Every year, more organizations and people fall victim to cybercrime. Last year, more than 300,000 reported cybercrimes to the FBI with losses in the hundreds of millions of dollars. Whether it's simple theft, fraud, or identity theft, this is a significant area of opportunity for criminals. Let's shed some light on how to protect your church office and those you know from cybercrime.
Where There's Opportunity …
A new level of crime became possible with the popularity of the Internet on a scale never before imagined! Criminals saw the opportunity to repackage old scams into electronic format and reach the masses in a way that could yield astounding results. That criminal vision has become a painful reality to many naïve victims.
The FBI co-publishes an annual Internet Crime Report detailing painful statistics. In the 2010 report:
- Among people ages 20 and older, fraud complaints are evenly distributed. This means those who are younger and more tech savvy still are just as likely to fall victim.
- Cybercrimes are evenly split among male and female victims, although men report an average of 25 percent more in financial losses.
- The largest complaint category was no payment or no delivery of merchandise through an online transaction (14 percent), followed by scams (13 percent), and identity theft (10 percent).
- The top five places where criminals resided was the United States (66 percent), the United Kingdom (10 percent), Nigeria (6 percent), China (3 percent), and Canada (2 percent. This means we're all vulnerable, especially in the United States, where it appears most of the crimes occur.
It is important to note that people are vulnerable, but so are organizations! If your church or ministry conducts business over the Internet (email, purchasing, and so on), it is probably more vulnerable than an individual because of the number of staff online!
Most Common Scams
While non-delivery of merchandise or payments was the largest category of complaints, the second was scams. The three most common 2010 scams, according to the report are:
1. Mystery/Secret Shopper. Victims are contacted via email to help retailers evaluate the quality of their stores, personnel, and processes. Sometimes the employing company sends a check and asks the person to cash the funds, spend them, and return the unused portion. The problem is that the check is counterfeit.
Sometimes the employing company uses an extensive application and screening process to gain the shopper's personal account and identity information.
2. Claims of being stranded. Law firms are getting email from out-of-country citizens requesting help. Also, people receive emails telling them a friend or family member is stranded and needs money immediately wired to them (in some cases the email arrives from a person they know whose email account was hacked). The pleas are lies designed to trick people into sending money.
3. Natural disaster relief. Natural disasters bring out the best in Americans; they also bring out criminals.
What Does the FBI Recommend?
The Federal Bureau of Investigation provides five quick recommendations that individuals and church offices should note and share:
1. Do not respond to unsolicited email, also known as spam.
2. Avoid filling out forms in emails.
3. Don't click links.
4. Don't open attachments in unsolicited email.
5. Be skeptical of those representing themselves as surviving victims or stranded friends.
The FBI's recommendations are good, but I suggest going further with these additional precautions:
1. Besides avoiding responses to unsolicited email, get your email scanned for spam and malware before it arrives to your computers. This will eliminate almost all undesirable email and improve your defenses, but continue to be cautious! Cybercriminals are constantly working on ways to get through those protections, so still be wary of anything that looks questionable. The most effective solution is the Barracuda Spam Firewall , which you can acquire and use yourself, or you can hire a third party to install and do for you (which usually costs less than buying and doing it yourself).
2. If you receive an email from someone you don't know, don't click on any links or attachments (ideally, you'll just delete the email, but if you're afraid the email is a legitimate inquiry, be cautious and avoid clicking on anything. Simply hit "Reply" and craft your message based on the text you read). If you receive an email from someone you know that contains links, attachments, or other content that make no sense, delete it.
3. Any email offers that sound too good to be true are probably scams. Immediately delete them.
4. When you or your office want to respond to disaster-relief fundraisers, give only to organizations you know. Research unfamiliar ones through Charity Navigator or the Evangelical Council for Financial Accountability (ecfa.org).
Shopping online is a convenient and effective way to secure needed resources, often while saving money. For anyone using a church computer to make purchases, the following basic best practices before entering personal information, or credit card or banking information, can help ensure the transactions remain safe:
When browsing in Internet Explorer (the picture below is from version 8), first look for the closed lock. This will tell you whether or not you're on a secure, encrypted web page:
If you're still uncertain, click on the lock; doing so will tell you who owns the security certificate, who the issuing authority is, and when it expires:
On a Mac it will look like this:
In Firefox, the security certificate is available via the color-shaded section to the left of the website address, (also called the URL). Clicking on that shaded area shows the dark box shown with summary information about the certificate; clicking on "More Information" shows the following:
Clicking on "View Certificate" shows the following:
With these methods, you can check to be certain the website is owned by the organization you expect to own it, has a security certificate from an appropriate issuing authority, and is protected by a certificate that is still in effect.
Careful Where You Browse!
Another threat is the ease of inserting malware into unsecured websites. That means you could visit a legitimate website, but if the webhost hasn't kept their security up-to-date, a hacker could have added malware to it that will instantly download to your computer!
From the Cybercrime Intelligence Report (Issue #3, 2009) published by the Finjan Malicious Code Research Center:
As we reported in our previous reports, it doesn't take much for today's cybercriminals to infect website visitors with a Trojan. Using commercial software … available for $100-$300 on hacking forums, the cybercriminal can easily launch a massive attack. It allows him to insert exploiting code to vulnerable websites (legitimate or fake ones). Once a visitor visits one of the infected websites, an exploit code, served by the crimeware toolkit, installs a Trojan on the PC in use.
The best protection strategy is to run anti-malware software on all of your computers and servers. I recommend Sophos.
Spread the Word!
I also recommend holding workshops for your staff and for your congregation. Your staff needs to know how to protect themselves and your church, but your congregation is vulnerable too—especially during the holiday shopping season! A wise strategy includes hosting an annual workshop every October or early November to protect your church, your staff, and your congregation from potentially damaging threats they may not be aware of.
The January 2012 edition of Church Finance Today looks at the ways technology can be used–and misused–to conduct fraud on churches. For more help with your church's electronic safety, also check out Protecting Electronic Datafrom ChurchSafety.com.
This content is designed to provide accurate and authoritative information in regard to the subject matter covered. It is published with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. "From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations