Jewish clergy and their congregants are just the latest to be targeted by this kind of email scam, which has previously affected other clergy and businesses in various sectors. The “rabbis” tell victims to buy gift cards and send pictures of them, so that they can use the codes on the back. The scammer can then use the codes to purchase anything they want from that particular store or website.
While the extent of the scam is not clear, several dozen synagogues were targeted in the most recent wave of the attack last week, according to Michael Masters, the head of the Secure Communities Network, a not-for-profit that focuses on protecting American Jewish institutions.
Masters said that the group is coordinating with law enforcement agencies, including the FBI and the Department of Homeland Security, to investigate the scam. A representative for the FBI did not immediately respond to an emailed list of questions.
Little is known about the scam’s origins so far, though it appears to be coming from overseas, security experts told the Forward.
“The way that they are approaching it does become a typical gift card scam. But the social engineering up front is more important to the story,” said Larry Altenburg, a security consultant and the senior vice president of Agudas Achim Congregation in Alexandria, Virginia, where they know of three congregants who fell for the scam. “It’s not just the rabbi, it’s also our lay leadership — our congregation president has been impersonated.”
The scam largely appears to have been done in a low-tech fashion. In most incidents, the scammer — or scammers — creates one or several fake email addresses for a synagogue rabbi or leader, and sends emails requesting gift cards to addresses publicly available on the synagogue website.
But it’s possible that scammers may have also done some limiting hacking of email lists. In instances with both Agudas Achim and the Wood River Jewish Community in Sun Valley, Idaho, some of the emails targeted were apparently not available online. Rabbi Robbi Sherwin of Wood River said that the scammers sent emails to members of her interfaith coalition in Sun Valley — clergy who are not affiliated with her synagogue.
What is confusing — and what may have convinced some congregants that the requests for gift cards were real — is that the emails have the full name of their rabbi as the sender, including a picture of the rabbi as their Gmail avatar. Without a recipient clicking for more information on the sender, the emails would appear to come directly from the congregants’ rabbi.
The emails have followed a particular script: Most of the subject lines are “Shalom Aleichem,” a Hebrew phrase that means “peace be with you,” but one that is not normally used as an informal greeting. The scammer then signs off with “Blessings” or “L’Shalom,” which means “to peace,” and is sometimes used as a salutation in emails or letters.
In Sun Valley, crisis was averted by a cashier who had encountered the scam before, Sherwin said. The congregant sold her eBay gift cards to a friend who uses the auction website and repaid her with cash.
Sherwin did not identify the congregant, hoping to protect her privacy, but she said that the congregant was not an elderly person or someone unfamiliar with the darker forces of the internet. The two had recently been corresponding to plan a holiday program, and Sherwin said the scammers successfully exploited her role as a fundraiser and charity collector in their small community.
Asking for gift cards “sounds exactly like something I would do,” she said, adding that the email was “almost written in a way that I would compassionately ask for help.”
“Hackers and scammers have come a long way since the Nigerian princes,” she said.
Community organizations have been responding with email blasts to local synagogues, urging people to be wary of unusual emails from their rabbis.
Robert Wilson, the chief security officer for the Jewish Federation of Greater MetroWest NJ, said that the Federation is available to conduct cybersecurity trainings for synagogue staffs in their region. In an email he sent last week about the scams, he directed people to an overview of the scams by the Secure Communities Network.
The overview includes several best practices for avoiding such scams. Double-check that the message is coming from the synagogue’s actual account, and not Gmail. Confirm unusual requests for money by using a second type of communication, like a text or phone call. Make sure your online activities are secure — update your computer and password frequently, use two-factor authentication, and never send sensitive information over email.
“Cyber-hackers are attacking our government agencies,” Wilson said. “So they certainly can get into a small synagogue network if they try hard enough.”
If you have received an email that you believe is fraudulent or have information about an incident connected to this email gift card scam, you can report the incident to the Secure Communities Network by emailing DutyDesk@securecommunitynetwork.org or calling 844.SCN.DESK
Ari Feldman is a staff writer at the Forward. Contact him at email@example.com or follow him on Twitter @aefeldman